Who should be an owner of the new schema? - sql-server

I am creating a new schema in SQLServer 2008.
Should I create a new user with the same name as schema owner?
Should I use 'dbo' user as schema owner?

If all you want to do is make the name stand out, then just use dbo. No sense creating new users and roles that you don't need.
But really, you shouldn't create a schema just to do this. Why not simply prefix the names of the procedures?

From a security perspective the schema and all database objects should be owned by a role that cannot login yet has super user privileges. When maintenance is to be performed you login as a non-privileged user and set your role to the super user role.

Related

Why do we have dbo user as owner for dbo schema?

I understand that dbo is a default schema for every object in database owned by dbo user but we can't login with dbo user and the account we specify during setup gets rights automatically.
Why do we have a dbo user for dbo schema if we can't login with it. We could have had the setup account with full previleges on all schemas.
What's the significance of it?
We don't have to use dbo schema till in DB we don't have another objects with same name in anothers schemas.
But if you build queries without specifying this, then the speed of query execution will slow down. Since the query optimizer will scan other schemes. You can assume that this is just a default namespace

SQL Server 2005 - Create Database with permissions for another database

I am a complete SQL Server newbie but I have experience with Oracle and MySQL. I am using SQL Server Management Studio.
I have an existing database that I want to create views from but I want those views to reside in another database (schema?) which will be accessible by a separate user account that can connect via JDBC.
I can create the database easily enough, right click "Databases" and select "New Database". From there I am lost.
1) How do I grant select/update/delete permissions (to create and update views) on one database to the new database?
2) How do I create a new user?
3) How do I grant permissions for users?
Thanks in advance.
Like Martin said you need a new schema not a database.
CREATE SCHEMA [SchemaName] AUTHORIZATION dbo;
Create your Views under the new schema name then,
CREATE LOGIN [LoginName] {FROM WINDOWS} (If you are using an AD Group)
USE [DatabaseName];
CREATE USER [LoginName/Username]; (They can be the same)
GRANT EXECUTE, SELECT, INSERT, DELETE, VIEW DEFINITION ON Schema::[NewSchemaName] TO [LoginName/Username];
If you want to have a Role the create the role under the database and make the UserName a member of the Role and grant the permissions to the role.

SQL Server 2008 - Removing schema ownership

I just created a new web application that accepts some form based input from the user and inserts it in into the database. To go along with this I created a new user in the database and initially assigned the user to two roles and schemas ...
db_datareader
db_datawriter
After thinking things over I realized the user did not need to be part of the db_datareader role because the user only inserted data into the database and never read any. So I went back and removed the role of db_datareader and noticed that the schema options were grayed out. I could not remove the user from schema ownership of db_datareader.
How does one go about removing a user from ownership of a specific schema? Should I have even assigned schema ownership in the first place?
I am logged in as administrator of the SQL Server and of the Windows 7 OS.
I had same issue today and found a way to remove user as owner of schema. Open Schema node below Security in database and change the owner for the user that you mistakenly used with the default owner. For example if some oddball user name is listed as schema owner for db_datareader, change it to dbo (the default) and so on.
No, you shouldn't have assigned ownership of the schema to the user. You should have just made the user a member of the schema. Revert ownership to dbo and check that the user account is not still a member of the schema.

Setting up a user to my database in my SQL Server

I just finished creating a new user for my database in SQL Server. I had 4 tables I wanted to grant Insert, Update, Select and delete permissions. I did this manually in the Securables area of the new user.
Is there a better way to do this that to have to touch each object? if so, how?
Thanks,
rod.
One way is use schemas such that
tables belong to a schema (let's call it data, CREATE SCHEMA)
users belong to a role (CREATE ROLE, sp_addrolemember)
permissions are assigned to the role on the schema (GRANT INSERT ON schema::data to myRole)
Now, you can add new tables or change users without losing/creating permissions
If you want finely granular control over who can do what, I don't think there's a whole lot you can do - you're doing it just fine.
gbn's approach is quite nifty - another approach for "simple" setups (when you don't need a whole lot of different permissions) is to:
grant every user (or a role) the database role db_datareader - this allows read access
(SELECT) on all tables and views
grant every user (or a role) the database role db_datawriter - this allows write access (INSERT, UPDATE, DELETE) on all tables and views
If you also need to grant execution rights on stored procedures, there's unfortunately no predefined role to use. You can however create your own database role and then grant execute permissions to that role. The great thing is: this permission to execute stored procedures also applies to all future stored procedure you might create in your database!
To define your new role, use this:
CREATE ROLE db_executor
GRANT EXECUTE TO [db_executor]
and then you can just assign db_executor to those users who need to be able to execute stored procs and stored functions in your database.

Grant user DDL permissions on specific schema

Using SQL Server (2008), is it possible to grant a specific user full control of the objects under a specific schema? This includes create/drop/alert table. Its important that this user isn't not given db_ddladmin role because that would give him access to other tables.
You can create a role in the database, assign all appropriate permissions(SELECT, UPDATE, DELETE, EXECUTE, etc.) to the role, and then assign the user to that role.

Resources