snippetsqlModerate
Allow user to do anything within his own schema but not create or drop the schema itself
Viewed 0 times
itselfthehiscreateanythinguserbutwithinallowown
Problem
I have created a schema in SQL Azure and granted the following permissions to a database role:
Through the above defined permissions
What permissions are required in order to allow the user to do anything within his own schema but not be able to create or drop the schema itself?
CREATE ROLE myrole AUTHORIZATION dbo;
EXEC sp_addrolemember 'myrole', 'myuser';
CREATE SCHEMA myschema AUTHORIZATION dbo;
GRANT ALTER, CONTROL, DELETE, EXECUTE, INSERT, REFERENCES, SELECT, UPDATE, VIEW
DEFINITION ON SCHEMA::myschema TO myrole;
GRANT CREATE TABLE, CREATE PROCEDURE, CREATE FUNCTION, CREATE VIEW TO myrole;Through the above defined permissions
myuser can create/drop his own schema, so to overcome the problem I tried the ALTER ANY SCHEMA permission. But this permission also denies the user to create/drop tables. What permissions are required in order to allow the user to do anything within his own schema but not be able to create or drop the schema itself?
Solution
There is no need to grant
The permission required to
The required permission to
You already have these permissions in your script, so all that you have to do is remove the
For the lazy, here is your code after removing the unnecessary permission:
CONTROL on the schema.The permission required to
DROP SCHEMA is either CONTROL on the schema or ALTER ANY SCHEMA at the database level, and that is why your user was able to drop the schema. Removing these two permissions will prevent the role-associated users from creating and droping the schema (unless they have higher level permissions of course). The required permission to
CREATE ALTER and DROP other objects is the CREATE permission for the object type (table\procedure\function\view) combined with ALTER permission on the schema.You already have these permissions in your script, so all that you have to do is remove the
CONTROL permission. For reference, here is a BOL list of DDL statements where You can find the required permission for all object types. For the lazy, here is your code after removing the unnecessary permission:
CREATE ROLE myrole AUTHORIZATION dbo;
EXEC sp_addrolemember 'myrole', 'myuser';
CREATE SCHEMA myschema AUTHORIZATION dbo;
GRANT ALTER, DELETE, EXECUTE, INSERT, REFERENCES, SELECT,
UPDATE, VIEW DEFINITION ON SCHEMA::myschema TO myrole;
GRANT CREATE TABLE, CREATE PROCEDURE, CREATE FUNCTION, CREATE VIEW TO myrole;Code Snippets
CREATE ROLE myrole AUTHORIZATION dbo;
EXEC sp_addrolemember 'myrole', 'myuser';
CREATE SCHEMA myschema AUTHORIZATION dbo;
GRANT ALTER, DELETE, EXECUTE, INSERT, REFERENCES, SELECT,
UPDATE, VIEW DEFINITION ON SCHEMA::myschema TO myrole;
GRANT CREATE TABLE, CREATE PROCEDURE, CREATE FUNCTION, CREATE VIEW TO myrole;Context
StackExchange Database Administrators Q#21733, answer score: 13
Revisions (0)
No revisions yet.