HiveBrain v1.2.0
Get Started
← Back to all entries
patternsqlMinor

What does GRANT CONTROL on a schema do in MSSQL?

Submitted by: @import:stackexchange-dba··
0
Viewed 0 times
controlwhatgrantmssqldoesschema

Problem

I'm using SQL Server 2016 for these tests.

The following did not allow me to create a table in schema S for user U

USE [D];
GRANT CONTROL ON SCHEMA :: [S] TO [U];


But this did:

USE [D]
GRANT ALTER ON SCHEMA :: [S] TO [U];
GRANT CREATE TABLE TO [U];


What is the GRANT CONTROL supposed to do, if you have to run these two additional commands to allow the user to create a table in a specific schema?

This description is nice, but what kind of a use case can I run that can confirm (with success or failure) the GRANT CONTROL command physically affected the user's security on the database with and without this schema, before and after running the command?

https://blogs.msdn.microsoft.com/lcris/2009/08/11/basic-sql-server-security-concepts-ownership-control-take-ownership/


CONTROL permission: The CONTROL permission can be used to easily grant
all permissions on an entity to some principal. It's the next best
thing after ownership of the entity, but it's not quite as powerful as
ownership. The main difference is that a grantee of CONTROL can still
be denied some other permissions on the entity. For example, I can be
granted CONTROL on a table, while at the same time I can be denied
SELECT on that table, preventing me from selecting from it - this can
never happen to the owner, because the owner cannot be granted or
denied permissions.

Solution

To see what CONTROL on schema brings to you, create a test user without any permission, grant CONTROL on schema to it and check what permissions he has after it:

create user test;
grant control on schema::dbo to test;

execute as user = 'test';
select *
from sys.fn_my_permissions('dbo', 'schema');
revert;


Here is what you'll get:

When you want to CREATE TABLE you should open BOL article CREATE TABLE (Transact-SQL) and scroll down to PERMISSIONS:

Now you see that even if your table is not supposed to have columns of CLR user-defined type, you still need CREATE TABLE permission to grant to your user to make him be able to create a table.

Test user has already ALTER SCHEMA implied by CONTROL on schema, but CREATE TABLE should be granted (as well as REFERENCE permission in case of CLR user-defined type).

Code Snippets

create user test;
grant control on schema::dbo to test;

execute as user = 'test';
select *
from sys.fn_my_permissions('dbo', 'schema');
revert;

Context

StackExchange Database Administrators Q#191466, answer score: 9

Revisions (0)

No revisions yet.