﻿<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>SQLServerCentral / SQL Server 2005 / SQL Server 2005 Security </title><generator>InstantForum.NET v4.1.4</generator><description>SQLServerCentral</description><link>http://www.sqlservercentral.com/Forums/</link><webMaster>notifications@sqlservercentral.com</webMaster><lastBuildDate>Sat, 17 May 2008 09:01:00 GMT</lastBuildDate><ttl>20</ttl><item><title>create procedure with encryption</title><link>http://www.sqlservercentral.com/Forums/Topic501672-359-1.aspx</link><description>if ive created a procedure with encryption, can any one any how to decrypt this procedure?</description><pubDate>Thu, 15 May 2008 15:24:14 GMT</pubDate><dc:creator>mobasha</dc:creator></item><item><title>SQL Server 2005 TCP Settings</title><link>http://www.sqlservercentral.com/Forums/Topic500973-359-1.aspx</link><description>Hello, I have over 100 clients using MSDE 2000 with specific port setting. I cannot upgrade them to SQL 2005, because not being able to change port on 2005 and make it work. Port settings in 2005 actually get saved, but I no longer can connect to server unless I set port back 1433. What am I missing? Any help appreciated.P.S. I am changing port settings on client and server together and it  worked fine on 2000.thank you, Paul.</description><pubDate>Wed, 14 May 2008 20:11:17 GMT</pubDate><dc:creator>sarkisp</dc:creator></item><item><title>SQL Server Agent reports unknown username or bad pw</title><link>http://www.sqlservercentral.com/Forums/Topic502360-359-1.aspx</link><description>Hello,When I try to start "SQL Server Agent" in SQL Server Configuration Manager I get an error, when I look in the Event log I see:The SQLAgent$SQL2005 service was unable to log on as MyUserAccount with the currently configured password due to the following error: Logon failure: unknown user name or bad password. 
However, when I try to start "SQL Server" in SQL Server Configuration Manager using the same login credentials it works just fine. I'm not exactly sure what the difference between these two SQL Server 2005 Services is.  I found out that I had to make MyUserAccount  a member of the "Backup Operators" group in order to be able to start the "SQL Server" service in SQL Server Configuration Manager, strange. -Eric</description><pubDate>Fri, 16 May 2008 14:35:23 GMT</pubDate><dc:creator>eric.goforth</dc:creator></item><item><title>Cannot add any group to SQL login on new Win 2008 server</title><link>http://www.sqlservercentral.com/Forums/Topic502290-359-1.aspx</link><description>Hi, We have just created a new Windows 2008 server running SQL 2005 64 bit.  I am in the process of migrating old SQL 2000 databases onto this new server.  One of the databases required a SQL login for some Windows groups that get created from the SMS software.  I'm having a problem when I go into create a new login, select object type Groups, from this location  , I enter the object name and click Check Names and it finds it.  I select okay and everything looks good. But when I click ok on the New Login screen, I get the 15401 error saying that Windows NT user or group not found.  I have gone into the Server Manager - Groups and verified that the group exists, and it does.  The only thing I see when I click properties is on the bottom right hand side of the screen it says "Changes to a user's group membership are not effective until the next time the user logs on."  It says this for all the groups on this server and I get the same error message when I try to add any group.  I have had the user that is a member of this group log off and back on a few times, but it still says the same thing and I still get the same error. Anyone have any ideas on what the problem might be?  
Is there something on the Windows 2008 server setup that we missed? Thanks, Isabelle</description><pubDate>Fri, 16 May 2008 12:32:23 GMT</pubDate><dc:creator>Isabelle</dc:creator></item><item><title>ActiveX component can't create object - SQL2005 Agent Job</title><link>http://www.sqlservercentral.com/Forums/Topic502055-359-1.aspx</link><description>We are using SQL Agent ActiveX jobs to send MQ messages using CreateObject("MQAX200.MQSession"). We are running this without any issues in SQL2000. When we upgraded to SQL2005 we are having errors as below. where STG is our domain and wfservice is part of Administrator group on this server. Message Executed as user: STG\wfservice. Error Code: 0  Error Source= Microsoft VBScript runtime error  Error Description: ActiveX component can't create object: 'MQAX200.MQSession'    Error on Line 23.  The step failed. We are also using some other FAX API and having same problem (can't create object) in SQL2005 but SQL2000 works fine. Help!</description><pubDate>Fri, 16 May 2008 07:46:32 GMT</pubDate><dc:creator>sam patel</dc:creator></item><item><title>Logins</title><link>http://www.sqlservercentral.com/Forums/Topic502297-359-1.aspx</link><description>Hi, Is there any script to delete all the logins that don't have any mappings with the database?</description><pubDate>Fri, 16 May 2008 12:52:08 GMT</pubDate><dc:creator>swekik</dc:creator></item><item><title>SQL Login -&amp;gt; Remote Windows Account</title><link>http://www.sqlservercentral.com/Forums/Topic501277-359-1.aspx</link><description>All, I'm trying to get a SQL Login on Server A to connect to a linked server (Server B). 
I need the SQL Login to connect as a given Windows login on Server B. Server B is set up correctly on Server A as a linked server I think - I created the same SQL Login on Server B to test and I can connect fine when I use the SQL Login as the "Local Login" and click "Impersonate" The message I get when trying to connect as the remote Windows login is [b]Login failed for user 'DOMAIN\User'[/b] I've definitely got the domain and password right. Server A runs SQL 2000, mixed authentication. Server B runs SQL 2005, mixed authentication. Is what I'm trying to do possible (ie SQL Login -&amp;gt; Remote Windows Login) ? Any ideas on getting around the error ?</description><pubDate>Thu, 15 May 2008 07:09:22 GMT</pubDate><dc:creator>Joseph Fallon</dc:creator></item><item><title>Sql server security</title><link>http://www.sqlservercentral.com/Forums/Topic498545-359-1.aspx</link><description>Hi All, I have a database in sql server 2005. I want to restrict adding/updating data into a particular table for 'sa' login itself. Can I protect my table by asking password or some other mechanism since sa user will have all the rights on the database. When my application is given to client, I might sell him only a particular module (for ex. Screening module). But that module requires main admin table to be there. I don't want him to alter the admin module data. He will be knowing the sa password. But I want to restrict him from making any changes for admin table. Please help!! Regards, Amit kulkarni</description><pubDate>Sun, 11 May 2008 22:46:52 GMT</pubDate><dc:creator>amit kulkarni</dc:creator></item><item><title>Uncomfortable situation at office</title><link>http://www.sqlservercentral.com/Forums/Topic500148-359-1.aspx</link><description>Ok this is ugly...we are a small company, we have gone through a lot of turnover (not in IT but in the company in general) one of our IT members is almost to the point of stalking another employee.  
The IT member is reviewing files, emails, logs of two employees a blatant violation of company policyThe IT director has been alerted of the situation and the director is not going to go through ‘proper channels’ to resolve this.  The person who is a network admin is too valuable.Yes this will get ugly...as the DBA I need to cover my *** big time.  Did I mention he is a domain admin?We have audit on all successful and failed logins.  Half of our databases are mixed mode, so the plus is for the critical you need to have a database logon ID which this person does not have, YET may have access to the 'sa' password which is in our disaster recovery layout.I am thinking of doing profiler trace on all databases to check for anything funny.  I cannot simply drop groups that as a windows user he may be part of (i.e. BlackBerry server) that will raise suspicion.Looking for some ideas..</description><pubDate>Tue, 13 May 2008 20:58:01 GMT</pubDate><dc:creator>jsheldon</dc:creator></item><item><title>Strange SQL Agent Errors</title><link>http://www.sqlservercentral.com/Forums/Topic498813-359-1.aspx</link><description>During a 1 hr period over the weekend, SQL Agent logged a group of three errors over and over again:[i]Message[298] SQLServer Error: 848, SQL Network Interfaces: The system detected a possible attempt to compromise security.  Please ensure that you can contact the server that authenticated you. [SQLSTATE HY000][/i]followed by:[i]Message[298] SQLServer Error: 848, Cannot generate SSPI context [SQLSTATE HY000][/i]and then:[i]Message[382] Logon to server '(local)' failed (SaveAllSchedules)[/i]I haven't been able to find much information about these online. Anybody have any ideas? I'm working with the networking team to determine if there was anything network-wise going on but haven't heard back from them. These problems happened for an hour and then stopped. 
Everything seems ok now. Thanks, Rob</description><pubDate>Mon, 12 May 2008 08:21:39 GMT</pubDate><dc:creator>Rob Symonds</dc:creator></item><item><title>Jobs Fail after I change the sa password</title><link>http://www.sqlservercentral.com/Forums/Topic501259-359-1.aspx</link><description>SQL 2005 SP2.  I changed the sa password and my maintenance jobs (Backups) started to fail with -  "Login failed for user 'sa'.  Error: 18456, Severity: 14, State: 8".  I changed the job owner, cycled the SQL Agent, but still got the error.   I ended up having to delete my maintenance plan and recreate it. Can someone please explain what's happening here? thanks very very</description><pubDate>Thu, 15 May 2008 06:55:26 GMT</pubDate><dc:creator>Tim White</dc:creator></item><item><title>Cannot login to SQL Server with the SQL authentication</title><link>http://www.sqlservercentral.com/Forums/Topic499827-359-1.aspx</link><description>I've been setting users for SQL servers for a year and this is the first time this happened to me. I am trying to set a new login/password/user with SQL server authentication on a new server. I set up a fresh test database, new login and user for that database. I don't get any error, just confirmation that user was created OK. After I disconnect and try to connect again to the SQL Server with the SQL server authentication using this user/password, I get an error that user is not associated with the trusted SQL server connection. User name and password are correct. I do the same thing on an old server and everything works fine. I checked  Surface Area configuration, remote connections are set to allow local and remote connections. 
What can be the reason that SQL server users do not work?</description><pubDate>Tue, 13 May 2008 10:49:55 GMT</pubDate><dc:creator>Vika</dc:creator></item><item><title>Active Directory Security/Distribution groups</title><link>http://www.sqlservercentral.com/Forums/Topic501534-359-1.aspx</link><description>Just want to confirm, in Security/Logins if I right-click and choose Properties I SHOULD receive an error when I try to select under status 'Login Disabled'. I am thinking because it is an AD security group it doesn't have a password </description><pubDate>Thu, 15 May 2008 11:28:53 GMT</pubDate><dc:creator>jsheldon</dc:creator></item><item><title>Can we define Security MSAS Cube to restrict the data for different clients using Ldap</title><link>http://www.sqlservercentral.com/Forums/Topic501545-359-1.aspx</link><description>Hi, is there any way to design the security of the data in the cube as per the client login. Since we have a Ldap profiles set up for the client I'm interested in Ldap. Else is there any way that we can restrict the clients from seeing other clients data? Gurus pls help.. Thanks, Arvind</description><pubDate>Thu, 15 May 2008 11:47:08 GMT</pubDate><dc:creator>karvindreddy</dc:creator></item><item><title>LogOn Failure Error</title><link>http://www.sqlservercentral.com/Forums/Topic501133-359-1.aspx</link><description>I am accessing network shared folder through xp_cmdshell as   [b]exec master..xp_cmdshell 'dir \\server1\sharedfolder\*.*'[/b] but I am getting an error   [b]Logon failure: unknown user name or bad password.[/b]</description><pubDate>Thu, 15 May 2008 03:53:04 GMT</pubDate><dc:creator>ken.keen</dc:creator></item><item><title>How can I give a non sa account sysadmin like permissions without giving it the role</title><link>http://www.sqlservercentral.com/Forums/Topic500050-359-1.aspx</link><description>Hi All, I've created a non sa user in order to install an app but cannot go through the install process because it cannot run the following 
execute: exec master..xp_servicecontrol 'QueryState', 'SQLSERVERAGENT' I get an error telling me that Permission is denied and that the user must be a member of the 'sysadmin' server role. The app runs the command to make sure that sqlserveragent is running. Is there any way around this? Thanks for the help.</description><pubDate>Tue, 13 May 2008 16:31:31 GMT</pubDate><dc:creator>tannguyen00</dc:creator></item><item><title>Access Denied</title><link>http://www.sqlservercentral.com/Forums/Topic500442-359-1.aspx</link><description>I am running 5 different vb software from 10 client machines to access various SQL 2005 DBs on the server. All software on all machines was running fine. The ethernet LAN cable on one of the machines got unplugged while in operation. From then, none of the software on this particular client machine can access the SQL Server. The 'dbconnection.open' command fails and an error message 'SQL Server does not exist or Access Denied' is returned. The same software continues to run fine from all other client machines. All software on all machines uses the same connection string i.e. no change in user name &amp; password. I tried changing the IP address of the machine, restarting it, changing the workgroup but without success. I then added a new login to the SQL Server with full rights (the same rights as the user in the old connection string). The problem repeats with this new login as well. It seems that this is a machine specific problem somehow related to the unplugging of the LAN cable. Could somebody help?</description><pubDate>Wed, 14 May 2008 07:20:29 GMT</pubDate><dc:creator>vvikrant</dc:creator></item><item><title>Application ODBC Security</title><link>http://www.sqlservercentral.com/Forums/Topic499159-359-1.aspx</link><description>How can you setup security so that a user can not use an ODBC connection with an application other than the intended? You create an Access frontend using a file ODBC.  
A user can then use it with other applications, like Excel, giving them full rights. 1. If I use Trusted, they can create their own ODBC to attach with any application.  2. If I create a SQL login, the user has to remember another user/password and they can create their own ODBC to attach with any application.  3. If I use a named SQL user, the user name and password gets saved unencrypted either in the linked table or in the dsn. I can not find a solution? Jack</description><pubDate>Mon, 12 May 2008 15:05:47 GMT</pubDate><dc:creator>jack_stockton</dc:creator></item><item><title>Create Login Script</title><link>http://www.sqlservercentral.com/Forums/Topic497615-359-1.aspx</link><description>I have the following stored procedure to create a login on SQL Server 2005. As is it works perfectly but I want to pass a parameter for the login name but keep getting incorrect syntax errors. The script looks as follows: CREATE PROCEDURE dbo.Create_Login AS BEGIN SET NOCOUNT ON CREATE LOGIN [johnny] WITH PASSWORD = '12345', DEFAULT_DATABASE=[dbname], DEFAULT_LANGUAGE=[British], CHECK_EXPIRATION=OFF, CHECK_POLICY=ON EXEC sys.sp_addsrvrolemember @loginame = N'johnny', @rolename = N'sysadmin' ALTER LOGIN [@username] DISABLE END When I pass the parameter it looks like this: CREATE PROCEDURE dbo.Create_Login ( @username varchar(50) ) AS BEGIN SET NOCOUNT ON CREATE LOGIN @username WITH PASSWORD = '12345', DEFAULT_DATABASE=[dbname], DEFAULT_LANGUAGE=[British], CHECK_EXPIRATION=OFF, CHECK_POLICY=ON EXEC sys.sp_addsrvrolemember @loginame = @username, @rolename = N'sysadmin' ALTER LOGIN @username DISABLE END Please can someone help me to get this right. 
I have searched but nowhere any site says anything about passing a parameterThanksManie Verster</description><pubDate>Fri, 09 May 2008 00:52:30 GMT</pubDate><dc:creator>Manie Verster</dc:creator></item><item><title>Grant creation\drop to user-defined role</title><link>http://www.sqlservercentral.com/Forums/Topic500170-359-1.aspx</link><description>I'm trying to create a role("roleA") that can create users for the database and also delete them."RoleA" should also let its members add users to 2 different roles, 1 of the roles being "roleA".RoleA shouldn't allow members to delete or create other roles.Currently "grant alter any user to roleA"  gets what i want for creating\deleting users and "grant alter any to roleA" allows me to add users to roles but it also lets members of "roleA" to create and delete roles which i do not want.  Any thoughts?</description><pubDate>Tue, 13 May 2008 22:30:24 GMT</pubDate><dc:creator>partner55415554</dc:creator></item><item><title>Protecting against blind sql injection...</title><link>http://www.sqlservercentral.com/Forums/Topic499887-359-1.aspx</link><description>Helloo all,I would like to gather some thoughts on how to secure my database (running on sql server 2005) from SQL injection , one such as :[code]DECLARE @T varchar(255), @C varchar(255);DECLARE Table_Cursor CURSOR FORSELECT a.name, b.nameFROM sysobjects a, syscolumns bWHERE a.id = b.id AND a.xtype = 'u' AND(b.xtype = 99 ORb.xtype = 35 ORb.xtype = 231 ORb.xtype = 167);OPEN Table_Cursor;FETCH NEXT FROM Table_Cursor INTO @T, @C;WHILE (@@FETCH_STATUS = 0) BEGINEXEC('update [' + @T + '] set [' + @C + '] =rtrim(convert(varchar,[' + @C + ']))+'' ''');FETCH NEXT FROM Table_Cursor INTO @T, @C;END;CLOSE Table_Cursor;DEALLOCATE Table_Cursor;[/code]Basically this statement finds every text column contained in a database and inserts a cross site script into it.I know this topic has been covered in some depth in articles such as :MSDN article on SQL injection 
(http://msdn.microsoft.com/en-us/library/ms161953.aspx)and on forums a few times.And the general consensus is to check application code and fix it, which is fine, however we have many legacy systems where it would be too time consuming to fix the problem at the application level.So the alternative is fix this at the database level.A possible solution is to isolate the application access to only the objects it uses, and none of the system objects. This should prevent the statement above from running, because it requests access to the sysobjects and syscolumns views. I could implement this by changing the schema for all user objects from dbo to [myAppSchema] and assigning it to my applications database user.Not particularly elegant but might work, what do you think?Nigel.</description><pubDate>Tue, 13 May 2008 12:12:22 GMT</pubDate><dc:creator>NigelMMVIII</dc:creator></item><item><title>Best practice accessing a SQL database from a webpage.</title><link>http://www.sqlservercentral.com/Forums/Topic499722-359-1.aspx</link><description>Hello all,I have a website that pulls data from a SQL2005 database and shows it to the world.The set up is that the web server and the database server are different servers in the same domain.I have seen different solutions to make it work, security wise:solution A. The website (under IIS) is configured to use Anonymous Access, using a dedicated domain account with read permissions on the webfolder (to be able to access the webpages). This account is also a member of a dedicated database role called 'web_usr'. The permissions to access the database is arranged via stored procedures; the 'web_usr' role gets the appropriate permissions on these stored procedures.solution B. The website (under IIS) is configured to use Anonymous Access, using a dedicated domain account with read permissions on the webfolder (to be able to access the webpages). 
This account is also a member of a local group called SERVER1\WebAccount.Local group  SERVER1\WebAccount is a member of the dedicated database role 'web_usr'. Again, access to the database  is arranged via granting permission to 'web_usr' on stored procedures.Which of these solutions poses the least security risk? And why?Is there any other set up that is best practice in this case? Thanks for help.Hans</description><pubDate>Tue, 13 May 2008 09:17:38 GMT</pubDate><dc:creator>H</dc:creator></item><item><title>SQL Server Encryption in 2005</title><link>http://www.sqlservercentral.com/Forums/Topic495240-359-1.aspx</link><description>Hi all,Hope you can help with some information.We are introducing a new company database that is TOP SECRET! on SQL2005. I need to be able to Encrypt the majority of the tables and the rest (only about 10) need to be available for information.I need to ensure that the data on the backups is encrypted, and all of the other data cannot be accessed either by DBA's or Server Admin - Only the application need to be able to access the un-encrypted data - Can anyone help?Would be appreciated for any pointers.</description><pubDate>Mon, 05 May 2008 13:56:02 GMT</pubDate><dc:creator>DaveB</dc:creator></item><item><title>Grant Create User permission</title><link>http://www.sqlservercentral.com/Forums/Topic498611-359-1.aspx</link><description>:cool:i have database1, i have been trying to give user1 the right permission to manage (add)only the users in this database, but am getting an error msg.this is what i worte:use database1goGRANT EXECUTE ON [sys].sp_adduser TO [user1];error:Msg 4629, Level 16, State 10, Line 1Permissions on server scoped catalog views or system stored procedures or extended stored procedures can be granted only when the current database is master. 
and when i execute this:use mastergoGRANT EXECUTE ON [sys].sp_adduser TO [user1];then the user have it permission on the master, anyway when i tried to create a user its not working:Msg 15247, Level 16, State 1, Procedure sp_adduser, Line 35User does not have permission to perform this action.so what permission should the user have in order to create users in the database??</description><pubDate>Mon, 12 May 2008 02:46:08 GMT</pubDate><dc:creator>mobasha</dc:creator></item><item><title>Permission Denied in in-line SQL statements but SPs are OK</title><link>http://www.sqlservercentral.com/Forums/Topic497594-359-1.aspx</link><description>I am using SqlDataSource in ASP.NET 2.0 (VS2005) application. I can use both stored procedures and in-line SQL statements within the development environment and everything works perfectly. However, when I publish the web site, only the stored procedures work and in-line SQL statements give 'Permission Denied' error. The error line reads as:System.Data.SqlClient.SqlException: The SELECT permission was denied on the object 'Contacts', database 'Homer', schema 'dbo'.Really appreciate any help...</description><pubDate>Fri, 09 May 2008 00:17:13 GMT</pubDate><dc:creator>John Smith</dc:creator></item><item><title>Viewing Database Diagrams</title><link>http://www.sqlservercentral.com/Forums/Topic497247-359-1.aspx</link><description>Hi all, I ran into an issue recently where I reduced user access to the server/databases to the lowest level possible based on user needs. One of our programmers complained he could no longer see the database diagrams. I narrowed his access to DataReader/DataWriter. According to BOL, the only users that can see a diagram are the creator and any member of the db_owner role. Obviously I don't want to grant db_owner so can anyone suggest alternate methods for viewing the database schemas? 
Thank you in advance.</description><pubDate>Thu, 08 May 2008 10:15:10 GMT</pubDate><dc:creator>david.tyler</dc:creator></item><item><title>Stored procedure permissions problem?</title><link>http://www.sqlservercentral.com/Forums/Topic497148-359-1.aspx</link><description>A user is getting this error when trying to execute a stored procedure that truncates Table_X: "Table_X does not exist or you do not have permissions." I've verified that the user has execute permissions on the SP.  Isn't that sufficient?  They don't specifically need delete (truncate) permission on the table itself, correct?  Color me confused on this one...</description><pubDate>Thu, 08 May 2008 08:45:01 GMT</pubDate><dc:creator>ahutch</dc:creator></item><item><title>Showplan rights</title><link>http://www.sqlservercentral.com/Forums/Topic491418-359-1.aspx</link><description>I have a user who is a member of a group which has db_datareader and db_datawriter permissions to a particular db. I have also granted that group showplan rights to the db. When he runs the set showplan_xml on cmd, it succeeds. If this user runs a very simple 'select top 1 * from table' select he gets 'showplan permission denied in database 'xxx'.' In an attempt to rule out any odd windows authentication issues, I've parsed him down to being a member of only one group in the domain, and verified that he can run the raw select without the showplan on. If he creates a table, he can run the showplan stmt against that table. I briefly gave the group db_owner permissions to the db, and still no dice. According to http://msdn2.microsoft.com/en-us/library/ms189602.aspx, the only permissions needed are: showplan access granted, and access to the object you want to run showplan against.  There is no ownership chaining issues going on, as it's only a single table in a single db that the user can access. I have also granted the showplan right to the individual user to no avail. Any suggestions? Am I missing something here?  
Thanks all in advance.</description><pubDate>Mon, 28 Apr 2008 08:07:33 GMT</pubDate><dc:creator>LAW1143</dc:creator></item><item><title>Restoring User Mapping for logon when restoring DB</title><link>http://www.sqlservercentral.com/Forums/Topic496496-359-1.aspx</link><description>This is probably a really rookie question, but how do I restore a logon's User Mapping and permissions to a database when restoring that database?  I have a production DB that is backed up nightly and restored immediately to another server to serve as a reporting DB.  When the restore is done, the logons lose their memory of having access to that DB and the only way I know to restore them is to go in and manually do it every morning.There has *got* to be a better way.  I hope someone can point me to it.</description><pubDate>Wed, 07 May 2008 10:12:19 GMT</pubDate><dc:creator>mcaster</dc:creator></item><item><title>Auditing using Triggers</title><link>http://www.sqlservercentral.com/Forums/Topic495696-359-1.aspx</link><description>Has anyone tried to track logon/logoff events using triggers; I mean DDL type triggers? Can we use the TRC_SECURITY_AUDIT directly, or should we create event notifications specifically? Any help is appreciated!</description><pubDate>Tue, 06 May 2008 08:46:53 GMT</pubDate><dc:creator>Rajan John</dc:creator></item><item><title>Schema Permissions Problem</title><link>http://www.sqlservercentral.com/Forums/Topic495166-359-1.aspx</link><description>I have a SQL Server 2005 DB that was developed on our Development Server.  The DB was then moved to a production server however we had some problems with that server and the DB was detached from that server and attached to another server.  All of the users were dropped from the DB and re-added on the new server however there is 1 user that I cannot drop or modify.  
That user has the datareader and datawriter schema assigned to it.</description><pubDate>Mon, 05 May 2008 12:29:26 GMT</pubDate><dc:creator>RayMilhon</dc:creator></item><item><title>Is there anyway to find out if the hacker had done something to the database?URGENT</title><link>http://www.sqlservercentral.com/Forums/Topic495160-359-1.aspx</link><description>My company found out there was a hacker trying to hack into our system, luckily it was not successful.  However the web pages did not check the value if it was valid and actually did not check anything. The hacker put in something like ..../search.asp?search_text=product[b];DECLARE @a AS NVARCHAR(4000); SET @a = CAST(.....AS NVARCHAR(4000)) ; EXEC(@a);-[/b] The CAST statement is a whole bunch of numbers 0x44004500430043...... Now my boss wanted me to check if the database was alright.  How am I going to check?  What if the statement is a 'DELETE' statement? Please help!  Urgent!</description><pubDate>Mon, 05 May 2008 12:15:04 GMT</pubDate><dc:creator>Loner</dc:creator></item><item><title>user unable to pull the data using crystal reports</title><link>http://www.sqlservercentral.com/Forums/Topic495071-359-1.aspx</link><description>user unable to pull the data using crystal reports, there was an upgrade to the db, first he wasn't able to login, then when I gave him read permissions he says he is able to see the data but unable to pull the data. He has windows authentication and he works on odbc connection, Can anyone tell me what user role shall I give in order to resolve his problem. Thanks</description><pubDate>Mon, 05 May 2008 09:23:11 GMT</pubDate><dc:creator>Nicole</dc:creator></item><item><title>Builtin\Administrator account removal</title><link>http://www.sqlservercentral.com/Forums/Topic493889-359-1.aspx</link><description>I am trying to remove the builtin\administrator account from my servers and create an account that will have read or read\write permission to the databases. 
My question is - is there a way to give a user account a read access to the database without using this query below which will only work if you have the user account in all the databases. EXEC sp_addrolemember 'db_datareader', 'SQLRO' Also does a user account need datareader access if the account has already datawriter access.</description><pubDate>Thu, 01 May 2008 13:53:14 GMT</pubDate><dc:creator>Henry</dc:creator></item><item><title>Protecting SQL Server if the domain is compromised?</title><link>http://www.sqlservercentral.com/Forums/Topic494211-359-1.aspx</link><description>Let's assume SQL Server 2005 running on Windows 2003 Server, connected to the network but not part of the domain. One application accesses it over the network with one login. Either SQL Server or a local windows login is used for authentication. This would protect SQL Server if the domain was compromised. I can see in normal circumstances domain level logins should be used, but in certain scenarios where the security of the SQL Server box is top would this be a good solution? Thanks Danny</description><pubDate>Fri, 02 May 2008 07:06:05 GMT</pubDate><dc:creator>Danny</dc:creator></item><item><title>Protect data from unauthorized access - after a db attach</title><link>http://www.sqlservercentral.com/Forums/Topic492487-359-1.aspx</link><description>Has anyone been able to successfully resolve preventing 'hackers' from attaching a database and then being able to view the data in all tables. I have tested with an sql express 2005 instance - where I have run following when connected using sa (plus I have removed Security Logins for BUILTIN\Administrators and BUILTIN\Users - just from this instance): use MyDB create master key encryption by password = 'apwd' open master key decryption by password = 'apwd' alter master key drop encryption by service master key then I have detached MyDB and have been able to re-attach but was able to run any queries fine (either to the same instance (connecting using sa) or a 
separate SQL Express on the same computer (and connecting with Windows Authentication).  I'm not seeing any errors or messages indicating access denied.I expected that it would have at least not worked successfully to the separate instance. Have I missed something?BTW:The intention is that my application is downloaded and an instance of SQL Express is also installed and during the installation process access to Windows Authentication has been removed by removing Security Logins for BUILTIN\Administrators and BUILTIN\Users - this is what my installation code will do.However, how do I stop that person on their computer installing their own SQL Express instance and attaching my database to their new SQL Express instance (which will still have BUILTIN\Administrators and BUILTIN\Users - and thus Windows Authentication working).Also:I am concerned with competitors viewing my database design.  But from reading up stopping this is impossible. So I thought I'd just settle for competitors accessing any data in the tables.I have two client markets for my application.  The one I am addressing here is a low cost downloadable version for the end user and where I would expect there would be no local dba  or in fact even a need for a local dba. 
My concern however, is that my competitors also download my product, but have the skill set to interrogate unethically - my aim is to make this as difficult as possible. Thanks muchly</description><pubDate>Tue, 29 Apr 2008 14:19:10 GMT</pubDate><dc:creator>gcmcmahon</dc:creator></item><item><title>Running a SQL Server 2005 Job using non-sysadmin Account</title><link>http://www.sqlservercentral.com/Forums/Topic473970-359-1.aspx</link><description>My Sql server user will not be given sysadmin role in Production environment. In that case how the job will get executed?? Appreciate the Answer in Advance.</description><pubDate>Tue, 25 Mar 2008 05:59:26 GMT</pubDate><dc:creator>vijay</dc:creator></item><item><title>login failed for user 'sa'</title><link>http://www.sqlservercentral.com/Forums/Topic492677-359-1.aspx</link><description>I am using dynamics GP 10. for customization am using VBA, in that when I try to connect remote server [sql 2005] am getting this "Login failed for user 'sa' " Even this is happening for other user also. I am using ADODB.Connection method. And I set mixed mode for 'sa' also. What would be the solution for this?</description><pubDate>Wed, 30 Apr 2008 00:55:51 GMT</pubDate><dc:creator>ksprabu_cmr</dc:creator></item><item><title>Grant Create Index Privilege to a role?</title><link>http://www.sqlservercentral.com/Forums/Topic493748-359-1.aspx</link><description>I'm looking for a way to allow a login or role to create/drop indexes or a specific index if possible... So far my efforts have been in vain. Specific index would be best but we can live with any index cause right now they have the full ddl access :( Thanks, Nam</description><pubDate>Thu, 01 May 2008 10:13:26 GMT</pubDate><dc:creator>Nam Nguyen</dc:creator></item><item><title>Restrict DBO user</title><link>http://www.sqlservercentral.com/Forums/Topic490100-359-1.aspx</link><description>Hi Guys, I need some advice on a permission issue that I've run into.  
I have a database to which my QA people have dbo access.  However, there's a group of 200 or so tables in the database that I don't want them touching because they're replicated.  Changes to these tables should only go through me.  I want to give them read access to these tables and  full access to all other objects.  I can't put these tables in a separate db because the application will break.  I need a way to restrict their access to the tables while giving them DBO like privileges to the remaining db objects.  Any insights that you can give me would be greatly appreciated.  Lynn</description><pubDate>Thu, 24 Apr 2008 10:33:43 GMT</pubDate><dc:creator>Lynn</dc:creator></item></channel></rss>