Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 


 
     
Recent Posts
   
Popular Topics
Home   
Search
    Members    Calendar    Who's On

Home » SQL Server 2008 » SQL Server 2008 Administration » sql server alter permission
Add to briefcase

sql server alter permission Expand / Collapse
Rate Topic
Display Mode
Topic Options
Author
Message
vinuvt
Posted Wednesday, October 03, 2012 4:09 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Today @ 3:55 AM
Points: 6, Visits: 275
Experts

I am trying to set up permission for our IT team. All our IT staffs are member of I.T group. With the database in question the IT staffs groups are member of db_reader, db_reader and can execute all SP/Fun. one particular user I want to give the permission to modify the objects.

CREATE USER [S\Al] FOR LOGIN [S\Al] WITH DEFAULT_SCHEMA=[dbo]

added him to db_ddlAmin role

EXEC sp_addrolemember N'db_ddladmin', N'S\Al'

all the objects in our db belongs to DBO schema..so i have give alter permission on dbo schema to the user

GRANT ALTER ON SCHEMA::[dbo] TO [S\Al]

But when this user tries to modify an sp or drop a table he gets

Cannot alter the procedure 'XX', because it does not exist or you do not have permission.
Cannot drop table 'XX', because it does not exist or you do not have permission.

This user can create a new table, but if he tries to drop the newly created table he get the permission error..

This user is member of 4 other group where the group is a member of either db_owner or db_ddladmin role,

What am I doing wrong, how can i resolve this..

Thanks

VT
Post #1367525
Animal Magic
Posted Wednesday, October 03, 2012 6:31 AM
SSC Eights!

SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!SSC Eights!

Group: General Forum Members
Last Login: 2 days ago @ 9:08 AM
Points: 983, Visits: 13,350
is the database replicated?

I know a very similar error comes up on replicated databases and you have to be a dbo to be able to make ddl changes.
Post #1367619
foxxo
Posted Wednesday, October 03, 2012 7:19 AM
Say Hey Kid

Say Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey Kid

Group: General Forum Members
Last Login: Yesterday @ 6:13 PM
Points: 712, Visits: 1,053
One of the groups will have a DENY permission on ALTER or similar.
DENY takes precedence over any GRANTed permissions
Post #1367658
vinuvt
Posted Wednesday, October 03, 2012 7:52 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Today @ 3:55 AM
Points: 6, Visits: 275
No not replicated...
Post #1367690
vinuvt
Posted Wednesday, October 03, 2012 7:54 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Today @ 3:55 AM
Points: 6, Visits: 275
foxxo (10/3/2012)
One of the groups will have a DENY permission on ALTER or similar.
DENY takes precedence over any GRANTed permissions


hmm..Might be.. any script to find that..also this what i did
Added I.t group as a login on sql server
added i.t group as a user with the database.. made i.t group member of db_reader,db_writed. created a role db_executer, granted execute permission to db_executer and made i.t group member of db_executer role.

added S\Al as a login on sql sevrer
added S\Al as a db user with default schema set to DBO
added S\Al to db_ddladmin
granted alter permission on dbo to s\al

by doing this wouldn't individual get the extra permission he is been granted.. ???

to make this worse..i did exactly something on other database and same person can drop/alter objects..
Post #1367692
foxxo
Posted Wednesday, October 03, 2012 8:11 AM
Say Hey Kid

Say Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey Kid

Group: General Forum Members
Last Login: Yesterday @ 6:13 PM
Points: 712, Visits: 1,053
That would work, except if S\AI is a member of any other Windows group that exists on the SQL server which has a DENY on ALTER, then he will still get the error.
You'd need to go through and find the permissions.

eg.
select * 
from sys.database_permissions
where state <> 'G'
Post #1367705
vinuvt
Posted Wednesday, October 03, 2012 8:39 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Today @ 3:55 AM
Points: 6, Visits: 275
foxxo (10/3/2012)
That would work, except if S\AI is a member of any other Windows group that exists on the SQL server which has a DENY on ALTER, then he will still get the error.
You'd need to go through and find the permissions.

eg.
select * 
from sys.database_permissions
where state <> 'G'



Thanks..
Please see the result of the above query.. what shall i be looking..



[url=https://docs.google.com/open?id=0B0uFffnwypYVWmUtTnRMaWQ4UUE][/url]
Post #1367732
foxxo
Posted Wednesday, October 03, 2012 8:56 AM
Say Hey Kid

Say Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey Kid

Group: General Forum Members
Last Login: Yesterday @ 6:13 PM
Points: 712, Visits: 1,053
Check the permissions on the objects with DENY

select p.name, p.type_desc,OBJECT_NAME(dp.major_id),OBJECT_SCHEMA_NAME(dp.major_id), dp.permission_name, dp.state_desc
from sys.database_permissions dp
inner join sys.database_principals p on dp.grantee_principal_id = p.principal_id
where dp.state <> 'G'

Edit, actually it'll be the DENY at the database level for principal_id = 54
So check who that is - if it's S\I then fix the permissions by using a REVOKE


select p.name, p.type_desc
from sys.database_principals p
where p.principal_id = 54
Post #1367751
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse

 
 
Copyright © 2002-2013 Simple Talk Publishing. All Rights Reserved. Privacy Policy. Terms of Use. Report Abuse.