how to create user that can login to create and edit but cannot delete?

Click here to monitor SSC

<a href="http://g.adspeed.net/ad.php?do=clk&zid=15220&wd=468&ht=60&pair=as" target="_blank"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=15220&wd=468&ht=60&pair=as" alt="i" width="468" height="60"/></a>

SQLServerCentral is supported by Red Gate Software Ltd.

Log in :: Register :: Not logged in

<a href="http://g.adspeed.net/ad.php?do=clk&zid=15491&wd=120&ht=300&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=15491&wd=120&ht=300&pair=as" alt="i" width="120" height="300"/></a>

Recent Posts

Popular Topics

Home

Home » SQL Server 2012 » SQL 2012 - General » how to create user that can login to create...

Add to briefcase

13 posts, Page 1 of 2

1 2 »»

how to create user that can login to create and edit but cannot delete?

Expand / Collapse

Author

Message

Posted Thursday, March 14, 2013 7:45 PM

SSC Rookie

Group: General Forum Members
Last Login: Wednesday, March 20, 2013 9:02 PM
Points: 33, Visits: 37

Circumstances require a user that can be restricted to login to a specific database to create and edit data entered into tables but cannot delete anything. I presume this type of security has been around awhile but I could not find anything searching around so I ask is it possible and if so I need to learn how.

I may also need some help with the T-SQL because the database is being generated by script that was generated by a tool and I will have to modify that generated sql script to create the user and login.

Post #1431324

Posted Thursday, March 14, 2013 11:18 PM

SSC-Dedicated

Group: General Forum Members
Last Login: Yesterday @ 11:54 PM
Points: 33,113, Visits: 27,041

clintonG (3/14/2013)

Circumstances require a user that can be restricted to login to a specific database to create and edit data entered into tables but cannot delete anything. I presume this type of security has been around awhile but I could not find anything searching around so I ask is it possible and if so I need to learn how.

I may also need some help with the T-SQL because the database is being generated by script that was generated by a tool and I will have to modify that generated sql script to create the user and login.

Take a look at GRANT and DENY in Books Online (press the {f1} key in SSMS to get there) and also have a look at all the different permissions that can be used in the links included in those two BOL articles.

--Jeff Moden

"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

For better, quicker answers on T-SQL questions, click on the following...
http://www.sqlservercentral.com/articles/Best+Practices/61537/

For better answers on performance questions, click on the following...
http://www.sqlservercentral.com/articles/SQLServerCentral/66909/

Post #1431356

Posted Saturday, March 16, 2013 3:25 AM

SSC Rookie

Group: General Forum Members
Last Login: Thursday, June 13, 2013 1:59 AM
Points: 48, Visits: 152

Just right click on the database and take permission tab. here u can assign the user for permissions.

http://msdn.microsoft.com/en-IN/library/ms178569.aspx

Post #1431873

Posted Saturday, March 16, 2013 12:40 PM

SSCertifiable

Group: General Forum Members
Last Login: Yesterday @ 10:11 AM
Points: 5,242, Visits: 11,262

clintonG (3/14/2013)

Circumstances require a user that can be restricted to login to a specific database to create and edit data entered into tables but cannot delete anything. I presume this type of security has been around awhile but I could not find anything searching around so I ask is it possible and if so I need to learn how.

I may also need some help with the T-SQL because the database is being generated by script that was generated by a tool and I will have to modify that generated sql script to create the user and login.

insert and update all tables or a handful?

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" Wink

Wink

Post #1431936

Posted Saturday, March 16, 2013 1:07 PM

SSC Rookie

Group: General Forum Members
Last Login: Wednesday, March 20, 2013 9:02 PM
Points: 33, Visits: 37

Here is one solution perhaps the best I've learned so far:

// Transact-SQL
REVOKE privilege_name
ON object_name
FROM {user_name |PUBLIC |role_name}

// Example
REVOKE DELETE
ON TransactionRecordsTable
FROM employee

Post #1431937

Posted Saturday, March 16, 2013 1:12 PM

SSC Rookie

Group: General Forum Members
Last Login: Wednesday, March 20, 2013 9:02 PM
Points: 33, Visits: 37

Perry Whittle (3/16/2013)

clintonG (3/14/2013)

Circumstances require a user that can be restricted to login to a specific database to create and edit data entered into tables but cannot delete anything. I presume this type of security has been around awhile but I could not find anything searching around so I ask is it possible and if so I need to learn how.

I may also need some help with the T-SQL because the database is being generated by script that was generated by a tool and I will have to modify that generated sql script to create the user and login.

insert and update all tables or a handful?

Disallow a specific User type the permission to DELETE any type of object in a specific database including disallowing deleting the database itself.

This is a project for small businesses like pawnbrokers and second-hand resellers to record transactions they are required to report to police. I intend to disallow DELETE for what I hope is now an obvious reason. I think we call it "cover my @ss lol.

Post #1431939

Posted Saturday, March 16, 2013 1:31 PM

SSCertifiable

Group: General Forum Members
Last Login: Yesterday @ 10:11 AM
Points: 5,242, Visits: 11,262

clintonG (3/16/2013)

Here is one solution perhaps the best I've learned so far:

// Transact-SQL
REVOKE privilege_name
ON object_name
FROM {user_name |PUBLIC |role_name}

// Example
REVOKE DELETE
ON TransactionRecordsTable
FROM employee

REVOKE only clears the granted permission, a user may still obtain this via another role,etc.

clintonG (3/16/2013)

Disallow a specific User type the permission to DELETE any type of object in a specific database

You could grant the user insert and update permission on the schema the objects reside in.

clintonG (3/16/2013)

including disallowing deleting the database itself.

No need to fear here as this requires a high level of elevated privilege. The user must have at least CONTROL on the database or be a member of DB_Owner role or SYSADMIN role, as long as you're not granting this then that's fine.

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" Wink

Wink

Post #1431940

Posted Saturday, March 16, 2013 6:06 PM

SSC Rookie

Group: General Forum Members
Last Login: Wednesday, March 20, 2013 9:02 PM
Points: 33, Visits: 37

You could grant the user insert and update permission on the schema the objects reside in.

I was going to try it this way:

EXEC sp_addrolemember db_datareader, $(DatabaseUserName)
EXEC sp_addrolemember db_datawriter, $(DatabaseUserName)
REVOKE DELETE
ON $(DatabaseName)
FROM {$(DatabaseUserName)}

* Is the syntax correct?
* Is there anything problematic with this approach?

Post #1431951

Posted Saturday, March 16, 2013 6:47 PM

SSC Rookie

Group: General Forum Members
Last Login: Wednesday, March 20, 2013 9:02 PM
Points: 33, Visits: 37

clintonG (3/16/2013)

You could grant the user insert and update permission on the schema the objects reside in.

I was going to try it this way:

EXEC sp_addrolemember db_datareader, $(DatabaseUserName)
EXEC sp_addrolemember db_datawriter, $(DatabaseUserName)
REVOKE DELETE
ON $(DatabaseName)
FROM {$(DatabaseUserName)}

* Is the syntax correct?
* Is there anything problematic with this approach?

Post #1431952

Posted Saturday, March 16, 2013 6:57 PM

SSC Rookie

Group: General Forum Members
Last Login: Wednesday, March 20, 2013 9:02 PM
Points: 33, Visits: 37

// FAILED:

EXEC sp_addrolemember db_datareader, $(DatabaseUserName)
EXEC sp_addrolemember db_datawriter, $(DatabaseUserName)
REVOKE DELETE
ON $(DatabaseName)
FROM {$(DatabaseUserName)}

* Is the syntax correct?
* Is there anything problematic with this approach?

When I ran CreateUser.sql that failed with this message:
Cannot grant, deny, or revoke permissions to sa, dbo, entity owner, information_schema, sys, or yourself.

// CreateUser.sql

:setvar DatabaseName "PasswordVault"
:setvar DatabaseUserName "csg"
:setvar DatabaseUserPassword "csg"
GO

USE [$(DatabaseName)]

DECLARE @usercount int
SELECT @usercount=COUNT(name) FROM sys.database_principals WHERE name = '$(DatabaseUserName)'
IF @usercount = 0
    CREATE USER $(DatabaseUserName) FOR LOGIN $(DatabaseUserName)
GO

EXEC sp_addrolemember db_datareader, $(DatabaseUserName)
EXEC sp_addrolemember db_datawriter, $(DatabaseUserName)
REVOKE DELETE
ON      $(DatabaseName)
FROM {$(DatabaseUserName)}
GO

NOTE: no previous login or user named 'csg' existed before I ran scripts. Another script actually generates the database and the database was created as expected.

Neither a Login nor User named csg was created by CreateUser.sql.

Apparently CreateUser.sql bombed out because it tried to REVOKE DELETE on something not allowed but I can't determine what at the moment.

Post #1431953

« Prev Topic | Next Topic »

Add to briefcase

13 posts, Page 1 of 2

1 2 »»

Permissions

Expand / Collapse