Enable 'Allow modifications to be made directly to the system catalogs'

  • Hey,

    My last question didn't get much help, so I thought I would ask a more direct one with fewer parts. How do I enable 'Allow modifications to be made directly to the system catalogs' with SQL?

    Thanks

  • since 2005, it's no longer possible. the old SQL 2000 syntax is ignored.

    what is it you think you want to change, that cannot be done with the normal commands?

    Lowell


    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!

  • First thanks for the reply,

    Secondly, I am trying to delete access to Object Permissions for the public user. (I am not worried about the side effects, it has to be done.) The SQL command I am using deletes all of the Object Permissions for public except 26. Now I have read that if I don't enable the 'Allow modifications to be made directly to the system catalogs' I can't delete them all, and I am assuming this is the problem which I am facing. Is there a workaround in 2005 or am I just screwed?

  • That 26 is the number of Object Permissions, sorry, I should have clarified that!

  • let's look at the details....show us the SQL you are using to identify objects you want to take away access from; that will really let us help you better.

    if it is things like views for sysobjects or something like that, that would be an example of a change you cannot make.

    from BOL:

    http://msdn.microsoft.com/en-us/library/bb669065.aspx

    The public Role

    The public role is contained in every database, which includes system databases. It cannot be dropped and you cannot add or remove users from it. Permissions granted to the public role are inherited by all other users and roles because they belong to the public role by default. Grant public only the permissions you want all users to have.

    Lowell



  • USE [database name]

    SELECT u.name 'User', o.name 'Object', p.permission_name 'Action'
    FROM sys.database_permissions p, sys.database_principals u, sys.all_objects o
    WHERE o.object_id = p.major_id
    AND p.grantee_principal_id = u.principal_id
    AND p.grantee_principal_id IN (0, 2)
    ORDER BY u.name, o.name, p.permission_name

    It is displaying a list of SELECT and EXECUTE. I can delete all except the last 26, which are a mix of the two.

  • Use the REVOKE statement to remove permissions.

    Example

    REVOKE SELECT on SomeTable TO Public

    Specific statement depends on what the objects are.

    Directly editing the system tables, even on SQL 2000, was just asking for a corrupt database. I had to clean up often enough after people who just wanted to quickly edit the system tables and not care about the side effects (which can be a completely unusable database if you're not careful)

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass

  • What is the purpose of removing that access from the public role? What is it you are trying to accomplish here?

    Take a look at VIEW DEFINITION in books online. I think that might be what you are trying to get at.

    Jeffrey Williams
    “We are all faced with a series of great opportunities brilliantly disguised as impossible situations.”

    ― Charles R. Swindoll


  • - I already have the Revoke applied; my code uses a cursor to run through each Object name. Unfortunately though there are a few that it's not sufficient to delete. I appreciate your concern, but I implied I don't care about the side effects to avoid a lecture. Plus I am installing the SQL and running this script to set it up. No unfortunate DBAs or SAs will get stuck cleaning it up.

    - I have to delete these permissions from the user, because it's a secure system. So we cannot allow anyone assigned to Public to have any access.

  • ok i think i'm following along; i created a brand new database in SQL 2005, and ran the following script to generate the revoke statements; i think the difference for me is i'm specifically getting the schema name of the objects as well, and that is allowing me to drop access to things like sys.all_columns:

    --CREATE DATABASE [SandBox]
    GO
    USE [SandBox]

    SELECT
        'REVOKE ' + convert(varchar(50),x.[Action])
        + ' on ' + x.[Schema]
        + '.' + convert(varchar(50),x.[Object])
        + ' TO ' + convert(varchar(50),x.[User]) COLLATE Latin1_General_CI_AS
    FROM (
        SELECT
            u.name COLLATE Latin1_General_CI_AS AS 'User',
            schema_name(o.schema_id) As 'Schema',
            o.name COLLATE Latin1_General_CI_AS AS 'Object' ,
            p.permission_name COLLATE Latin1_General_CI_AS AS 'Action'
            --into tmp
        FROM sys.database_permissions p, sys.database_principals u, sys.all_objects o
        WHERE o.object_id = p.major_id
        AND p.grantee_principal_id = u.principal_id
        AND p.grantee_principal_id IN (0, 2)
    ) X

    Lowell


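As an added example (not code from any poster in this thread), here is a variant of the REVOKE generator above that assumes the same [SandBox] database and the same grantees, principal IDs 0 (public) and 2 (guest). It restricts the join to object-class permissions, brackets every name with QUOTENAME instead of converting to varchar(50), and emits a column list or CASCADE where the catalog row calls for it; like the original, it only prints statements for review.

```sql
-- Added example: generate (do not execute) REVOKE statements for
-- object-level permissions granted to public (0) and guest (2).
USE [SandBox];  -- database name taken from the post above
GO

SELECT
    -- permission_name has a fixed catalog collation; forcing the database
    -- default here avoids collation conflicts in the concatenation.
    'REVOKE ' + p.permission_name COLLATE DATABASE_DEFAULT
    + ' ON OBJECT::'
    + QUOTENAME(SCHEMA_NAME(o.schema_id)) + '.' + QUOTENAME(o.name)
    -- minor_id > 0 marks a column-level permission on that object.
    + CASE WHEN p.minor_id > 0
           THEN ' (' + QUOTENAME(c.name) + ')'
           ELSE '' END
    + ' FROM ' + QUOTENAME(u.name)
    -- state 'W' = GRANT WITH GRANT OPTION, which needs CASCADE to revoke.
    + CASE WHEN p.state = 'W' THEN ' CASCADE' ELSE '' END
    + ';' AS revoke_statement
FROM sys.database_permissions AS p
JOIN sys.database_principals AS u
    ON u.principal_id = p.grantee_principal_id
JOIN sys.all_objects AS o
    ON o.object_id = p.major_id
LEFT JOIN sys.all_columns AS c
    ON c.object_id = p.major_id
   AND c.column_id = p.minor_id
WHERE p.class = 1                  -- object or column; major_id is an object_id
  AND p.state IN ('G', 'W')        -- skip DENY rows, which are not grants
  AND p.grantee_principal_id IN (0, 2)
ORDER BY u.name, o.name, p.permission_name;
```

Without the `p.class = 1` filter, a `major_id` that belongs to another securable class (a schema, for example) can match an unrelated `object_id` and produce a REVOKE for the wrong object.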

  • Lowell (1/11/2010)


    since 2005, it's no longer possible. the old SQL 2000 syntax is ignored.

    Just for the record, it is still possible (and documented). I'm not going to go into details on this particular thread though 😉

  • yeah i had read an article about how to update 2005+ system catalogs as well; after all, service packs need the ability to do it, so it has to exist, it's just not so obvious any more.

    Lowell



  • Lowell (1/11/2010)


    ok i think i'm following along; i created a brand new database in SQL 2005, and ran the following script to generate the revoke statements; i think the difference for me is i'm specifically getting the schema name of the objects as well, and that is allowing me to drop access to things like sys.all_columns:

    ...

    Nice script Lowell. I also like that the script does not immediately execute the Revoke statements.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR

  • Hey guys,

    Thanks for the responses, they are really helping. When I incorporated searching for the schema instead of just using sys, I was actually able to knock 26 down to 21. Then, as silly as this sounds, one of my variables needed to be lengthened, and that brought it down to 20. However, I am still trying to get rid of those last few! Paul, would you at least be willing to point me towards some resources to help me figure out how to enable 'allow modifications to be made directly to the system catalog'?

    Thanks,

  • Lowell's script worked just fine for me.

    Perhaps if you were to share the script you are using and details of the objects which aren't working...?

    You really don't want to modify the system catalogues directly. Even if you think you do. 🙂

Viewing 15 posts - 1 through 15 (of 28 total)
