Blog Post

db_ddladmin and the SSMS table designer

,

If you want to grant a user the ability to create/alter/delete any table, SP, function etc in a database you have a several options. For example:

  • You can grant all of the CREATE permissions either to the database itself or to all of the schemas.
  • You can add the user to the db_ddladmin role
  • You can add the user to the db_owner role

 

I’m sure if you tried you could come up with several other options but these are the ones that come immediately to mind. The first one sounds really complicated to me. The third one is way more power than you want to grant unless it’s absolutely needed. That leaves the second, which in my opinion is really the way you want to go. In fact db_ddladmin was specifically designed for this type of security role.

Interestingly if you grant add someone to the db_ddladmin role and they try to go into the table designer in SSMS they are going to see the following warning:

DDLAdminSSMSOE1

No big deal really. This is just a warning and doesn’t actually say you won’t be able to make changes, just that you might not have sufficient permissions.

However, even more interestingly if you are using SSMS 2008R2 then you are also going to see the following error:

DDLAdminSSMSOE2

At this point you really do have a problem. There is a bug in the table designer that will not allow a user that is not at least a member of the db_owner role to modify tables. I’m currently on 2008R2 SP2 and I have no idea if this will be fixed in SP3 but I’m not holding my breath. There is a closed connect item on this that indicated it would be fixed in a future version (and it is fixed in SQL 2012) but didn’t mention a fix being released in a service pack. Also after some superficial testing I believe this error will occur at ANY level of permissions lower than membership in the db_owner role.

If you happen to be the type that prefers to use code over the GUI like I am, you may never notice this. Or for that matter if you are not living in the past like I am you won’t notice it either. Unfortunately it was a real shock to me when one of my users ran into it. So be warned!

Filed under: Microsoft SQL Server, Problem Resolution, Security, SQLServerPedia Syndication, SSMS Tagged: database permissions, microsoft sql server, problem resolution, security, SSMS

Rate

You rated this post out of 5. Change rating

Share

Share

Rate

You rated this post out of 5. Change rating

Related content

Technical Article

Database Mirroring FAQ: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup?

Question: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? This question was sent to me via email. My reply follows. Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? Databases to be mirrored are currently running on 2005 SQL instances but will be upgraded to 2008 SQL in the near future.

You rated this post out of 5. Change rating

2009-02-23

1,567 reads

Technical Article

Networking - Part 4

You may want to read Part 1 , Part 2 , and Part 3 before continuing. This time around I'd like to talk about social networking. We'll start with social networking. Facebook, MySpace, and Twitter are all good examples of using technology to let...

You rated this post out of 5. Change rating

2009-02-17

1,530 reads

Technical Article

Speaking at Community Events - More Thoughts

Last week I posted Speaking at Community Events - Time to Raise the Bar?, a first cut at talking about to what degree we should require experience for speakers at events like SQLSaturday as well as when it might be appropriate to add additional focus/limitations on the presentations that are accepted. I've got a few more thoughts on the topic this week, and I look forward to your comments.

You rated this post out of 5. Change rating

2009-02-13

360 reads