April 28, 2017 at 7:59 am
HI
im having a few issues trying to set minimum permissions, for any table that has a trigger i can not update or insert even though i have update and insert permissions on both tables. if i disable the trigger all is good but if i re enable i get a permissions error (the user does not have permissions) the trigger just inserts data from table one into table 2 from deleted.
***The first step is always the hardest *******
April 28, 2017 at 8:16 am
My guess would be that the user trying to INSERT/UPDATE doesn't have permission (or has DENY) on the table the trigger is inserting into. is the table that the trigger it is inserting into on a different database, or does it have a different owner?
What is the error message you are receiving when you attempt to insert/update?
Thom~
Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
Larnu.uk
April 28, 2017 at 8:23 am
When i disable the trigger i can insert or update both tables no problems when the trigger is on i get this error the The user does not have permission to perform this action
***The first step is always the hardest *******
April 28, 2017 at 8:33 am
the trigger is probably inserting into an audit table, right? and a normal end user does not have access to that table; it might be sending an email, or something else, but the code INSIDE the trigger is doing something the normal user does not have permissions for.
I would recommend either signing the trigger with a certificate, or changing the trigger to EXECUTE AS OWNER to resolve the permissions issue.
Lowell
April 30, 2017 at 2:58 am
Thanks lowell
the trigger fires after insert or update and is as basic as; insert x from inserted or deleted. I have select, update, insert and delete permissions on both tables and I can insert update and delete from both tables but I can not insert when trigger is enabled.
I can get this to work if i assign myself view server state but i am trying to avoid using this principle
***The first step is always the hardest *******
April 30, 2017 at 3:56 pm
SGT_squeequal - Sunday, April 30, 2017 2:58 AMThanks lowell
the trigger fires after insert or update and is as basic as; insert x from inserted or deleted. I have select, update, insert and delete permissions on both tables and I can insert update and delete from both tables but I can not insert when trigger is enabled.I can get this to work if i assign myself view server state but i am trying to avoid using this principle
If the trigger is inserting into an audit table, you probably don't want to grant SELECT, UPDATE and DELETE permissions on the audit table to everyone. PLEASE don't grant view server state to a limited login. You're doing it right by going with least privs, so don't start granting the keys to the kingdom.
Did you change the trigger the way Lowell suggested - WITH EXECUTE AS OWNER in the definition of the trigger?
April 30, 2017 at 4:35 pm
view server state? i guess you are trying to select info about the connection from sys.dm_exec_connections
stick with what i said, either sign the trigger or use EXECUTE AS OWNER
there are ConnectionProperty functions that you can sue to get the same info that exists in the dmv's without access.
here's decent example of an audit that works in a trigger: SELECT
getdate() AS EventDate,
DB_NAME() AS DBName,
CURRENT_USER AS CurrentUser,
HOST_NAME() AS HostName,
APP_NAME() AS ApplicationName,
OBJECT_NAME(@@PROCID) AS ProcedureName,
USER_ID() AS Userid,
USER_NAME() AS UserName,
SUSER_ID() AS sUserid,
SUSER_SNAME() AS sUserName,
IS_SRVROLEMEMBER ('sysadmin') AS [Is_ServerAdmin_Sysadmin],
IS_MEMBER('db_owner') AS [Is_DB_owner],
IS_MEMBER('db_ddladmin') AS [Is_DDL_Admin],
IS_MEMBER('db_datareader') AS [Is_DB_Datareader],
ORIGINAL_LOGIN() AS [ORIGINAL_LOGIN],
ConnectionProperty('net_transport') AS 'net_transport',
ConnectionProperty('protocol_type') AS 'protocol_type',
ConnectionProperty('auth_scheme') AS 'auth_scheme',
ConnectionProperty('local_net_address') AS 'local_net_address',
ConnectionProperty('local_tcp_port') AS 'local_tcp_port',
ConnectionProperty('client_net_address') AS 'client_net_address',
ConnectionProperty('physical_net_transport') AS 'physical_net_transport'
Lowell
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply