Home Forums SQL Server 2008 SQL Server 2008 - General DB Role permissions RE: DB Role permissions

  • April 22, 2010 at 9:22 am

    #1156205

    thx for that clarification Greg.. also derived this info:

    *** We can also include a custom created --> db_executor priveledge w/in these Roles (see definition below) which will set each Role with execute permissions on all existing stored procedures and scalar functions AND all subsequently created ones.

    ____________________________________________________________________

    Database-level Roles: http://msdn.microsoft.com/en-us/library/ms189121.aspx

    db_accessadmin - Members of the db_accessadmin fixed database role can add or remove access to the database for Windows logins, Windows groups, and SQL Server logins.

    db_ddladmin - Members of the db_ddladmin fixed database role can run any Data Definition Language (DDL) command in a database.

    db_datawriter - Members of the db_datawriter fixed database role can add, delete, or change data in all user tables.

    db_datareader - Members of the db_datareader fixed database role can read all data from all user tables.

    ____________________________________________________________________

    msdb Roles (req'd for SSIS Pkg promotion)

    db_ssisadmin, db_ssisoperator, db_ssisltduser - Members of these database roles can administer and use SSIS. Instances of SQL Server that are upgraded from an earlier version might contain an older version of the role that was named using Data Transformation Services (DTS) instead of SSIS.

    Caution/Important: Members of the db_ssisadmin role and the dc_admin role may be able to elevate their privileges to sysadmin. This elevation of privilege can occur because these roles can modify Integration Services packages and Integration Services packages can be executed by SQL Server using the sysadmin security context of SQL Server Agent. To guard against this elevation of privilege when running maintenance plans, data collection sets, and other Integration Services packages, configure SQL Server Agent jobs that run packages to use a proxy account with limited privileges or only add sysadmin members to the db_ssisadmin and dc_admin roles.

    Review SSIS Roles here: http://msdn.microsoft.com/en-us/library/ms141053.aspx

    SQL Server Integration Services includes the three fixed database-level roles, db_ssisadmin, db_ssisltduser, and db_ssisoperator, for controlling access to packages. Roles can be implemented only on packages that are saved to the msdb database in SQL Server. You assign roles to a package using SQL Server Management Studio. The role assignments are saved to the msdb database. (Our SSIS Pkg's are NOT saved to msdb; they're saved to the File System!!)

    ____________________________________________________________________

    EXECUTE PROC/SCALAR FUNCTION Permission - SQL Server 2008/5 make the EXECUTE permission grantable at the database scope. We can issue a statement like the example below and this will GRANT execute permissions on all existing stored procedures and scalar functions AND all subsequently created ones.

    Use myDatabase

    GO

    /* CREATE A NEW ROLE */

    CREATE ROLE db_executor

    /* GRANT EXECUTE TO THE ROLE */

    GRANT EXECUTE TO db_executor

    BT