Home Forums SQL Server 2005 Administering Creating USER Group in SQL Server 2005 RE: Creating USER Group in SQL Server 2005

  • July 25, 2010 at 4:05 pm

    #1197975

    what the original poster calls a "group" is what books on line calls a "role". you typically create a role and add the expected rights tot eh role, then add users to the role.

    here's a nice script i like to use as an example:

    create database Whatever

    GO

    USE Whatever

    CREATE ROLE [ReallyReadOnly]

    --give reader rights to this group

    ALTER AUTHORIZATION ON SCHEMA::[db_datareader] TO [ReallyReadOnly]

    --explicitly DENY access to writing

    ALTER AUTHORIZATION ON SCHEMA::[DB_DenyDataWriter] TO [ReallyReadOnly]

    GRANT EXECUTE TO [ReallyReadOnly]

    --create the Role for my Dev guys, who create tables and procs

    CREATE ROLE [WhateverDEVAdmins]

    ALTER AUTHORIZATION ON SCHEMA::[db_ddladmin] TO [WhateverDEVAdmins]

    ALTER AUTHORIZATION ON SCHEMA::[db_datareader] TO [WhateverDEVAdmins]

    ALTER AUTHORIZATION ON SCHEMA::[db_datawriter] TO [WhateverDEVAdmins]

    GRANT EXECUTE,ALTER TO [WhateverDEVAdmins]

    --create role for my normal users

    CREATE ROLE [WhateverDEVUsers]

    ALTER AUTHORIZATION ON SCHEMA::[db_datareader] TO [WhateverDEVUsers]

    ALTER AUTHORIZATION ON SCHEMA::[db_datawriter] TO [WhateverDEVUsers]

    GRANT EXECUTE TO [WhateverDEVUsers]

    --now add specific users to nearly-Admins

    IF NOT EXISTS (SELECT * FROM MASTER.dbo.syslogins WHERE name = N'bob')

    BEGIN

    EXEC MASTER.dbo.sp_addlogin @loginame = N'bob', @passwd = 'NotARealPassword', @defdb = N'WHATEVER', @deflanguage = N'us_english'

    --add this user to permit read and write

    END

    IF NOT EXISTS (SELECT * FROM MASTER.dbo.syslogins WHERE name = N'jeff')

    BEGIN

    EXEC MASTER.dbo.sp_addlogin @loginame = N'jeff', @passwd = 'NotARealPassword', @defdb = N'WHATEVER', @deflanguage = N'us_english'

    END

    USE [WHATEVER]

    --make a user in the db for the matching login

    CREATE USER [bob] FOR LOGIN [bob]

    CREATE USER [jeff] FOR LOGIN [jeff]

    --add these logs to the role

    EXEC sp_addrolemember N'WhateverDEVAdmins', N'bob'

    EXEC sp_addrolemember N'WhateverDEVAdmins', N'jeff'

    CREATE LOGIN [NT AUTHORITY\Authenticated Users] FROM WINDOWS WITH DEFAULT_DATABASE=[WHATEVER]

    CREATE USER [NT AUTHORITY\Authenticated Users] FOR LOGIN [NT AUTHORITY\Authenticated Users]

    EXEC sp_addrolemember N'WhateverDEVUsers', N'NT AUTHORITY\Authenticated Users'

    Lowell

    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!