sql server alter permission


vinuvt
Experts

I am trying to set up permissions for our IT team. All our IT staff are members of the I.T group. In the database in question, the IT staff group is a member of db_reader, db_reader and can execute all SP/Fun. I want to give one particular user the permission to modify the objects.

CREATE USER [S\Al] FOR LOGIN [S\Al] WITH DEFAULT_SCHEMA=[dbo]

Added him to the db_ddladmin role:

EXEC sp_addrolemember N'db_ddladmin', N'S\Al'

All the objects in our db belong to the DBO schema, so I have given ALTER permission on the dbo schema to the user:

GRANT ALTER ON SCHEMA::[dbo] TO [S\Al]

But when this user tries to modify an sp or drop a table he gets

Cannot alter the procedure 'XX', because it does not exist or you do not have permission.
Cannot drop table 'XX', because it does not exist or you do not have permission.

This user can create a new table, but if he tries to drop the newly created table he gets the permission error.

This user is a member of 4 other groups, where the group is a member of either the db_owner or db_ddladmin role.

What am I doing wrong? How can I resolve this?

Thanks

VT
Animal Magic
Is the database replicated?

I know a very similar error comes up on replicated databases and you have to be a dbo to be able to make ddl changes.
Andrew G
One of the groups will have a DENY permission on ALTER or similar.
DENY takes precedence over any GRANTed permissions
vinuvt
No, not replicated.
vinuvt
foxxo (10/3/2012)
One of the groups will have a DENY permission on ALTER or similar.
DENY takes precedence over any GRANTed permissions


Hmm, might be. Any script to find that? Also, this is what I did:
Added the I.T group as a login on SQL Server.
Added the I.T group as a user in the database. Made the I.T group a member of db_reader, db_writer. Created a role db_executer, granted execute permission to db_executer and made the I.T group a member of the db_executer role.

Added S\Al as a login on SQL Server.
Added S\Al as a db user with default schema set to DBO.
Added S\Al to db_ddladmin.
Granted alter permission on dbo to S\Al.

By doing this, wouldn't the individual get the extra permission he has been granted?

To make this worse, I did exactly the same thing on another database and the same person can drop/alter objects.
Andrew G
That would work, except if S\AI is a member of any other Windows group that exists on the SQL server which has a DENY on ALTER, then he will still get the error.
You'd need to go through and find the permissions.

e.g.

select *
from sys.database_permissions
where state <> 'G'


vinuvt
foxxo (10/3/2012)
That would work, except if S\AI is a member of any other Windows group that exists on the SQL server which has a DENY on ALTER, then he will still get the error.
You'd need to go through and find the permissions.

e.g.

select *
from sys.database_permissions
where state <> 'G'




Thanks.
Please see the result of the above query. What should I be looking for?



[Attached image of the query result: unavailable]
Andrew G
Check the permissions on the objects with DENY:

select p.name, p.type_desc,OBJECT_NAME(dp.major_id),OBJECT_SCHEMA_NAME(dp.major_id), dp.permission_name, dp.state_desc
from sys.database_permissions dp
inner join sys.database_principals p on dp.grantee_principal_id = p.principal_id
where dp.state <> 'G'



Edit: actually it'll be the DENY at the database level for principal_id = 54.
So check who that is. If it's S\I then fix the permissions by using a REVOKE.


select p.name, p.type_desc
from sys.database_principals p
where p.principal_id = 54
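
Added example, not part of the original thread: the checks discussed above can be run from the affected user's own security context, so DENY rows inherited through Windows groups and roles show up without knowing the group names in advance. It assumes the caller is allowed to impersonate [S\Al] (the user from the original post) and filters on state = 'D' to return DENY rows only.

```sql
-- Added example (not from the thread). Run in the affected database as a
-- principal with IMPERSONATE permission on the user, e.g. a db_owner member.
-- [S\Al] is the user named in the original post.
EXECUTE AS USER = N'S\Al';

-- 1) Every database principal in the user's token: the user itself, any
--    Windows groups that are users in this database, and the roles reached
--    through them (including public).
SELECT ut.principal_id, ut.name, ut.type, ut.usage
FROM sys.user_token AS ut
ORDER BY ut.type, ut.name;

-- 2) DENY rows attached to any of those principals. A single row here is
--    enough to override a GRANT obtained through another membership.
SELECT ut.name            AS denied_via,
       ut.type            AS principal_type,
       dp.class_desc,
       CASE dp.class
            WHEN 0 THEN DB_NAME()                      -- database-level DENY
            WHEN 1 THEN OBJECT_SCHEMA_NAME(dp.major_id)
                        + N'.' + OBJECT_NAME(dp.major_id)
            WHEN 3 THEN SCHEMA_NAME(dp.major_id)       -- schema-level DENY
       END                AS securable,
       dp.permission_name,
       dp.state_desc
FROM sys.user_token AS ut
JOIN sys.database_permissions AS dp
  ON dp.grantee_principal_id = ut.principal_id
WHERE dp.state = 'D'
ORDER BY dp.class, securable, dp.permission_name;

-- 3) Effective result as the engine evaluates it (1 = allowed, 0 = not).
SELECT HAS_PERMS_BY_NAME(N'dbo', N'SCHEMA', N'ALTER')       AS can_alter_dbo_schema,
       HAS_PERMS_BY_NAME(DB_NAME(), N'DATABASE', N'ALTER')  AS can_alter_database;

-- Return to the caller's own context.
REVERT;
```

The `denied_via` column names the group or role carrying the DENY, which is the principal to REVOKE from.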

