server role and permission
Erland Sommarskog
sqlfriends (1/21/2014):
By reading the definition from the Microsoft site below, it looks like if we grant VIEW DEFINITION at the server level and also add the user to the database without granting any permissions, that is equivalent to granting the user VIEW DEFINITION on the securables.


No. Try this (replace ssgrep with any database you might have):

USE master
go
CREATE LOGIN bludder WITH PASSWORD = 'offentligt'
GRANT VIEW ANY DEFINITION TO bludder
go
EXECUTE AS LOGIN = 'bludder'
go
SELECT * FROM ssgrep.sys.tables
go
REVERT
go
DROP LOGIN bludder



This produces the error message

Server: Msg 916, Level 14, State 1, Line 1
The server principal "bludder" is not able to access the database "ssgrep" under the current security context.


The example also shows how easily you can test a certain permission scenario.

To create a user without creating a schema, use CREATE USER.

Erland Sommarskog, SQL Server MVP, www.sommarskog.se
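The same EXECUTE AS LOGIN technique, extended into a step-by-step check of what VIEW ANY DEFINITION does and does not grant, as an added example that is not part of Erland's post. It assumes a database named ssgrep (replace with any database you have) and a throwaway login called permtest with a constructed password; the cleanup at the end removes both.

```sql
-- Added example, not from the original post. Assumes database ssgrep and a
-- throwaway login permtest; HAS_PERMS_BY_NAME reports the impersonated login's
-- effective permissions without having to provoke error 916.
USE master;
GO
CREATE LOGIN permtest WITH PASSWORD = 'Constructed#Pw1';   -- constructed value
GRANT VIEW ANY DEFINITION TO permtest;
GO

-- Step 1: server-level permission only, no database user yet.
EXECUTE AS LOGIN = 'permtest';
SELECT 'server: VIEW ANY DEFINITION' AS checked,
       HAS_PERMS_BY_NAME(NULL, NULL, 'VIEW ANY DEFINITION') AS held;
-- No user is mapped in ssgrep, so CONNECT is not held (guest is disabled
-- by default in user databases) and ssgrep.sys.tables cannot be queried.
SELECT 'database: CONNECT ssgrep' AS checked,
       HAS_PERMS_BY_NAME('ssgrep', 'DATABASE', 'CONNECT') AS held;
REVERT;
GO

-- Step 2: map the login to a user. CREATE USER, unlike sp_adduser,
-- creates no schema owned by the user.
USE ssgrep;
GO
CREATE USER permtest FOR LOGIN permtest;
GO
USE master;
GO
EXECUTE AS LOGIN = 'permtest';
SELECT 'database: CONNECT ssgrep' AS checked,
       HAS_PERMS_BY_NAME('ssgrep', 'DATABASE', 'CONNECT') AS held;
-- Metadata is now visible, but VIEW ANY DEFINITION is not SELECT:
-- the login can list tables yet holds no data-reading permission.
SELECT COUNT(*) AS visible_tables FROM ssgrep.sys.tables;
SELECT 'database: SELECT ssgrep' AS checked,
       HAS_PERMS_BY_NAME('ssgrep', 'DATABASE', 'SELECT') AS held;
REVERT;
GO

-- Cleanup: drop the user first, then the login.
USE ssgrep;
GO
DROP USER permtest;
GO
USE master;
GO
DROP LOGIN permtest;
GO
```

Run each batch as a sysadmin; the HAS_PERMS_BY_NAME rows make the before/after difference explicit, which is handy when auditing a monitoring account for least privilege.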
sqlfriends
Thanks. I tried the way you test, and it looks like if the user is added to the database without any other permissions, and it has the server role view server definition, it will work.

I will also use CREATE USER to replace sp_adduser in the last statement.


Thanks much
sqlfriends
I rewrite the script as this:

USE master
GRANT VIEW SERVER STATE TO [mydomain\sys$swind]
GRANT VIEW ANY DEFINITION TO [mydomain\sys$swind]
GRANT EXECUTE ON xp_readerrorlog TO [mydomain\sys$swind]
EXECUTE sp_MSforeachdb 'USE [?]; CREATE USER [mydomain\sys$swind] FOR LOGIN [mydomain\sys$swind]'
USE msdb
EXEC sp_addrolemember N'db_datareader', [mydomain\sys$swind]

It works great.

And by replacing sp_adduser with CREATE USER, there is no schema created for the user in all the databases except one, master. Why in the master database does the user still own a schema that has the same name as the login name?


Thanks
Erland Sommarskog
sqlfriends (1/22/2014):
And by replacing sp_adduser with CREATE USER, there is no schema created for the user in all the databases except one, master. Why in the master database does the user still own a schema that has the same name as the login name?


I was not able to repeat this. Maybe this is something the application does already at installation?

Erland Sommarskog, SQL Server MVP, www.sommarskog.se