June 24, 2011 at 7:30 am
I have many users setup in my SQL 2008 db.
All those users are then assigned to Database Roles I created, based on jib function/department.
Those Roles then specify what tables/views they can SELECT.
But is there a single switch that I can DENYREAD to all users and roles, except the sysadmin server role, do some table maintanence, and then switch the roles back to SELECT?
Currently, I go into each Database Role, and for each Securable I uncheck Select-Grant and check Select-Deny. That turns into quite a few check boxes. Then I reverse the process when I want to let them all in.
Is there a quicker, simpler method? I have a feeling I making this more complicated than needed.
June 24, 2011 at 7:33 am
odeonkreel (6/24/2011)
I have many users setup in my SQL 2008 db.All those users are then assigned to Database Roles I created, based on jib function/department.
Those Roles then specify what tables/views they can SELECT.
But is there a single switch that I can DENYREAD to all users and roles, except the sysadmin server role, do some table maintanence, and then switch the roles back to SELECT?
yes,, a database can be set to modes like RESTRICTED_USER (sysadmins) or SINGLE_USER, or you can even set the whole database to read only;
this will kick everyone off, rollback their transacitons, and only allow admins:
ALTER DATABASE MyDATABASE SET RESTRICTED_USER WITH ROLLBACK IMMEDIATE
so you could kick everyone off, make your changes, and then set the mode back
ALTER DATABASE MyDATABASE SET MULTI_USER
Currently, I go into each Database Role, and for each Securable I uncheck Select-Grant and check Select-Deny. That turns into quite a few check boxes. Then I reverse the process when I want to let them all in.
Is there a quicker, simpler method? I have a feeling I making this more complicated than needed.
Lowell
June 24, 2011 at 7:42 am
yes,, a database can be set to modes like RESTRICTED_USER (sysadmins) or SINGLE_USER, or you can even set the whole database to read only;
restricted_user doesn't just allow sysadmins, it also allows anyone who has db_owner on the database or dbcreator at the server access to the database while the database is set to restricted_user.
From MSDN
SINGLE_USER | RESTRICTED_USER | MULTI_USER
Controls which users may access the database. When SINGLE_USER is specified, only one user at a time can access the database. When RESTRICTED_USER is specified, only members of the db_owner, dbcreator, or sysadmin roles can use the database. MULTI_USER returns the database to its normal operating state.
June 24, 2011 at 7:53 am
Perfect.
That will work exactly like I need it to. None of the users are owners of anything, all I allow them to do is run Select statements on views I created for them.
Viewing 4 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply