May 6, 2016 at 2:37 pm
For a given role 'dev_role', I'm trying to be restrictive to SELECT and VIEW DEFINITION for a particular schema 'foo', but otherwise, I wish to confer GRANT ALTER to dev_role.
How can I make schema 'foo' restrictive for dev_role while retaining ALTER permissions across the database apart from 'foo'?
grant alter to dev_role;
grant select, view definition on schema::foo to dev_role;
This lets me do the following, which I don't want:create table foo.bar (i int);
If I subsequently use: deny control on schema::foo to dev_role...then I'm rather unsurprisingly unable to run the following:select * from foo.mytableI must be missing something basic, but thus far no joy...
- John
May 10, 2016 at 2:57 pm
Me think know ansur:
Not quite what I was going for to begin with, but these 2 solutions are probably more sensible than [font="Courier New"]GRANT ALTER to dev_role[/font]:
Solution 1 (no explicit GRANTs to schema 'foo' necesssary):
GRANT SELECT, VIEW DEFINITION to dev_role
GRANT CONTROL on schema::dbo to dev_role
Solution 2 (only schema-specific permissions):
ALTER AUTHORIZATION on schema::foo TO db_ddladmin
GRANT SELECT, VIEW DEFINITION on schema::foo to dev_role
GRANT CONTROL on schema::dbo to dev_role
AFAICS, either of these will lock down schema 'foo' as initially intended, while permitting liberal permissions on the default 'dbo' schema.
Took some head-scratching and brick-wall acquaintances to get there, but these are making sense to me unless anyone sees holes with this approach...
May 10, 2016 at 11:58 pm
Looks like those may work. Have you tried them, yet?
--Jeff Moden
Change is inevitable... Change for the better is not.
May 11, 2016 at 3:43 pm
Thanks for eyeballing this Jeff.
Yes, when executing within the context of the 'dev_role' role the following 2 statements fail as intended:create table foo.bar (i int);
execute as user = 'dbo';
And the following 2 succeed as intended:create table dbo.bar (i int);
select * from foo.readonlytable;
So, short of an exhaustive security audit or setting up a full-blown array of tests, I think dev_role meets the requirements. Permissioning schemes tax the old noggin right quick!
Cheers,
John
May 11, 2016 at 8:37 pm
Very cool, John. That's awesome. Thanks for posting what you tried and done. Really appreciate it.
--Jeff Moden
Change is inevitable... Change for the better is not.
May 11, 2016 at 8:38 pm
Hey! As a bit of a sidebar, something like this would make a great "SQL SPACKLE" article. You should take up the pen and submit an article.
--Jeff Moden
Change is inevitable... Change for the better is not.
May 12, 2016 at 9:21 pm
Thanks for the vote of confidence Jeff - taking up the pen on the topic of permissions is something I'll have to deliberate over. Hopefully I can find some time to follow through on that and come up with a draft that's spackle-worthy : )
Cheers,
John
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply