I'm looking to GRANT all sorts of CREATE statements on specific schemas in my DB for specific members of a role;
Here's my current setup, I have:
Schema A
Schema B
Role A
Role B
SQL Login A
SQL Login B
Schema A is owned by Role A;
SQL Login A is a member of Role A;
Schema B is owned by Role B;
SQL Login B is a member of Role B;
I'm looking to GRANT CREATE TABLE + CREATE VIEW + CREATE PROCEDURE on Schema A, only to members in Role A and same CREATE statements on Schema B, only to members in Role B. SQL Login B can't CREATE on Schema A.
I've tried the following but I keep stuck as SQL Login B keeps being able to CREATE on Schema A:
ALTER AUTHORIZATION ON SCHEMA::[Schema A] to [Role A];
GRANT CREATE TABLE, CREATE VIEW, CREATE PROCEDURE, CREATE SCHEMA TO [Role A];
What am I missing?
Related
We have a azure based SQL Server instance that we are wanting to create a user who would only have SELECT access to two tables on a database that has many more tables. Is this possible? If so is there a guide I can follow to accomplish this?
Restrict user to certain tables in SQL
You can use the SQL GRANT statement to grant SQL SELECT, and other privileges on tables.
CREATE USER demouser
WITH PASSWORD = 'demopa#ssword1234';
GRANT SELECT ON dbo.student TO demouser
GRANT SELECT ON dbo.Airlines TO demouser
execute as user = 'demouser'
select * from student
select * from Airlines
REVERT;
Execution
Granted SELECT permission to user demouser on Airlines and student table.
demouser user has no access to mydata table
I have created a table 'T' under user 'SYS'. Now I want to view the contents of the same table 'T' under another user 'JACH'. I have granted the select privileges' on table 'T' to user 'JACH'. But when I try to view the table under 'JACH', it says table doesn't exist. How do I view the table data under user 'JACH'?[Logged in as user 'SYS']
[Logged in as user 'JACH']
You need to schema qualify your select statement.
If a table is created under SCHEMA1 and you wish to query it while connected to SCHEMA2, assuming that SCHEMA2 has been granted SELECT/READ privileges properly, you should be able to query the table while connected to SCHEMA2 like this:
SELECT * FROM SCHEMA1.TABLE_NAME;
I have restricted select access at table level for 1 single table 'A'in sql server(2016).
But users are able to access views which are created top of that table 'A'.
when users run select statement on table 'A'(select * from table 'A')users are getting 'select permission is denied on object table 'A' ' message.
when users run select statement on view (select * from view 'A') users are able to access all data.
Users are able to create new views by writing select statement on table 'A'.
How can i restrict users to access table 'A' from views as well.
This is expected behavior due to ownership chaining. Permissions on tables referenced by the view are not checked as long as the view and tables have the same owner (AUTHORIZATION).
To break the ownership chain, you could either move the table to a different schema (owned by a different user than the view schema) or change to owner of the table. Examples below.
--move table to different schema
CREATE USER RestricedTablesOwner WITHOUT LOGIN;
GO
CREATE SCHEMA RestricedTables AUTHORIZATION RestricedTablesOwner;
GO
ALTER SCHEMA RestricedTables TRANSFER dbo.A;
GO
--change table to different owner, retaining same schema
ALTER AUTHORIZATION ON OBJECT::dbo.A TO RestricedTablesOwner;
I have a hive db 'common' where 5 users create tables (HDP2.1). Is it possible to automate GRANT SELECT on any new table created in this DB by user1 to role1 (not the entire DB).
I want to assign select permission to a user, for all tables, and I need this permission work for every table which will be added to database.
I can assign select permission to my user (data_reader) for all tables which are currently in database, by executing my code result:
select 'grant select on object::'+s.name+'.'+t.name+' to data_reader'
from sys.schemas s
inner join sys.tables t on s.schema_id=t.schema_id
my problem is, if any table added to database I have to execute grant select on that table for data_reader, so it may be forgotten.
I searched a lot, but I couldn't find a way to grant select to all tables in all schemas to my user, forever.
If all your tables are in the dbo schema then this would be :
GRANT SELECT ON SCHEMA :: [dbo] TO specialrole
and try it :
GRANT { { schemaPrivileges | SELECT [ PRIVILEGES ] } ON { SCHEMA <schema_name> | ALL SCHEMAS IN DATABASE <db_name> }
| { schemaObjectPrivileges | SELECT [ PRIVILEGES ] } ON FUTURE <object_type>S IN SCHEMA <schema_name> }
TO [ ROLE ] <role_name> [ WITH GRANT OPTION ]
It is enough to give the rights db_datareader in the mapping to the desired database:
USE [DBName]
GO
ALTER ROLE [db_datareader] ADD MEMBER [user_name]
GO
I check this problem on SQL Server 2017
I create a login with Stack Name and map to Data Base User without any permission
Then i grant Select permission to user
grant select to Stack;