Deny Update on Columns to ALL Users & Roles - sql

In SQL Server, I have a table where after a row has been inserted, several of the columns never need to be changed (yes it's possible this might change in the future, but unlikely or will be a rare event). I know that SQL server has column level permissions, and so I wanted to deny updated on these columns for all users, role, current and present. The T-SQL looks something like this:
DENY UPDATE ON dbo.<Table>(<Column1>,<Columns2>,etc) TO ______
However it appears that using this command, you have to always specify a user or role at the end. Is there a way to have it apply to all users current and future?
And yes, I AM WELL AWARE I can use a trigger to throw an error if the columns are changed after an update, or apply the DENY command to all existing users and roles and create a procedure for creating new users and roles that would create the new user/role and automatically apply the update, etc.
Before I consider any of those options, I would see if the DENY Update to all Users option can be done.
Thanks you!

Enrole all your SQL users in a default role, so that you can do a DENY on that role. For the future one, create a DDL trigger that fire CREATE USER and add it as a member of this role.

Related

Letting users "GRANT SELECT" without making them admins or giving them CONTROL permission

Background info:
I administrate a database in SSMS. I am the only administrator. I have users creating tables, and then they want to grant select permissions on those tables, to other users. But they are not allowed to do it because they are not administrators or have CONTROL permission on the schema.
Question:
How can I as an SSMS database administrator let users grant SELECT on tables they create to other users, without making them admins or giving them CONTROL permissions?
I would simply get users to create a table in their own schema along the lines of (SSMS syntax may be different, this is just meant to be illustrative):
create table select_access (
table_name varchar[50],
user_name varchar[50],
is_active varchar
)
Then have an admin job run periodically (every five or ten minutes, for example) and, for every applicable user, examine the entries in that table.
If there's an entry for a table not currently having the permission (with is_active set to Y), grant the permission. If there's an entry for a table currently having the permission (with is_active set to N), remove the permission.
That way, they have full control over select permissions on their tables without getting you involved.
To share a table, they just create it, add entries to select_access for each user they want to share it with, then wait for your job to run.
To disable, they just set the is_active field to N for the users they want to revoke access for and, again, wait for your job to run.
The use of is_active is just to make your life easier, as your only necessary source of information is just that table.
You could make it smarter by just letting them delete the row for the given user/table but then you'd have to process the table and all their tables that may have access granted but no longer have an entry in select_access.
Just make sure any table they grant permissions to is a table in their schema, not one of the system tables :-)

SQL Server permissions to only one table for specific users

I have a database with many users who have access to all tables within the DB. There is one table that I would like to restrict access to only a specific few users. So basically granting table access to some while removing table access to the rest. Any thoughts on best way to accomplish this?
You could always DENY SELECT to all users on that table, and then grant it by person for the few you do want to have access to it.
DENY Object Permissions (Transact-SQL)
This question may also help you: SQL Server : can you limit access to only one table

specific permissions to a table based on user

I am using SQL Server 2012.
I have a table which contains two columns. One is called Directory, the other UserName.
To explain my problem I think a simple example is easier.
So this table has 3 users. In the UserName column, only the 3 users, usernames can be entered plus one other entry called Default.
Directory UserName
C:\Blah Bob
C:\BlaF Brad
C:\BlaK Dave
C:\BlaPP Default
C:\Anoth Default
What I would like to know is if it is possible to allow only two of the users to be able to insert, delete records with the username Default and the other user to be able to only select the records with Default.
Is this possible?
Update
After doing some reading is it not possible to do this using an Instead of trigger? So in my understanding this trigger will fire before an insert, update or delete query is executed. So I was thinking in the trigger if could check the host pc (users on my team will only be using their computer) to see who it is trying to insert, update or delete and if its a user who doesn't have permission to edit the default list then exit the trigger and don't update the table. Or am I missing something?
Instead of giving users direct access to the table, give the first two users access to a stored procedure that inserts to the table, and only inserts "Default" for the username.
Give the third user access to a view (or stored procedure) that only selects records where username="Default".

how to change db user name and db group name in Sybase Anywhere 11

all!
I have a db with tables User and Group, which represent entities in some application. But at the same time there are database users and database groups with the same names. I need to anonymize the database. It's easy to change db tables, e.g. update User set "Name" = "John",... where Id = 100500
But what to do with db users and db groups?
My first thought was to drop user and that create a new one:
drop user John;
create user njoh identified by 'pswd' login policy "root";
But belonging to groups is lost in the approach.
Is there any kind of rename method for db users in Sybase Anywhere 11?
Also I don't know how to change last log-in time and comments for a db user.
The same problem with groups. I didn't try to 'drop groups', 'cause I don't know if there is a possibility in Sybase Anywhere 11.
Could anyone tell me the truth - does the problem have a solution?
No, there is no way to rename an existing user. You can certainly drop it and create a new user but like you said, any group memberships are lost, as are permissions granted on objects like tables and procedures.
The only way to change the last login time for a user is by logging in. You can change the comment on a user by using comment on user is '<string>'.
There is no drop group statement - a group in SQL Anywhere (versions 12 and older) is simply a user with "group authority", so to drop a group you would use revoke connect from <group name>.
Disclaimer: I work for SAP in SQL Anywhere engineering.

How to prevent database user deleting data from ALL tables by triggers

Hi Experts
How I can prevent database user deleting any data in tables using triggers?
I want just Admin delete Data from tables
Thanks
Umm take away that users permission? If you don't want them doing something, 'disallow' them that right... thats why we have permissions.
Here are details on how to revoke permissions:
http://msdn.microsoft.com/en-us/library/ms186308.aspx
Any particular reason you want to use triggers?
You could simply remove the DELETE permission from the users you want to restrict. Have a look at the "Permissions" section here: http://msdn.microsoft.com/en-us/library/ms189835.aspx
EDIT: Since you say you do want to use triggers (but I really think you should reconsider) you can create a table such as:
CREATE TABLE Restricted_Users
(
user_name VARCHAR(40) PRIMARY_KEY -- Use a size appropriate to your requirements
)
Create INSTEAD OF DELETE triggers on all your tables (that's going to be a chore) which checks for the USER_NAME() in the Restricted_Users table and if they EXIST you can call RAISERROR to cause the transaction to be rolled back and display a message to the user.
Remember you will have to maintain these triggers on all new tables added to the database as well as maintaining the list of users in the Restricted_Users table whenever you add/remove users from the database.
It would be a lot simpler to use the permission system available in SQL Server (it's what it's designed for) using roles with appropriate permissions set for the tables. Then, when adding new users you only have to assign them to the appropriate role and the delete permissions are handled for you.