Is there a way I can grant truncate permission to a user without altering privileges in SQL Server?
The minimum permission required is ALTER on table_name. TRUNCATE TABLE permissions default to the table owner, members of the sysadmin fixed server role, and the db_owner and db_ddladmin fixed database roles, and are not transferable. However, you can incorporate the TRUNCATE TABLE statement within a module, such as a stored procedure, and grant appropriate permissions to the module using the EXECUTE AS clause.
CREATE PROCEDURE dbo.usp_Demo
WITH EXECUTE AS 'CompanyDomain\SqlUser1'
AS
SELECT user_name();
Source
You can go through this official documentation.
Create a test Login and User id then grant it execute permission on the stored procedure Truncate_Table_Loner. This id will be used to perform the truncate.
-- Grant Execute Permission
-- Setup ID on Database with Connect permission
USE master
GO
CREATE LOGIN [test_user_id] WITH PASSWORD = 'JustConnect123';
GO
USE TestSQL
GO
CREATE USER [test_user_id] FOR LOGIN [test_user_id];
GO
-- Grant Permission
GRANT EXECUTE ON dbo.Truncate_Table_Loner TO [test_user_id];
GO
Related
I hope you can help me with this.
We have an application that we need to restrict access to. The application will be using login TestApp.
I've been testing this using SQL Server Management Studio v 17.9.1 and we are using SQL Server 2016.
This Login will have access to all tables, stored procedures, views, functions and triggers within its own schema Test in the tatabase: Testing, and only to certain tables from dbo schema that we specify in the permissions of the TestAPP user.
I've used the following script to achieve that.
The problem we are having is that the Login can access all system views and stored procedures and we don't want this level of access (attached pictures enter image description here) enter image description here
This login shouldn't be able to do those under schema TEST.
Create, drop, alter tables from Test schema
Create, alter, drop views from Test schema
Create, alter, drop stored procedures from Test schema
We are trying to use Roles so that we don't have to specify each and every sys object that we want to deny access to.
I've created the Role [db_TestExecutor] and attached the role to the user. and then gave specific permissions for the dbo tables but still they can see all sys objects.
Used SQL code below:
USE [Testing]
GO
CREATE SCHEMA [Test] AUTHORIZATION [dbo]
GO
CREATE ROLE [db_TestExecutor]
GO
GRANT EXECUTE ON SCHEMA::Test TO [db_TestExecutor]
GO
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::Test TO [db_TestExecutor]
USE [mASTER]
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE [name] = 'TestApp')
BEGIN
CREATE LOGIN TestApp WITH PASSWORD=N'Password123', DEFAULT_DATABASE=[tempdb], DEFAULT_LANGUAGE=[British], CHECK_EXPIRATION=OFF, CHECK_POLICY=ON
END
USE [Testing]
GO
CREATE USER [TestApp] FOR LOGIN [TestApp]
GO
ALTER ROLE [db_TestExecutor] ADD MEMBER [TestApp]
GO
GRANT INSERT ON [dbo].[tblOrders] TO [TestApp]
GO
GRANT SELECT ON [dbo].[tblOrders] TO [TestApp]
GO
GRANT UPDATE ON [dbo].[tblOrders] TO [TestApp]
GO
GRANT SELECT ON [dbo].[test] TO [TestApp]
I expect the TestApp login to be able to see only objects from Test schema and only certain dbo tables.
Please see below the desired result:
Thank you very much for your help!
How do I Grant drop permission of stored procedure in SQL Server to user via script?
I tried the following, but it does not work
use XpressFeed_Dev
GRANT DROP ON procedure::getPartyDuns TO "INT\svc-w-corerefdata-de";
use XpressFeed_Dev
ALTER AUTHORIZATION ON [getPartyDuns] TO "INT\svc-w-corerefdata-de";
Permissions
Requires CONTROL permission on the procedure, or ALTER permission on
the schema to which the procedure belongs, or membership in the
db_ddladmin fixed server role.
DROP PROCEDURE (Transact-SQL)
So the minimum permission of all mentioned above is control on a procedure because after it will be dropped the user will have no additional permissions
GRANT CONTROL ON object::getPartyDuns TO [INT\svc-w-corerefdata-de];
You must specify schema before the procedure name - like this:
GRANT DROP ON procedure::XpressFeed_Dev.getPartyDuns TO [INT\svc-w-corerefdata-de];
ALTER AUTHORIZATION ON XpressFeed_Dev.[getPartyDuns] TO [INT\svc-w-corerefdata-de];
I'm trying to allow a stored procedure for a user, but struggling to get it right. Hopefully I'm on the right track, thanks for the help.
GO
Alter role ReportDeveloper
Add sp_GetActiveProductInfo
GRANT EXECUTE ON ReportDeveloper TO employee_usr;
Grant permission to database role not user.
USE DB_NAME;
GRANT EXECUTE ON sp_GetActiveProductInfo TO ReportDeveloper;
GO
It rather should be like below per Documentation
USE DB_NAME;
GRANT EXECUTE ON OBJECT::sp_GetActiveProductInfo
TO employee_usr;
GO
You can do it as ;
USE databse;
GRANT EXECUTE ON sp_GetActiveProductInfo TO employee_usr;
GO
If you add this user to a Role you will Grant the permission to the Role where your user is member in :
USE databse;
GRANT EXECUTE ON sp_GetActiveProductInfo TO ReportDeveloper;
GO
Does the following command effectively give the user, "MyUser," permission to execute ALL stored procedures in the database?
GRANT EXECUTE TO [MyDomain\MyUser]
SQL Server 2008 and Above:
/* CREATE A NEW ROLE */
CREATE ROLE db_executor
/* GRANT EXECUTE TO THE ROLE */
GRANT EXECUTE TO db_executor
For just a user (not a role):
USE [DBName]
GO
GRANT EXECUTE TO [user]
SQL Server 2005 introduced the ability to grant database execute permissions to a database principle, as you've described:
GRANT EXECUTE TO [MyDomain\MyUser]
That will grant permission at the database scope, which implicitly includes all stored procedures in all schemas. This means that you don't have to explicitly grant permissions per stored procedure.
You can also restrict by granting schema execute permissions if you want to be more granular:
GRANT EXECUTE ON SCHEMA ::dbo TO [MyDomain\MyUser]
In addition to the answers above, I'd like to add:
You might want to grant this to a role instead, and then assign the role to the user(s).
Suppose you have created a role myAppRights via
CREATE ROLE [myAppRights]
then you can give execute rights via
GRANT EXECUTE TO [myAppRights]
to that role.
Or, if you want to do it on schema level:
GRANT EXECUTE ON SCHEMA ::dbo TO [myAppRights]
also works (in this example, the role myAppRights will have execute rights on all elements of schema dbo afterwards).
This way, you only have to do it once and can assign/revoke all related application rights easily to/from a user if you need to change that later on - especially useful if you want to create more complex access profiles.
Note: If you grant a role to a schema, that affects also elements you will have created later - this might be beneficial or not depending on the design you intended, so keep that in mind.
What are min permission we need to truncate table ? Apart from DDLAdmin. And what is best pratice to give permission to the user to truncate the user on SQL 2008 R2
Truncate table documentation at books online here
Permissions
The minimum permission required is
ALTER on table_name. TRUNCATE TABLE
permissions default to the table
owner, members of the sysadmin fixed
server role, and the db_owner and
db_ddladmin fixed database roles, and
are not transferable. However, you can
incorporate the TRUNCATE TABLE
statement within a module, such as a
stored procedure, and grant
appropriate permissions to the module
using the EXECUTE AS clause. For more
information, see Using EXECUTE AS to
Create Custom Permission Sets.
MSDN:
The minimum permission required is
ALTER on table_name. TRUNCATE TABLE
permissions default to the table
owner, members of the sysadmin fixed
server role, and the db_owner and
db_ddladmin fixed database roles, and
are not transferable.
If you don't want to grant rights (which are excessive, really, and described in other answers) you can escalate permissions within a stored procedure...
CREATE PROC DoTruncate
WITH EXECUTE AS OWNER
AS
TRUNCATE TABLE Mytable
GO
And permission this instead with "normal" rights