I am currently limiting permissions of some database users.
The issue is this, Once I remove db_owner permission from some users,they no longer have access to execute stored procedures.
How do you grant permission to a database user to be able to execute stored procedure without making the user a db_owner ?
Assuming you are using SQL Server, you can just grant the EXECUTE permission to this user as:
GRANT EXECUTE ON YourProc TO User;
Btw, db_owner is a database ROLE in SQL Server, not a permission.
For more information visit GRANT Object Permissions
Related
I am granting permission on some objects to my user in a database, Is there any way to grant permission to user without using database role?
I can easily do it by creating database role, but I do not want to use role.
I assigned some objects to my user by Database User, in Securables tab, it didn't work!
create user [user_test] for login [login_test]
create role role_test authorization user_test
exec sp_addrolemember 'role_test', 'user_test'
grant select on object::dbUser.tbl_05 to role_test
I expected I could grant permission to my user and not to use Database Role.
You have (at least) 2 options here, you can assign the permission straight to your DB user (as mentioned in the comment) or you can grant permission on a certificate, which might give you better control in a production environment.
What least privileges are required by a user to view all database users? I have tried granting
SELECT/ALTER on sys.database_principals TO TestUser
at the database level but no luck. I have also tried granting
VIEW SERVER STATE/VIEW ANY DATABASE for TestUser login
and no luck. The only way I made work to assign syadmin server role to the TestUser Login, but certainly I don't wand to do that. I am using SQL server 2014.
I have 2 database users called SQLUser1 and SQLUser2. How can I grant INSERT permission to SQLUser2 at database level using SQLUser1?
After reading about database membership roles, I think I can achieve the solution by playing with memberships of SQLUser1. Can it be solved by giving db_securityadmin and db_accessadmin to SQLUser1?How can I control permissions of one user by another user in database level?
Any help appreciated.
Thanks,
Deeps
You must grant all/specific privilege to SQLUser1 with grant option as sa (sys admin or other higher privileged user). Then SQLUser1 will become eligible to grant privilege to SQLUser2 as outlined below
GRANT ALL TO SQLUser1 WITH GRANT OPTION
You need not to assign ALL privilege to SQLUser1. Even SQLUser1 can have only INSERT permission but WITH GRANT OPTION make him eligible to grant the same permission to other user.
Then as SQLUser1 grant specific privilege to SQLUser2
GRANT INSERT TO SQLUser2
You can do the above mentioned steps using GUI (SSMS) as well.
For more information on GRANT see HERE
you need to use a user which is db_owner.
Select the user2 and click Properties, then user mappings... using SQL Server Management Studio.
Problem
I have a SQL Server login that is allowed to create stored procedures, but not execute them. I cannot use another login to grant execute so I am looking for an alternative way to either run the code in the sp or to grant these permissions.
The EXECUTE permission was denied on the object 'sp_mystoredprocedurename', database 'mydatabasename', schema 'dbo'.
The user cannot grant execute to itself
Cannot grant, deny, or revoke permissions to sa, dbo, entity owner, information_schema, sys, or yourself.
Background
We have a Windows software application, written in Powerbuilder, that creates and updates the SQL Server database it works on itself.
On first startup the application prompts for a database admin login which it uses 1 time (we don't store this information) to create the database and a login. The login is given db_ddladmin, db_datareader and db_datawriter permissions. We currently have hundreds of these applications and databases running on servers managed by us, but also on our customers' own servers.
For this reason I would do anything to prevent the need to ask the user for a db admin login again so I can grant the execute permissions, which would be the easiest way... Downgrading all servers to SQL Server 2000 is of course also not an option :)
The stored procedure I am trying to implement is a "getnewid" method. Currently my Powerbuilder code uses multiple embedded TSQL statements to achieve this but because of network performance issues I would like to move these to a single stored procedure.
Does this help ?
CREATE ROLE db_executer
GRANT EXECUTE to db_executer
EXEC sp_addrolemember N'db_executer', N'<username>'
Try this.
GRANT EXECUTE ON sp_OACreate to UserLogin
GO
I am creating some users on SQL server but I am a little confused as to whether I grant "alter any login" or "alter any linked server" to my LOGIN or to the USER account?
As you all know, on SQL server, you create users in this order:
Create LOGIN sysUser1 (in master db)
Create USER myUser1 for LOGIN sysUser1 (in users db)
CREATE SCHEMA myUser1 AUTHORIZATION myUser1
then, run sp_addrolemember for myUser1 as needed
then, do grants
I am confused as to whether I should:
grant alter any login to myUser1
or
grant alter any login to sysUser1
Can anyone clarify? Am I thinking of this incorrectly?
ALTER LOGIN is a server level permission, so you can't grant it to database users. You need to grant it to sysUser1 in your case.
See http://msdn.microsoft.com/en-us/library/ms186717.aspx
Edit: Dito for linked server.
Logins and Linked Servers are both objects that exist at the instance level, as opposed to at the database level, so these permissions both need to be applied to the login, rather than the user.
If you are using SQL Server 2012, then it is possible to create you own Instance level roles, but in 2008 and below, you are rrestricted to the built in server roles.
There is a server role called setupadmin that lets members manage linked servers.