How do I Grant drop permission of stored procedure in SQL Server to user via script?
I tried the following, but it does not work
use XpressFeed_Dev
GRANT DROP ON procedure::getPartyDuns TO "INT\svc-w-corerefdata-de";
use XpressFeed_Dev
ALTER AUTHORIZATION ON [getPartyDuns] TO "INT\svc-w-corerefdata-de";
Permissions
Requires CONTROL permission on the procedure, or ALTER permission on
the schema to which the procedure belongs, or membership in the
db_ddladmin fixed server role.
DROP PROCEDURE (Transact-SQL)
So the minimum permission of all mentioned above is control on a procedure because after it will be dropped the user will have no additional permissions
GRANT CONTROL ON object::getPartyDuns TO [INT\svc-w-corerefdata-de];
You must specify schema before the procedure name - like this:
GRANT DROP ON procedure::XpressFeed_Dev.getPartyDuns TO [INT\svc-w-corerefdata-de];
ALTER AUTHORIZATION ON XpressFeed_Dev.[getPartyDuns] TO [INT\svc-w-corerefdata-de];
Related
Is there a way I can grant truncate permission to a user without altering privileges in SQL Server?
The minimum permission required is ALTER on table_name. TRUNCATE TABLE permissions default to the table owner, members of the sysadmin fixed server role, and the db_owner and db_ddladmin fixed database roles, and are not transferable. However, you can incorporate the TRUNCATE TABLE statement within a module, such as a stored procedure, and grant appropriate permissions to the module using the EXECUTE AS clause.
CREATE PROCEDURE dbo.usp_Demo
WITH EXECUTE AS 'CompanyDomain\SqlUser1'
AS
SELECT user_name();
Source
You can go through this official documentation.
Create a test Login and User id then grant it execute permission on the stored procedure Truncate_Table_Loner. This id will be used to perform the truncate.
-- Grant Execute Permission
-- Setup ID on Database with Connect permission
USE master
GO
CREATE LOGIN [test_user_id] WITH PASSWORD = 'JustConnect123';
GO
USE TestSQL
GO
CREATE USER [test_user_id] FOR LOGIN [test_user_id];
GO
-- Grant Permission
GRANT EXECUTE ON dbo.Truncate_Table_Loner TO [test_user_id];
GO
I hope you can help me with this.
We have an application that we need to restrict access to. The application will be using login TestApp.
I've been testing this using SQL Server Management Studio v 17.9.1 and we are using SQL Server 2016.
This Login will have access to all tables, stored procedures, views, functions and triggers within its own schema Test in the tatabase: Testing, and only to certain tables from dbo schema that we specify in the permissions of the TestAPP user.
I've used the following script to achieve that.
The problem we are having is that the Login can access all system views and stored procedures and we don't want this level of access (attached pictures enter image description here) enter image description here
This login shouldn't be able to do those under schema TEST.
Create, drop, alter tables from Test schema
Create, alter, drop views from Test schema
Create, alter, drop stored procedures from Test schema
We are trying to use Roles so that we don't have to specify each and every sys object that we want to deny access to.
I've created the Role [db_TestExecutor] and attached the role to the user. and then gave specific permissions for the dbo tables but still they can see all sys objects.
Used SQL code below:
USE [Testing]
GO
CREATE SCHEMA [Test] AUTHORIZATION [dbo]
GO
CREATE ROLE [db_TestExecutor]
GO
GRANT EXECUTE ON SCHEMA::Test TO [db_TestExecutor]
GO
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::Test TO [db_TestExecutor]
USE [mASTER]
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE [name] = 'TestApp')
BEGIN
CREATE LOGIN TestApp WITH PASSWORD=N'Password123', DEFAULT_DATABASE=[tempdb], DEFAULT_LANGUAGE=[British], CHECK_EXPIRATION=OFF, CHECK_POLICY=ON
END
USE [Testing]
GO
CREATE USER [TestApp] FOR LOGIN [TestApp]
GO
ALTER ROLE [db_TestExecutor] ADD MEMBER [TestApp]
GO
GRANT INSERT ON [dbo].[tblOrders] TO [TestApp]
GO
GRANT SELECT ON [dbo].[tblOrders] TO [TestApp]
GO
GRANT UPDATE ON [dbo].[tblOrders] TO [TestApp]
GO
GRANT SELECT ON [dbo].[test] TO [TestApp]
I expect the TestApp login to be able to see only objects from Test schema and only certain dbo tables.
Please see below the desired result:
Thank you very much for your help!
I'm currently working on an MVC5, EF6 project and needed a stored procedure for a piece of the project. I've written the stored procedure, and now when I try to use it within my code I get an error saying:
The EXECUTE permission was denied on object ....
Yet when I test the stored procedure in SQL Management Studio it let's me run the stored procedure just fine. I'm not really sure what to do to fix this as I've never come across this before.
First create an executor role and then grant exec permission to this role.Then make your user member of this role.
CREATE ROLE db_executor;
GRANT EXECUTE TO db_executor;
EXEC sp_addrolemember 'db_executor', 'user1'
Hopefully this is enough but in case you still have issue check the below.
The schema owner of SP and underlying objects should be the same for sql chaining permission to work.
Check schema owners by:
select name, USER_NAME(s.principal_id) AS Schema_Owner from sys.schemas s
To change the owner of an schema you can:
ALTER AUTHORIZATION ON SCHEMA::YOUR_SCHEMA TO YOUR_USER;
Examples:
ALTER AUTHORIZATION ON SCHEMA::Claim TO dbo
ALTER AUTHORIZATION ON SCHEMA::datix TO user1;
Finally if within your SP you are truncating a table or changing structure you may want to add WITH EXECUTE AS OWNER in your SP:
ALTER procedure [myProcedure]
WITH EXECUTE AS OWNER
as
truncate table etl.temp
Create a separate user role with access 'Execute' and then assign that to your current user. This is the best solution and helped me.
Please follow this link:
https://stackoverflow.com/a/26871428/6761105
I want a database user to have ALTER and EXECUTE permissions to a stored procedure. Do I need to grant those separately, or does granting ALTER allow the user to EXECUTE also?
e.g.
GRANT ALTER ON [STOREDPROC] TO [SP_USER];
GRANT EXECUTE ON [STOREDPROC] TO [SP_USER];
or just:
GRANT ALTER ON [STOREDPROC] TO [SP_USER];
(does ALTER imply EXECUTE?)
Thanks!
The short answer is: no, ALTER does not imply EXECUTE.
Slightly longer answer: there's a chart that says what permissions imply other permissions. Check it out!
https://msdn.microsoft.com/en-us/library/ms188371.aspx
What are min permission we need to truncate table ? Apart from DDLAdmin. And what is best pratice to give permission to the user to truncate the user on SQL 2008 R2
Truncate table documentation at books online here
Permissions
The minimum permission required is
ALTER on table_name. TRUNCATE TABLE
permissions default to the table
owner, members of the sysadmin fixed
server role, and the db_owner and
db_ddladmin fixed database roles, and
are not transferable. However, you can
incorporate the TRUNCATE TABLE
statement within a module, such as a
stored procedure, and grant
appropriate permissions to the module
using the EXECUTE AS clause. For more
information, see Using EXECUTE AS to
Create Custom Permission Sets.
MSDN:
The minimum permission required is
ALTER on table_name. TRUNCATE TABLE
permissions default to the table
owner, members of the sysadmin fixed
server role, and the db_owner and
db_ddladmin fixed database roles, and
are not transferable.
If you don't want to grant rights (which are excessive, really, and described in other answers) you can escalate permissions within a stored procedure...
CREATE PROC DoTruncate
WITH EXECUTE AS OWNER
AS
TRUNCATE TABLE Mytable
GO
And permission this instead with "normal" rights