What are min permission we need to truncate table ? Apart from DDLAdmin. And what is best pratice to give permission to the user to truncate the user on SQL 2008 R2
Truncate table documentation at books online here
Permissions
The minimum permission required is
ALTER on table_name. TRUNCATE TABLE
permissions default to the table
owner, members of the sysadmin fixed
server role, and the db_owner and
db_ddladmin fixed database roles, and
are not transferable. However, you can
incorporate the TRUNCATE TABLE
statement within a module, such as a
stored procedure, and grant
appropriate permissions to the module
using the EXECUTE AS clause. For more
information, see Using EXECUTE AS to
Create Custom Permission Sets.
MSDN:
The minimum permission required is
ALTER on table_name. TRUNCATE TABLE
permissions default to the table
owner, members of the sysadmin fixed
server role, and the db_owner and
db_ddladmin fixed database roles, and
are not transferable.
If you don't want to grant rights (which are excessive, really, and described in other answers) you can escalate permissions within a stored procedure...
CREATE PROC DoTruncate
WITH EXECUTE AS OWNER
AS
TRUNCATE TABLE Mytable
GO
And permission this instead with "normal" rights
Related
I think I'm missing something when it comes to grant alter table. I'm looking at the AWS docs
https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html
And they say I can grant alter table to a role. I've tried running grant alter table to user but that gives me SQL Error [0LP01]: ERROR: Grant/Revoke system privilege on User is not supported.. So, I'm confused on what exactly a role in redshift is and how it works. Using rows, could I grant a group of people alter table permissions on a single schema?
I think you are being crossed up by the fact the GRANT ALTER is for external datalake objects only. It has to do with modifying the external datastore and isn't meant for normal Redshift tables.
If memory serves the ability to ALTER a normal table is linked with DROP permission. Otherwise it is linked to table ownership.
You can grant "ALTER TABLE" in this way.
create role testingaltertablerole;
create user testingaltertableuser with password disable;
grant alter table to role testingaltertablerole;
grant role testingaltertablerole to testingaltertableuser;
At the moment, there's no way to grant this permission for a single table, AFAIK.
Is there a way I can grant truncate permission to a user without altering privileges in SQL Server?
The minimum permission required is ALTER on table_name. TRUNCATE TABLE permissions default to the table owner, members of the sysadmin fixed server role, and the db_owner and db_ddladmin fixed database roles, and are not transferable. However, you can incorporate the TRUNCATE TABLE statement within a module, such as a stored procedure, and grant appropriate permissions to the module using the EXECUTE AS clause.
CREATE PROCEDURE dbo.usp_Demo
WITH EXECUTE AS 'CompanyDomain\SqlUser1'
AS
SELECT user_name();
Source
You can go through this official documentation.
Create a test Login and User id then grant it execute permission on the stored procedure Truncate_Table_Loner. This id will be used to perform the truncate.
-- Grant Execute Permission
-- Setup ID on Database with Connect permission
USE master
GO
CREATE LOGIN [test_user_id] WITH PASSWORD = 'JustConnect123';
GO
USE TestSQL
GO
CREATE USER [test_user_id] FOR LOGIN [test_user_id];
GO
-- Grant Permission
GRANT EXECUTE ON dbo.Truncate_Table_Loner TO [test_user_id];
GO
I want a RoleGroup to have certain privileges on a specific column in a table ….the roleGroup not DB owner :
grant SELECT, INSERT ,UPDATE (colOne) on table schemaOne.tableOne
to roleGroup;
When I want alter default privileges of this column (to include future users), I get ERROR saying can’t alter default privileges of one column only :
alter default privileges for role DB_OWNER in schema schemaOne grant
select,insert,update(colOne) on table schemaOne.tableOne to
roleGroup;
which forced me to do this :
Alter Default priviliges for role DB_OWNER in schema schemOne grant
select,insert,update to roleGroup ;
what’s the point of the first grant then ?!! Or am I making some mistake ?
The whole question is a bit unclear as both of your statements are syntactically incorrect.
GRANT grants privileges on existing objects, while ALTER DEFAULT PRIVILEGES defines what privileges will automatically be granted to objects created in the future. So the scope of these statements does not overlap, but they complement each other.
I guess you misunderstood that point, otherwise you wouldn't try to ALTER DEFAULT PRIVILEGES on an existing table.
A valid form would be:
ALTER DEFAULT PRIVILEGES FOR ROLE db_owner IN SCHEMA schemaone
GRANT INSERT, SELECT, UPDATE ON TABLES TO rolegroup;
This will grant the privileges on all tables created in that schema by db_owner in the future.
The title of your question suggests that you are wondering why you cannot use ALTER DEFAULT PRIVILEGES to grant privileges on columns.
The likely answer is that not all future tables need to have a column colone, and what should happen with tables that don't have a column of that name. You might argue that no privileges should be granted in that case, and I guess that is a valid option. But it seems hard to come up with a use case for that, which may explain why nobody has considered implementing such a feature so far.
Alternatively, your desire could be that a column that will be added to an existing table in the future should automatically receive the privileges, but again I don't consider such a feature as very useful.
How do I Grant drop permission of stored procedure in SQL Server to user via script?
I tried the following, but it does not work
use XpressFeed_Dev
GRANT DROP ON procedure::getPartyDuns TO "INT\svc-w-corerefdata-de";
use XpressFeed_Dev
ALTER AUTHORIZATION ON [getPartyDuns] TO "INT\svc-w-corerefdata-de";
Permissions
Requires CONTROL permission on the procedure, or ALTER permission on
the schema to which the procedure belongs, or membership in the
db_ddladmin fixed server role.
DROP PROCEDURE (Transact-SQL)
So the minimum permission of all mentioned above is control on a procedure because after it will be dropped the user will have no additional permissions
GRANT CONTROL ON object::getPartyDuns TO [INT\svc-w-corerefdata-de];
You must specify schema before the procedure name - like this:
GRANT DROP ON procedure::XpressFeed_Dev.getPartyDuns TO [INT\svc-w-corerefdata-de];
ALTER AUTHORIZATION ON XpressFeed_Dev.[getPartyDuns] TO [INT\svc-w-corerefdata-de];
I am managing a database that has a number of schemas. I am having some difficulty with setting privileges and would like to request some help.
I have the schema called schemaA and a group_role db_writer
I use the following sql:
GRANT USAGE ON SCHEMA schemaA TO db_writer;
GRANT UPDATE, INSERT, SELECT, DELETE ON ALL TABLES IN SCHEMA schemaA TO db_writer;
However, the db_writer is unable to create views. They are returned with a permission denied error. Also, when I create views, she is then unable to select them...and I have to set the priviliges again for that view.
It was my understanding the views were treated as tables with respect to privileges...and if one is granted certain permissions to all tables in a schema this would apply to views also.
What am I missing? Any advice appreciated.
The problem is USAGE does not allow users to create objects within the database.
Try
GRANT USAGE, CREATE ON SCHEMA schemaA TO db_writer
Edit:
New objects will get default privileges, for the user to have those privileges for objects created in the future you can do it as:
ALTER DEFAULT PRIVILEGES IN SCHEMA schemaA GRANT UPDATE, INSERT, SELECT, DELETE ON TABLES TO db_writer;
ALTER DEFAULT PRIVILEGES IN SCHEMA schemaA GRANT SELECT ON TABLES TO db_reader;
Check this answer for more info