
How to permit a SQL Server user to insert/update/delete data, but not alter schema?

My application (C#, ASP.Net) needs to insert, update and delete data in the DB, and run stored procedures. I need to prevent it from modifying the DB schema - no altering tables, creating or dropping, no changes to stored procedures.

What permissions combination do I need to grant to the application user? Just 'select' isn't going to work, because it needs to insert/update/delete data in tables.

How do I check permissions and access for a particular login? How do I grant or deny permissions and access for a login? I need to give permissions to a new user (login) to access only one database.

Using SQL Server 2008 R2, with SSMS.

jprusakova asked Jun 18 '12 16:06


1 Answer

If you really want to control this at the object level, you can do:

GRANT SELECT,UPDATE,INSERT,DELETE ON dbo.table TO user; 

At the schema level:

GRANT SELECT,UPDATE,INSERT,DELETE ON SCHEMA::dbo TO user; 

Ideally, though, you would not allow ad hoc DML against your tables, and control all DML through stored procedures. In which case you just need to grant exec on the procedure itself, and not to the objects it touches:

GRANT EXEC ON dbo.procedure TO user; 

Similarly if you want to allow exec on all procedures in a specific schema, you can say:

GRANT EXEC ON SCHEMA::dbo TO user; 

The one exception is when your stored procedure composes dynamic SQL. In those cases you might still need to apply permissions to the underlying tables in the context of the dynamic SQL execution, or you may be able to use EXECUTE AS OWNER.

Aaron Bertrand answered Sep 23 '22 16:09
