I have a database with multiple (10) schemas. I need a user to have access to two of them. If I grant access to the database and then GRANT SELECT to 2 schemas, is access to the other schemas DENY-ed by implication? Or must I grant permissions to those schemas and then DENY SELECT to the rest of them?

asked May 31, 2018 at 21:50

1 Answer

3

You should create roles and grant access to roles rather than granting users access directly to the schema.

Once you assign permissions to the role, you can just add users to the role. This way you don't have to manage permissions for individual users. The users inherit the permissions granted to the role.

-- Create the database role
CREATE ROLE TableSelector AUTHORIZATION [dbo]
GO
-- Grant access rights to a specific schema in the database
GRANT SELECT, INSERT, UPDATE, DELETE, ALTER
ON SCHEMA::dbo
TO TableSelector
GO
-- Add an existing user to the new role created
EXEC sp_addrolemember 'TableSelector', 'MyDBUser'
GO
-- Deny a specific right on the schema to the role
-- (DENY overrides any GRANT; it is not the same as REVOKE, which only removes a GRANT)
DENY ALTER -- you can customize here ...
ON SCHEMA::dbo
TO TableSelector
GO

See my answer to: Setting user permissions for different SQL Server schemas

answered May 31, 2018 at 22:00
4
  • 1
    Note REVOKE and DENY are different. REVOKE removes a GRANT, DENY overrides it. So you can GRANT the whole schema and DENY one table, but not REVOKE it. Commented May 31, 2018 at 22:07
  • As an Accidental DBA I sincerely appreciate this advice, but my base question remains unanswered. Does the "Principle of Least Privilege" apply here, or do I totally misunderstand the concept? Let me rephrase. Using the example above, if I grant SELECT to 'TableSelector' for one schema, is access to the other schema denied? Or do I need to explicitly DENY access to those schema? Commented Jun 1, 2018 at 13:47
  • 1
    If you grant select on one schema then the role won't have access to other schemas. Commented Jun 1, 2018 at 14:08
  • Thanks Kin, I sincerely appreciate this. I will be implementing the roles as you suggest. Commented Jun 1, 2018 at 15:53
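The following T-SQL is an added example, not part of the answer or comments above, that demonstrates both points made in the thread: a GRANT scoped to one schema gives a role nothing on any other schema (no DENY needed), and DENY is only required when some broader GRANT, here membership in db_datareader, would otherwise let the same user in. The schema, table, role and user names (Sales, HR, ReportReader, ReportUser) are invented for the demonstration and assume a scratch database you own.

```sql
-- Added example (not from the original answer). Run in a throwaway database.
-- Sales and HR, ReportReader and ReportUser are made-up names for this demo.
CREATE SCHEMA Sales;
GO
CREATE SCHEMA HR;
GO
CREATE TABLE Sales.Orders   (OrderId    int PRIMARY KEY, Amount money);
CREATE TABLE HR.Salaries    (EmployeeId int PRIMARY KEY, Salary money);
GO

-- Role gets SELECT on ONE schema only; nothing is granted or denied on HR.
CREATE ROLE ReportReader AUTHORIZATION dbo;
GRANT SELECT ON SCHEMA::Sales TO ReportReader;
GO

-- A login-less user is enough to test effective permissions via impersonation.
CREATE USER ReportUser WITHOUT LOGIN;
ALTER ROLE ReportReader ADD MEMBER ReportUser;
GO

-- Check 1: with only the schema-scoped GRANT, the other schema is unreachable.
EXECUTE AS USER = 'ReportUser';
SELECT
    HAS_PERMS_BY_NAME('Sales.Orders', 'OBJECT', 'SELECT') AS can_read_sales,
    HAS_PERMS_BY_NAME('HR.Salaries',  'OBJECT', 'SELECT') AS can_read_hr;
SELECT COUNT(*) AS sales_rows FROM Sales.Orders;   -- allowed by the schema GRANT
-- SELECT COUNT(*) FROM HR.Salaries;               -- would fail: SELECT permission denied
REVERT;
GO

-- Check 2: a broader GRANT elsewhere (db_datareader = SELECT on the whole database)
-- now makes HR readable, and only an explicit DENY takes it away again.
ALTER ROLE db_datareader ADD MEMBER ReportUser;
GO
EXECUTE AS USER = 'ReportUser';
SELECT HAS_PERMS_BY_NAME('HR.Salaries', 'OBJECT', 'SELECT') AS can_read_hr_via_datareader;
REVERT;
GO
DENY SELECT ON SCHEMA::HR TO ReportReader;        -- DENY wins over the db_datareader GRANT
GO
EXECUTE AS USER = 'ReportUser';
SELECT HAS_PERMS_BY_NAME('HR.Salaries', 'OBJECT', 'SELECT') AS can_read_hr_after_deny;
REVERT;
GO

-- Clean up the demo objects.
ALTER ROLE db_datareader DROP MEMBER ReportUser;
ALTER ROLE ReportReader  DROP MEMBER ReportUser;
DROP USER ReportUser;
DROP ROLE ReportReader;
DROP TABLE Sales.Orders;
DROP TABLE HR.Salaries;
DROP SCHEMA Sales;
DROP SCHEMA HR;
GO
```

Check 1 returns 1 for Sales and 0 for HR, which is the "denied by implication" behaviour asked about in the question: absence of a GRANT is already a refusal, so no DENY is needed for the other eight schemas. Check 2 shows the case where DENY does matter: once ReportUser also belongs to db_datareader, HR becomes readable (1) until the DENY on the role brings it back to 0, because a DENY anywhere in a principal's permission chain overrides a GRANT from any other path. HAS_PERMS_BY_NAME under EXECUTE AS USER is a convenient way to audit such a role without logging in as the user.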
