Schemas permission in SQL DB

Question 1

I am a fresh admin in SQL DB and I need to learn how to establish the security settings in SQL DB. I have encountered an issue that is somehow unclear or even weird for me.

I know that if one user has Fixed Database-Level Roles db_datareader, he or she can perform "SELECT" on all user tables in DB. https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles

But in my SQL DB, even the user which has already been added to that role can not perform "SELECT" on any table/view unless the "SELECT" permission is explicitly granted in "Schemas settings" which implies db_datareader role does not work at all.

Could anyone please give me advice on this? Many thanks

Question 2

Either deny is active or you could have synonym in place. If you could elaborate the issue with example, one could help.

Question 3

@Learning_DBAdmin It cannot be DENY because he says "unless the "SELECT" permission is explicitly granted", it there was DENY in place it could not be bypassed by any SELECT granted

Question 4

@Hongnam What do you mean by saying "schemas settings"?

Question 5

these are the standard permission:

enter image description here

for this mapped user settings:

enter image description here

you have in place some kind of deny for your users.

Question 6

One more time: if there was "some kind of deny", it could not be bypassed by granting explicit SELECT, DENY will always win.

Question 7

Right! Deny wins above grant

Question 8

So if he says " unless the "SELECT" permission is explicitly granted" there is no DENY...

Question 9

The answer to your question is in the result of following code:

execute as user = 'your_user'
select *
from sys.user_token
where principal_id <> USER_ID()
revert

Please update your question with the result where 'your_user' is problematic user

MBuschi MBuschi 5,1361 gold badge6 silver badges18 bronze badges · Answer 1 · 2021-01-11 06:55:59Z

1

these are the standard permission:

enter image description here

for this mapped user settings:

enter image description here

you have in place some kind of deny for your users.

Share

Improve this answer

answered Jan 11, 2021 at 6:55

MBuschi's user avatar

MBuschi MBuschi

5,1361 gold badge6 silver badges18 bronze badges

3

One more time: if there was "some kind of deny", it could not be bypassed by granting explicit SELECT, DENY will always win.

sepupic
– sepupic

2021年01月14日 13:51:43 +00:00
Commented Jan 14, 2021 at 13:51
Right! Deny wins above grant

MBuschi
– MBuschi

2021年01月14日 15:00:02 +00:00
Commented Jan 14, 2021 at 15:00
So if he says " unless the "SELECT" permission is explicitly granted" there is no DENY...

sepupic
– sepupic

2021年01月14日 15:03:28 +00:00
Commented Jan 14, 2021 at 15:03

Add a comment |

sepupic sepupic 11.3k18 silver badges27 bronze badges · Answer 2 · 2021-01-14 13:54:18Z

The answer to your question is in the result of following code:

execute as user = 'your_user'
select *
from sys.user_token
where principal_id <> USER_ID()
revert

Please update your question with the result where 'your_user' is problematic user

Stack Exchange Network

Schemas permission in SQL DB

2 Answers 2

Your Answer

Sign up or log in

Post as a guest

Post as a guest

Hot Network Questions

Schemas permission in SQL DB

2 Answers 2

Your Answer

Sign up or log in

Post as a guest

Post as a guest

Related

Hot Network Questions