Reputation: 396
How can I manage stored procedure rights of the role in SQL Server
I want to create three SQL Server database roles.
- That can CREATE, ALTER and EXECUTE all stored procedures in database
- That can only EXECUTE all stored procedures in database
- That have no access to any stored procedures in database
I have created the roles, but I'm facing issues while REVOKE their permissions.
I have executed
REVOKE CREATE PROCEDURE TO [ROLE NAME]
to revoke the permissions to create the procedure and it executed successfully.
But I got error while executing this statement:
Error: Incorrect syntax near 'ALTER'.
I am very new to SQL server role rights so I might be completely wrong with my approach.
Please guide me to achieve my goal in correct way.
Thanks
Upvotes: 0
Views: 4754
Answers (2)
Reputation: 89266
1) That can CREATE, ALTER and EXECUTE all stored procedures in database
That's the db_owner role, or the CONTROL permission on the database. Anyone with all those permissions can escalate their own privileges to a database-level admin. So don't try.
2) That can only EXECUTE all stored procedures in database
GRANT EXECUTE TO [SomeRole]
3) That have no access to any stored procedures in database
A user has no access to any stored procedure unless you grant permissisions or add them to a role that has permissions.
Upvotes: 0
Reputation: 95830
From the documentation Create a Stored Procedure:
Permissions
Requires CREATE PROCEDURE permission in the database and ALTER permission on the schema in which the procedure is being created.
Therefore just giving CREATE PROCEDURE on it's own won't allow you to create a procedure. In fact, giving a ROLE the CREATE PROCEDURE permission, and not ALTER on the schema will result in the below error:
The specified schema name "dbo" either does not exist or you do not have permission to use it.
There is no ALTER PROCEDURE permissions, therefore, for a member of a ROLE to be able to both CREATE and ALTER a PROCEDURE you would need to do:
GRANT CREATE PROCEDURE TO YourRole;
GRANT ALTER ON SCHEMA::dbo TO YourRole; --Replace with appropriate schema name
This, however, will also enable to user to ALTER anyprocedures on said schema. Ut also enable those in the role to ALTER other objects on the schema as well (such as tables) though.
If your ROLE has permissions to ALTER the procedures and you want to remove that, you would need to run the below:
REVOKE ALTER ON SCHEMA::dbo TO YourRole;
This will, as mentioned, also revoke their ability to ALTER any other objects on said schema.
Remember, REVOKE doesn't DENY, it simply means that the USER won't inherited that permission from that ROLE any more. If the USER has the permission from a different ROLE, or they have the permission themselves, they will be able to continue to use the permission. If you must stop a USER from performing an action, regardless of any other permissions, they must have the DENY permission.
Upvotes: 1
Related Questions
- How can I revoke all the permissions a role has in sql server?
- Grant role to exec stored procedures
- ASP.NET Role and Member Management
- In Oracle grant role to a user from within a procedure
- sp_addrolemember and sp_droprolemember - is there a 'sp_isrolemember'?
- SQL Server - Execute Stored Procedure Only Role
- Roles needed for executing Stored Procedure in SQL Server Authentication
- Grant only stored procedure rights for a user
- Stored procedure execution permission for a db-role
- Specific rights to GRANT, REVOKE or DENY on stored procedures