sqlserversdba

site for sql server DBA

How to Grant limited permissions to create views in another schema?

How to Grant limited permissions to create views in another schema?

In SQL Server 2005 and 2008R2 you can grant permissions at the schema level and, in fact, this is what you’ll need to do to give them the ability to create the views. 


This script below creates an example database along with a role to which we’ll assign the permissions to. Note that while I’m using the dbo schema, that’s only because there’s no logical schema name to use since this isn’t a real world example. Typically you would name your schema to group objects and the schema name should reflect what the grouping is.

For instance, Person or Product. As can be seen from the example, the LimitedCreatorRights role has the ability to create views in the database and select on tables and views that are located in the dbo schema.

CREATE DATABASE yourdb;
GO

USE yourdb;
GO

CREATE ROLE LimitedCreatorRights;
GO

GRANT CREATE VIEW TO LimitedCreatorRights;
GO

GRANT SELECT ON SCHEMA::dbo TO LimitedCreatorRights;
GO

CREATE USER TestUser WITHOUT LOGIN;
GO

EXEC sp_addrolemember ‘LimitedCreatorRights’, ‘TestUser’;
GO

CREATE TABLE dbo.ATest (TestID INT);
GO

One thing we’ve not given is the permission to create tables. In the following examples you will see that I am using the EXECUTE AS and the REVERT commands.

The EXECUTE AS allows you to still be logged in with sysadmin rights, but run these examples using the TestUser permissions and the REVERT returns permissions back to the original user.

So if a user that is a member of this role attempts to create a table in the dbo schema, it’ll fail:

USE yourdb;
GO

— This will fail, as TestUser doesn’t have CREATE TABLE permissions
EXECUTE AS USER = ‘TestUser’;
GO

CREATE TABLE dbo.ASecondTable (TestID INT);
GO

REVERT;
GO

Error Msg 262, level 14, state 1, line 2

Create table permission denied in database ‘yourdb’

And, in fact, so will the creation of a view:

— This will fail, as TestUser does have CREATE VIEW rights
— but does not have permission to alter the dbo schema
EXECUTE AS USER = ‘TestUser’;
GO

CREATE VIEW dbo.AView AS SELECT TestID FROM dbo.ATest;
GO

REVERT;
GO

Error Msg 2760, level 16, state 1, procedure Aview, line2

The Specified schema name dbo either does not exist or you don’t have permissions

The catch is that the TestUser must have the permission to modify the dbo schema. We can accomplish this by assigning that permission to a role the TestUser is a member of:

— Once permission is granted, re-run the previous CREATE VIEW statement. It will now succeed.

GRANT ALTER ON SCHEMA::dbo TO LimitedCreatorRights;
GO

Now, if you go back and re-run the CREATE TABLE and the CREATE VIEW statements above, you’ll see the CREATE TABLE statement fails (we didn’t give TestUser or any role it is a member of the permission to create a table), but the create view statement will succeed.

Create Table Fails: Error msg create table permission denied in database ‘yourdb’

Create View is Now Successful

, , , ,

Posted by:

almightyprakash

2 responses to “How to Grant limited permissions to create views in another schema?”

  1. Cody Avatar
    Cody

    I wasn’t sure from your post what type of user or environment this was modeled for, but I disagree that this provides “limited” permissions as ALTER is not a “limited” permission in any way; it is very much an elevated permission. Granting ALTER at the schema level is very, very risky because it allows the user to alter schema-owned objects in that schema. This would also be a red flag to an auditor (and a finding on an audit) as it adds a significant amount of risk to the integrity and availability of the asset, e.g., the data. I can’t think of a scenario in a production system housing valuable data where anyone other than the DBA should have the ability to ALTER database objects. If there is such a scenario where an auditor (internal or external) would allow this in an production system please let me know.

    In a development environment – maybe; in a production environment – no.

    Granting this permission at the schema level can also provide unintended access to the user (https://msdn.microsoft.com/en-us/library/ms187940.aspx). Per the link: “A user with ALTER permission on a schema can use ownership chaining to access securables in other schemas, including securables to which that user is explicitly denied access. This is because ownership chaining bypasses permissions checks on referenced objects when they are owned by the principal that owns the objects that refer to them. A user with ALTER permission on a schema can create procedures, synonyms, and views that are owned by the schema’s owner. Those objects will have access (via ownership chaining) to information in other schemas owned by the schema’s owner. When possible, you should avoid granting ALTER permission on a schema if the schema’s owner also owns other schemas.”

    Like

    Reply
    1. almightyprakash Avatar
      almightyprakash

      hi .. at the start i have mentioned that u can use different schema. and u can list down the object under that schema and give the permission on that schema .

      Like

      Reply

Leave a comment

About Me

I am a MS SQL DBA Admin, born And brought up in Mumbai . Done My engineering in Electronics And Telecommunications.

I started working In IT industry because of lack opportunity in telecommunication field. I joined this industry in 2011.

I have work with Different companies and with different clients  and with Different versions Of SQL server ranging from SQL server 2000 to SQL server 2019.

I am lucky enough to be surrounded by People who have strong knowledge in there domain who tends share there wisdom unlike many who just show off but don’t share any.  Taking a lesson from their behavior, I am sharing whatever I learn in My professional life.

Currently I am working with one of the prestigious organization LTI as Senior Infra Engineer.  Here we have very vast SQL environment. I am following SQL server blogs written by  many of the BIG SHOTS in the industry . and writing my own .

The posts on my blog features many of SQL server related data, tricks and updates .. I love sharing my experience, problems troubleshooting tips and ideas with you

and hopefully the result is that you…..  enjoy!

Recent Posts

Newsletter