SQL 2012 :: List Denied Permissions And Undo A DENY
Dec 18, 2014
1. A few months ago, I received a request to deny delete to a group (Windows AD login) against 3 databases. So I issued a DENY DELETE to the relevant Windows login.
2. Now, someone is having trouble updating data. The issue seems to be that a trigger fires during the update. In the trigger the code tries to delete from a table in the previously delete-denied databases. So the update fails.
-- In retrospect, perhaps I should have used REVOKE - not sure
-- Also, I can't seem to find a listing of the DENY permissions - or rather, how to list what permissions are denied. I guess maybe that is a hard thing to do if the result of a DENY is to leave certain permission columns NULL (vs adding 'DENY'). But it would be useful for me to see what the current permission state is.
-- Finally, I tried to undo the DENY without success. Here is my attempt.
a. I tried GRANT DELETE... - no luck
b. Then I saw an article explaining to use REVOKE, so I tried 'REVOKE DELETE' followed by 'GRANT DELETE' - still no luck.
View 3 Replies
ADVERTISEMENT
Oct 13, 2006
I have a customers table and a stored procedure for deleting records from this table. I connect to sql using a connection string with sql server authentication using a user I've set up in sql server. This user has roles public, db_datareader and db_datawriter and has permissions to execute all my custom stored procedures. Up to this point everything is fine and I can insert, update and delete. Happy days.
If I then select the permissions for the user and deny delete permission on the customers table I thought that because deny overrides everything else I could not delete a customer from my application. Much to my surprise, I can. Why is this?
View 2 Replies
View Related
Nov 9, 2007
SQL2K5 SP2
I€™m trying to lock down PCI sensitive data columns in some product databases
from our developers. We need developers to have data reader rights to the
production database to perform general maintenance and troubleshooting of the
application BUT minus the specific secured columns like credit card number,
etc.
I have a user role setup called RWE created by:
CREATE ROLE RWE
GRANT SELECT TO RWE
GRANT INSERT TO RWE
GRANT UPDATE TO RWE
GRANT DELETE TO RWE
GRANT EXECUTE TO RWE
A standard SQL user is placed inside this role allowing them full read,
write, and execute rights on everything in the DB which is fine.
BUT, now we want those same rights except for the sensitive data files so I
updated the rule with the following script:
DENY SELECT ON [dbo].[TableNameHere] ([strCC]) TO [RWE]
Logging in a developer and doing a SELECT * FROM TableNameHere throws a
permission error on the strCC column as expected, so far so good.
But, I did a SELECT * FROM ViewThatContainsField_strCC and shows them the
denied field. Oh, oh! I also did EXEC spStoredProcThatShows_strCC and again it
shows the denied credit card field. Again, oh, oh!
So, long story short, I€™m stuck. My understanding of SQL permissions, I was
under the understanding that placing a deny at the lowest level (column)
should throw errors in all methods of access that column (either by direct
select, or select through views, procs, etc).
Any suggestions or any hints on what I€™m missing here?
Thx ahead of time!
View 1 Replies
View Related
Feb 4, 2015
Is there a way to deny Security Permissions to a login that has sysadmin? Unfortunately I have to leave the user as sysadmin. I trying denying alter any login and control server but that didn't work.
View 3 Replies
View Related
Jun 4, 2008
Hi all, Is there any easy way to not allow a user to see system views? I have set up 1 view for a login, and I have to use an ODBC connection to access it. However, the 3rd party application I'm using is apparently timing out because of the number of tables/views that are returned. TIA! - Mark
View 2 Replies
View Related
Aug 19, 2015
We have a generic sql login "prduser". Applications use this login. We want the login NOT to have ALTER PROCEDURE and DROP PROCEDURE permissions only on the stored procedures(there are thousands of them).
View 17 Replies
View Related
Jun 18, 2015
I received an alert from one of my two secondary servers (all servers are running 2012 SP1):
File 'E:SQLMS SQL ServerMSSQL11.MSSQLSERVERMSSQLDATAMyDatabaseName_DateTime.tuf' is not a valid undo file for database 'MyDatabaseName (database ID 8). Verify the file path, and specify the correct file.
The detail in the job step shows this additional information:
*** Error: Could not apply log backup file 'MyDatabaseName_DateTime.trn' to secondary database 'MyDatabaseName'.(Microsoft.SqlServer.Management.LogShipping) ***
*** Error: Table error: Page (0:0). Test (m_headerVersion == HEADER_7_0) failed. Values are 0 and 1.
Table error: Page (0:0). Test ((m_type >= DATA_PAGE && m_type <= UNDOFILE_HEADER_PAGE) || (m_type == UNKNOWN_PAGE && level == BASIC_HEADER)) failed. Values are 0 and 0.
Table error: Page (0:0). Test (m_freeData >= PageHeaderOverhead () && m_freeData <= (UINT)PAGESIZE - m_slotCnt * sizeof (Slot)) failed. Values are 0 and 8192.
Starting a few minutes later, the Agent Job named LSRestore_MyServerName_MyDatabaseName fails every time it runs. The generated log backup, copy, and restore jobs run every 15 minutes.
I fixed the immediate problem by running a copy-only full backup on the primary, deleting the database on the secondary and restoring the new backup on the secondary with NORECOVERY. The restore job now succeeds and all seems fine. The secondaries only exists for DR purposes - no one runs reports against them or uses them at all. I had a similar problem last weekend on a different database that is also replicated between the same servers. I've been here for over a year, and these are the first instances of this problem that I've seen. However, I've now seen it twice in a week on the same server.
View 0 Replies
View Related
Aug 6, 2014
Just encountered something that I wasn't expected, in that a user who has an explicit deny on a column in a table was able to select it when referenced through a view in a schema they have the SELECT permission on. This seems to me to go against the principle that DENY overrides everything when it comes to permissions? Is this how it's meant to work?
Code is below:-
--create test user
CREATE USER TestDenyOnViewUser WITHOUT LOGIN
GO
--create test schema (authorization dbo - same owner as dbo schema so ownership chaining will apply)
CREATE SCHEMA TestDenyOnView AUTHORIZATION dbo
[Code] ......
View 6 Replies
View Related
May 31, 2007
Hi All,
I'm just upgrading my business database to SQL 2005 and hit a problem when executing a stored procedure in the msdb database. Error message reading "EXECUTE permission denied on object 'sp_delete_job'".
Obviously this message tells me that I do not have permissions to execute stored procedures in the MSDB database.
In SQL 2000 I never had to mess around with permissions on this database as the security was already pre-configured.
I'm still familiarising myself with SQL 2005 so rather than making a finger in the air guess I'd like to understand how SQL 2000 was configured and the best solution for resolving this in SQL2005.
I'm really after some advice/suggestions!
View 5 Replies
View Related
Jun 15, 2015
So at the moment, I don't have a function by the name CONCATENATE. What I like to do is to list all those different values that go with a single CASE_ID to appear as a a comma separate list. You might have a better way of doing without even writing a function
So the output would look like :
CASE_ID VARIABLE
=====================
1 [ABC],[HDR],[GHHHHH]
2 [ABCSS],[CCHDR],[XXGHHVVVHHH],[KKKJU],[KLK]
SELECT
preop.Case_ID,
dbo.Concatenate( '[' + CAST(preop.value_text AS VARCHAR) + ']' ) as variable
FROM
dbo.TBL_Preop preop
WHERE
preop.Deleted_CD = 0
GROUP BY
preop.Case_ID
View 8 Replies
View Related
Aug 31, 2000
I need to print a list of permissions granted for each Role, can someone tell me how to request the information using query analyzer?
View 1 Replies
View Related
Nov 29, 2007
Hi All,
For listing login details we have sp_helplogins 'LOGIN NAME'
In the same way i want ti know for particular procedure.
can any one help in this.
Thanks in advance.
malathi
View 4 Replies
View Related
Aug 16, 2004
I need to be able to set up a table listing users permissions, this needs to be run daily and then notify me of any changes without using the auditing or profiler software.
Any ideas?? :eek: :eek: :confused:
View 3 Replies
View Related
Oct 17, 2007
Hello,
Does anybody have the transact SQL to find the permissions granted to the public role in a Database ?
Also looking for the SQL to find the permissions granted to the user Guest in a database ?
thanks
View 5 Replies
View Related
Jun 3, 2014
Is there a query that I can run which will give me a list of users that have tried to use SQL resources for which they do not have permissions?
View 1 Replies
View Related
Jul 1, 2014
Under the maintenance plan, i run full backup at the same path and it was successful. The maintenance plan for selected database was run success.
BUT when i want to write the backup report "Write a report to a text file" i receive this error in maintenance plan "view history"
Access to the path 'F:MSSQL11.APPSPRDMSSQLBackupBackup LogCARSCARS DB Backup_Subplan_1_20140701200011.txt' is denied.
Basically i am using defaul NT service for SQL Agent
View 3 Replies
View Related
Apr 25, 2014
I removed MDS web UI which is working before and recreated. I enabled Window Authentication and Disabled Anonymous Authentication in IIS Authentication. I am getting Access denied when I view MDS web Site.
View 1 Replies
View Related
Aug 4, 2015
I found this script online..
SELECT prin.[name] [User], sec.state_desc + ' ' + sec.permission_name [Permission]
FROM [sys].[database_permissions] sec
JOIN [sys].[database_principals] prin
ON sec.[grantee_principal_id] = prin.[principal_id]
WHERE sec.class = 0
ORDER BY [User], [Permission];
but the results are this: 2 columns - User and Permission
User Permission
User1 GRANT CONNECT
User2 GRANT CONNECT
IS there a way in SQL Server (2005/2008/2012) to run a script against a Database that will show all users that have permissions to that Database and the type of permissions?
View 7 Replies
View Related
Jul 2, 2014
I have an availability group with read only replicas, readable secondary set to yes and allow all incoming connections. I have also configured the read only routing (at least I'm pretty sure this is correct).
If I login to SSMS with a user in the sysadmin role I can view the objects in the read only replica database. If I login with a user in the public role I'm unable to get past the obvious error:
"The database databaseA is not accessbile. (ObjectExplorer)"
I've also tried adding the "ApplicationIntent=ReadOnly" option.
View 4 Replies
View Related
Nov 19, 2014
I need to grant create cubes to developers, but if I include them into server administration role, then they could delete or modify all the databases.
Each developer require full administration on their own databases, but not other developer's databases.
View 0 Replies
View Related
Feb 24, 2015
We have a monitor tool to monitor our SQL servers.The vendor has a script to grant permission to application account to SQL server so that they can do the monitoring.
I don't want to grant system admin role, but the script they have is very specific, the minimum is:
must be a member of db_datareader role on the msdb database
must have view server state permissions
view any definition
connection permission to master database
execute permission on the xp_readerrorlog stored procedure
connect permission to the msdb database
must be member of db_Datareader role in the msdb datab ase
connect permission to all databases.
The script given by vendor is as follows in the attachment.I don't like the last execute statement for if a new database is created, we have to remember manually add the monitoring acccount to that database.
I know in SQL 2014 it has a new feature of connect to any database, but unfortunately we are using SQL 2012 and 2008.
script to connect to any database but no need to add that each time we creates a new database.
View 5 Replies
View Related
Feb 10, 2014
We've got 3 SQL Servers all SQL Server 2012. We have a Master server and 2 production servers (let's call them A and B). The Master has linked servers defined for both A and B in an identical way.
A and B both have the same databases and each has a Stored Proc that gets called by the Master server.
An SQL Agent job executes the stored proc on both A and B.
It works fine against A but not B.
If we execute the stored proc in a query window under our windows account (domainowner) it works, if we use SetUser to pretend to be the SQL Server Agent account (let's call it domainagent) A works and B doesn't.
Executing against B returns the error "Access to the remote server is denied because the current security context is not trusted."
domainagent is a sysadmin on both Server A and B.
Trustworthy is set to ON in both the Master Server Database it's executing from and the remote databases on both A and B.
All 3 databases have the same owner (let's call it domainowner).
View 5 Replies
View Related
Jan 15, 2015
I am logging into a SQL instance to run the following query:
DECLARE @ReturnCode int EXECUTE @ReturnCode = [master].dbo.xp_create_subdir N'sharemasterFULL' IF @ReturnCode <> 0 RAISERROR('Error creating directory.', 16, 1)
The share in which the folder is to be created has my account added with full permissions to create files. However this command fails unless I add the SQL Service account user with rights to the folder also.
Is this expected behaviour, is this something specific to extended stored procedures?
View 0 Replies
View Related
May 28, 2015
We have a process that uses the following method to move data quickly:
TableA = 600million records
TableB = 0 records
To "move" data from TableA to TableB
Rename TableA --> TableA_HOLD
Rename TableB --> TableA
Rename TableA_HOLD --> TableB
The problem with this is that after every rename, permission to the TableB is lost so we have to execute a statement to grant permission back to TableB after the process is complete.
My question is why is this necessary? Is the permission tied to the table in such a way that it can't use the name only?
View 9 Replies
View Related
May 29, 2015
I've got a Server setup at work on our RD domain
It's Windows 2012, running SQL Server 2012 with reporting Services
I've installed our application and reports to this server.
If I'm on my CORP domain on my development laptop I can enter the following into IE [URL] ...... and the SSRS reports page opens up fine
I then RDP into this server using my same CORP credentials Open IE on this server and enter the same URL within IE and get User 'CORPORATEjoep' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed.
I'm on the Server itself. Why does my account not work there, but when I access SSRS from outside this SERVER with same login, it works
View 1 Replies
View Related
May 6, 2014
Only to a specific schema? Can this be done?
View 5 Replies
View Related
Apr 28, 2015
I have stored procedures. I have heard that it is a best practice to use stored procedures to encapsulate some SQL statements and then grant permissions to execute the stored procedure. But when I try this and use EXECUTE AS to test it out, the user in question gets errors about not having access to some of the underlying objects.
How does this best practice work? If I need to grant the user permissions to the underlying objects anyway, I am not sure why a stored procedure is considered best practice in this regard.
View 8 Replies
View Related
Apr 17, 2015
I have a sql server 2012 server and I need to prevent the users from creating new schemas by mistake. Is there any way to revoke that permission alone but still letting the user to create their own objects in dbo (yes I know that shouldn't be in dbo but that is another issue).
View 2 Replies
View Related
May 13, 2015
I have a stored procedure which executes about forty other stored procedures in several different databases. All of these other procedures truncate tables and insert new data into those tables selected from still other tables.
I want to run this top-level procedure using an account which can't do anything else.
Is there a simple way to give it all the permissions it needs without empowering it to do anything else?
View 0 Replies
View Related
Feb 3, 2014
I have attached some test data for you that has two temp tables "#worker" and "#worker_rate".
The issue is to find all workers who are sharing SAME SET of rate_codes.
I'm able to get the output as "workers sharing same rate_codes", but unfortunately I could not get the list of workers sharing same SET of rate_codes. Also definition of SAME SET is not defined.
I don't know what I'm missing.
View 9 Replies
View Related
Feb 10, 2014
I have two tables, a dates table and a values table. They are joined on the date column.The date table has a range, say from today as far as 20 days from now, incrementing by 1 day each row.The values table may have a row for a day, and may not. If the day has a value I want to display that value.If the day does not have a value in the values table I want to display the last known value.
I think this can be done with windowing functions in a set based manner but have not been able to work it out. I have done it procedurally but im not happy with that at all, and really want to see if this is possible in a set based manner.Below is some simplified code to allow testing with sample data.
create table DimDate
(
DateCol date
)
create table TotalsData
(
DateCol date
[code]....
View 6 Replies
View Related
Mar 14, 2014
How to create a script to input one table name(already indexed) to get list of all index for that table?
View 5 Replies
View Related
Nov 11, 2014
I have a table (Event_Table) like:
EmployeeID, CustomerID, Date
1, 11, 2014-11-11
2, 13, 2014-12-10
1, 11, 2014-12-21
2, 13, 2015-01-11
1, 11, 2015-03-02
And now I would like to have a summary with a unique Employee/Customer combination and 3 Date columns like:
EmployeeID, CustomerID, Date1, Date2, Date3
1, 11, 2014-11-11, 2014-12-21, 2015-03-02
2, 13, 2014-12-10, 2015-01-11
Dates should be arranged with the first date in Date1, the next in Date2 and the third in Date3 (if there are forth and more dates I don´t care)
View 2 Replies
View Related
