Solved

Executing DDL statements as non privileged user

Posted on 2006-11-13
11
366 Views
Last Modified: 2011-09-20
Any ideas on how to execute DDL statements as a non-sysadmin user.  I prefer not to use osql because it would require username and password in a stored procedure which is granted execute permissions to the non-sysadmin users.  I would like to use Windows authentication as much as possible.

I found this solution http://www.experts-exchange.com/Databases/Microsoft_SQL_Server/Q_10212489.html?query=assigning+sql+server+ddl+permissions&clearTAFilter=true but I really do not want to use SQL server users.
0
Comment
Question by:optimacommunications
  • 5
  • 4
  • 2
11 Comments
 
LVL 11

Expert Comment

by:rw3admin
ID: 17933674
you will have to create a new user who has db_admin rights on that database and run these DDLs as that, thats simple ... so maybe I am not understanding your question clearly
0
 

Author Comment

by:optimacommunications
ID: 17933793
I would like to use some type of proxy/chaining to facilitate the user rather than give them powerful ddl_admins rights.  I do not want to use OSQL to run an sql command as a privileged user.
0
 
LVL 11

Expert Comment

by:rw3admin
ID: 17933835
ok, we do use windows authentication for lot of that, you would basically be creating user in Active Directory and then adding them back in SQL Enterprise Manager>>Security>>Logins this is where you will define this login's role to db_ddladmin and nothing else.
one more thing though you would wanna make sure you still create objects as "create table dbo.tablename" instead of just "create table tablename"

rw3admin
0
 

Author Comment

by:optimacommunications
ID: 17933927
I do not want the user to be a member of the ddladmin role!  I need users to create and drop permanent tables when they access a report.  These actions will be transparent to them.  If I permit them as members of admin, this will give them too much power and potentially unnecessary grief for me.

Let me try to explain the scenario a bit more: developers create reports in excel.  I do not want SQL login connection strings in the excel sheets so they now use Windows authentication. The users of the excel sheets (windows users), will run stored procedures which have DDL statements embedded.  Non ddladmins are unable to run ddl statements so I want a work around that will enable the users to run the statements but still have little or no priviliges outside of the stored procedure permissions assigned to them.

I hope this clarifies stuff a bit more.  It is certainly more tricky that it appears.
0
 
LVL 11

Expert Comment

by:rw3admin
ID: 17933984
yes that clears the confusion, thanks
I hope users have data write access, if yes then since regular users dont have access to DDL, you can insert this DDL command in a table now create a job as db_admin on the server that check this table and execute DDL commands out of that every 30 seconds or so, the tricky part around programming would be to return handle back to the proc containing this DDL statement


 
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 

Author Comment

by:optimacommunications
ID: 17934073
Hmm ... this is turning out to be more messy than I imagined!!!  I will keep looking and see if we can come up with a simpler solution.
0
 
LVL 11

Expert Comment

by:rw3admin
ID: 17934112
:)
sorry for my messy design, I am actually doing something like that right now, I dont want support to be able to start and stop jobs without checking if its going to effect other jobs and server activity, so I wrote them a interface where they come and schedule job to run as soon as its "OK" to run them, this insert the user_id, request and date in database they dont have any access to it.
Now I created a job on that server which runs every minute and check this table for any new request and will only run it after checking against some conditions/rules that I have defined in another table.
This way my life is much easier I dont get into server lock issues, niether client calls and yell and everyone is happy

rw3admin
0
 
LVL 142

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 17936085
>I need users to create and drop permanent tables when they access a report.
why do the tables need to be dropped and recreated?
would a truncate or simply a global temp table not be better suited?


otherways, unless you can create the tables in advance, you have to do like rw3admin indicates, although I would put a insert trigger in the table he mentionned to the job would start immediately... anyhow, there would be no easy way out.
0
 

Author Comment

by:optimacommunications
ID: 17937854
The tables need to be permanent because the structure may change and they need to be available for later retrieval.  I guess there is no easy way out which confirms my worst fears!

I guess this is a dead end issue which can be closed by the moderator.  Guys, thank you for your thoughts.
0
 
LVL 142

Accepted Solution

by:
Guy Hengel [angelIII / a3] earned 500 total points
ID: 17937932
>I prefer not to use osql because it would require username and password in a stored procedure which is granted execute permissions to the non-sysadmin users.
let me come back to this.
actually, if sql server runs as a (dedicated) domain user, and that domain user has login permissions (ie the required DDL permissions), you can use the -E flag of osql to connect with windows authentication.
0
 

Author Comment

by:optimacommunications
ID: 17938002
Geez ... simple solution!! Thank you.  All the time, I thought -E was for the currently logged in user rather than the SQL Server account!
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Why is this different from all of the other step by step guides?  Because I make a living as a DBA and not as a writer and I lived through this experience. Defining the name: When I talk to people they say different names on this subject stuff l…
JSON is being used more and more, besides XML, and you surely wanted to parse the data out into SQL instead of doing it in some Javascript. The below function in SQL Server can do the job for you, returning a quick table with the parsed data.
Via a live example, show how to shrink a transaction log file down to a reasonable size.
Viewers will learn how to use the UPDATE and DELETE statements to change or remove existing data from their tables. Make a table: Update a specific column given a specific row using the UPDATE statement: Remove a set of values using the DELETE s…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now