Solved

How can I give the minimum permission?

Posted on 2010-11-15
7
587 Views
Last Modified: 2012-05-10
How can I give a SQL user ONLY execute permission to a stored procedure that is in the Master DB?
0
Comment
Question by:Negash
  • 3
  • 3
7 Comments
 
LVL 2

Assisted Solution

by:AarthiPrabakaran
AarthiPrabakaran earned 166 total points
ID: 34142460


try something like this CREATE PROCEDURE dbo.usp_Demo
AS
SELECT user_name();
GO
GRANT EXECUTE ON [dbo].[usp_Demo] TO [test]
0
 
LVL 57

Accepted Solution

by:
Raja Jegan R earned 334 total points
ID: 34142496
>> How can I give a SQL user ONLY execute permission to a stored procedure that is in the Master DB?

Few Best practices:

1. Giving CONNECT permission to a user for master db is not recommended.
2. Instead create that procedure in some other user databases and grant CONNECT privilege to Database and EXECUTE privileges to procedure.
3. Make sure public role is revoked and guest account is disabled since all users would be able to view and access objects present in all databases.
0
 

Author Comment

by:Negash
ID: 34142519
It is not only one stored procedure that the user needs permission to. There are at least two dozen. Do I need to grant permission to each of them? Also, I would like to make sure this wouldn't give the user access to any other object in the DB?  
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 57

Expert Comment

by:Raja Jegan R
ID: 34142532
>> It is not only one stored procedure that the user needs permission to. There are at least two dozen

Then you need to GRANT execute permission to all the required stored procedures.
In the meanwhile, why are you having user stored procedures in master database which is not a recommended approach at all.

>> Also, I would like to make sure this wouldn't give the user access to any other object in the DB?  

Revoke Public role and disable guest account.
Now granting CONNECT permissions to only required database and EXECUTE privilege on required stored procedures would suffice (it won't give access to other objects for sure)
0
 

Author Comment

by:Negash
ID: 34142566
Thank you rrjegan17! This was exactly what I wanted to do. But I have an external vendor that requested to have their stored procedures in the master db.  Their reason I think is they use a third party tool that apparently converts their existing Access based DB to SQL.  They never re-wrote their code so they are translating everything.   So now I have to figure out how to give only an execute permission without even giving public role to this user. (Is this even possible?)
0
 

Author Comment

by:Negash
ID: 34142578
I guess you have answered my question. I posted comment with refreshing the browser. I will try that. Thanks much!
0
 
LVL 57

Assisted Solution

by:Raja Jegan R
Raja Jegan R earned 334 total points
ID: 34142618
One more info:

"The guest user cannot be dropped, but it can be disabled by revoking its CONNECT permission. The CONNECT permission can be revoked by executing REVOKE CONNECT FROM GUEST within any database other than master or tempdb."

Guest account which has public role access cannot be REVOKED from master database and hence I don't it would work in your scenario..
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

     When we have to pass multiple rows of data to SQL Server, the developers either have to send one row at a time or come up with other workarounds to meet requirements like using XML to pass data, which is complex and tedious to use. There is a …
Occasionally there is a need to clean table columns, especially if you have inherited legacy data. There are obviously many ways to accomplish that, including elaborate UPDATE queries with anywhere from one to numerous REPLACE functions (even within…
Need to grow your business through quality cloud solutions? With everything required to build a cloud platform and solution, you may feel like the distance between you and the cloud is quite long. Help is here. Spend some time learning about the Con…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now