Solved

How can I give the minimum permission?

Posted on 2010-11-15
7
589 Views
Last Modified: 2012-05-10
How can I give a SQL user ONLY execute permission to a stored procedure that is in the Master DB?
0
Comment
Question by:Negash
  • 3
  • 3
7 Comments
 
LVL 2

Assisted Solution

by:AarthiPrabakaran
AarthiPrabakaran earned 166 total points
ID: 34142460


try something like this CREATE PROCEDURE dbo.usp_Demo
AS
SELECT user_name();
GO
GRANT EXECUTE ON [dbo].[usp_Demo] TO [test]
0
 
LVL 57

Accepted Solution

by:
Raja Jegan R earned 334 total points
ID: 34142496
>> How can I give a SQL user ONLY execute permission to a stored procedure that is in the Master DB?

Few Best practices:

1. Giving CONNECT permission to a user for master db is not recommended.
2. Instead create that procedure in some other user databases and grant CONNECT privilege to Database and EXECUTE privileges to procedure.
3. Make sure public role is revoked and guest account is disabled since all users would be able to view and access objects present in all databases.
0
 

Author Comment

by:Negash
ID: 34142519
It is not only one stored procedure that the user needs permission to. There are at least two dozen. Do I need to grant permission to each of them? Also, I would like to make sure this wouldn't give the user access to any other object in the DB?  
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 
LVL 57

Expert Comment

by:Raja Jegan R
ID: 34142532
>> It is not only one stored procedure that the user needs permission to. There are at least two dozen

Then you need to GRANT execute permission to all the required stored procedures.
In the meanwhile, why are you having user stored procedures in master database which is not a recommended approach at all.

>> Also, I would like to make sure this wouldn't give the user access to any other object in the DB?  

Revoke Public role and disable guest account.
Now granting CONNECT permissions to only required database and EXECUTE privilege on required stored procedures would suffice (it won't give access to other objects for sure)
0
 

Author Comment

by:Negash
ID: 34142566
Thank you rrjegan17! This was exactly what I wanted to do. But I have an external vendor that requested to have their stored procedures in the master db.  Their reason I think is they use a third party tool that apparently converts their existing Access based DB to SQL.  They never re-wrote their code so they are translating everything.   So now I have to figure out how to give only an execute permission without even giving public role to this user. (Is this even possible?)
0
 

Author Comment

by:Negash
ID: 34142578
I guess you have answered my question. I posted comment with refreshing the browser. I will try that. Thanks much!
0
 
LVL 57

Assisted Solution

by:Raja Jegan R
Raja Jegan R earned 334 total points
ID: 34142618
One more info:

"The guest user cannot be dropped, but it can be disabled by revoking its CONNECT permission. The CONNECT permission can be revoked by executing REVOKE CONNECT FROM GUEST within any database other than master or tempdb."

Guest account which has public role access cannot be REVOKED from master database and hence I don't it would work in your scenario..
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I have written a PowerShell script to "walk" the security structure of each SQL instance to find:         Each Login (Windows or SQL)             * Its Server Roles             * Every database to which the login is mapped             * The associated "Database User" for this …
     When we have to pass multiple rows of data to SQL Server, the developers either have to send one row at a time or come up with other workarounds to meet requirements like using XML to pass data, which is complex and tedious to use. There is a …
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question