Solved

How can I give the minimum permission?

Posted on 2010-11-15
7
592 Views
Last Modified: 2012-05-10
How can I give a SQL user ONLY execute permission to a stored procedure that is in the Master DB?
0
Comment
Question by:Negash
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 2

Assisted Solution

by:AarthiPrabakaran
AarthiPrabakaran earned 166 total points
ID: 34142460


try something like this CREATE PROCEDURE dbo.usp_Demo
AS
SELECT user_name();
GO
GRANT EXECUTE ON [dbo].[usp_Demo] TO [test]
0
 
LVL 57

Accepted Solution

by:
Raja Jegan R earned 334 total points
ID: 34142496
>> How can I give a SQL user ONLY execute permission to a stored procedure that is in the Master DB?

Few Best practices:

1. Giving CONNECT permission to a user for master db is not recommended.
2. Instead create that procedure in some other user databases and grant CONNECT privilege to Database and EXECUTE privileges to procedure.
3. Make sure public role is revoked and guest account is disabled since all users would be able to view and access objects present in all databases.
0
 

Author Comment

by:Negash
ID: 34142519
It is not only one stored procedure that the user needs permission to. There are at least two dozen. Do I need to grant permission to each of them? Also, I would like to make sure this wouldn't give the user access to any other object in the DB?  
0
Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

 
LVL 57

Expert Comment

by:Raja Jegan R
ID: 34142532
>> It is not only one stored procedure that the user needs permission to. There are at least two dozen

Then you need to GRANT execute permission to all the required stored procedures.
In the meanwhile, why are you having user stored procedures in master database which is not a recommended approach at all.

>> Also, I would like to make sure this wouldn't give the user access to any other object in the DB?  

Revoke Public role and disable guest account.
Now granting CONNECT permissions to only required database and EXECUTE privilege on required stored procedures would suffice (it won't give access to other objects for sure)
0
 

Author Comment

by:Negash
ID: 34142566
Thank you rrjegan17! This was exactly what I wanted to do. But I have an external vendor that requested to have their stored procedures in the master db.  Their reason I think is they use a third party tool that apparently converts their existing Access based DB to SQL.  They never re-wrote their code so they are translating everything.   So now I have to figure out how to give only an execute permission without even giving public role to this user. (Is this even possible?)
0
 

Author Comment

by:Negash
ID: 34142578
I guess you have answered my question. I posted comment with refreshing the browser. I will try that. Thanks much!
0
 
LVL 57

Assisted Solution

by:Raja Jegan R
Raja Jegan R earned 334 total points
ID: 34142618
One more info:

"The guest user cannot be dropped, but it can be disabled by revoking its CONNECT permission. The CONNECT permission can be revoked by executing REVOKE CONNECT FROM GUEST within any database other than master or tempdb."

Guest account which has public role access cannot be REVOKED from master database and hence I don't it would work in your scenario..
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Stored Proc - Rewrite 42 75
Need return values from a stored procedure 8 60
SQL Recursion schedule 13 44
Many to one in one row 2 46
In this article we will get to know that how can we recover deleted data if it happens accidently. We really can recover deleted rows if we know the time when data is deleted by using the transaction log.
Ever needed a SQL 2008 Database replicated/mirrored/log shipped on another server but you can't take the downtime inflicted by initial snapshot or disconnect while T-logs are restored or mirror applied? You can use SQL Server Initialize from Backup…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question