ALTER TABLE [dbo].[Client] ADD [Awesomness] [nvarchar](max)
ALTER TABLE [dbo].[Client] DROP COLUMN [Awesomness]
The second command I don't want to be successful, I don't want any DROP COLUMN to succeed. So I created a user for my database, just wondering how I can deny this user the permission to DROP COLUMN. I set up a trigger but that doesn't seem to take care of DROP COLUMN. Is there any way I could restrict this?
CREATE TRIGGER [TR_DB_NO_DROPPING_OBJECTS_2]
on DATABASE
FOR
DROP_PROCEDURE,DROP_FUNCTION,DROP_VIEW,DROP_TABLE, DROP_DEFAULT,DROP_EXTENDED_PROPERTY
AS
BEGIN
IF --only two accounts allowed to drop stuff
suser_name() NOT IN('test' )
BEGIN
--raise an error, which goes to the error log
RAISERROR('Unauthorized use of drop object from inpermissible host.', 16, 1)
--prevent the drop
ROLLBACK
END
--if it got to here, it was the "right" user from the "right" machine (i hope)
END
The roles I've assigned my user.
use Hasan
go
EXEC sp_addrolemember N'db_datareader', N'TestUser'
go
use Hasan
go
EXEC sp_addrolemember N'db_datawriter', N'TestUser'
go
use Hasan
GO
GRANT EXECUTE TO [TestUser]
GO
use Hasan
GO
GRANT INSERT TO [TestUser]
GO
use Hasan
GO
GRANT SELECT TO [TestUser]
GO
use Hasan
GRANT ALTER TO [TestUser]
GO
use Hasan
GO
GRANT UPDATE TO [TestUser]
GO
use Hasan
GO
GRANT DELETE TO [TestUser]
GO
That would be an Alter_Table DDL event. See if that works for you.
Also, I am not sure if you have looked into roles. Granting dbwriter and dbreader allows CRUD operations but no changes to DDL.
https://msdn.microsoft.com/en-us/library/ms189121.aspx
EDIT: This example does not check for a user but it works on my test table:
CREATE TRIGGER testtrig
ON DATABASE
FOR ALTER_TABLE
AS
-- Pull the text of the ALTER TABLE statement that fired the trigger
DECLARE @Msg nvarchar(max) = (SELECT EVENTDATA().value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]','nvarchar(max)'))
-- Undo the statement if it drops ColumnA
IF @Msg LIKE '%Drop Column ColumnA%'
ROLLBACK
GO
There is probably a better way than parsing the message text like in my example, this was just a quick test.
Also remember this is just a safety to let the user know they should not drop this column. If they have DDL rights they can disable or delete the trigger.
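An added example, not part of the original question or answer: a DDL trigger that detects DROP COLUMN from the structured ALTER_TABLE event data instead of matching the command text, followed by the permission change that stops the user from disabling it. The trigger name is hypothetical; the 'test' login, [TestUser] and the Hasan database are taken from the question, and ORIGINAL_LOGIN() is used here in place of suser_name() so that EXECUTE AS does not change the result.

```sql
USE Hasan
GO
-- Hypothetical trigger name; blocks every DROP COLUMN except for the 'test' login.
CREATE TRIGGER [TR_DB_BLOCK_DROP_COLUMN]
ON DATABASE
FOR ALTER_TABLE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @evt xml = EVENTDATA();

    -- The ALTER_TABLE event lists each action; a dropped column appears under
    -- AlterTableActionList/Drop/Columns/Name, so no LIKE on the command text is needed.
    IF @evt.exist('/EVENT_INSTANCE/AlterTableActionList/Drop/Columns/Name') = 1
       AND ORIGINAL_LOGIN() NOT IN ('test')
    BEGIN
        DECLARE @tbl sysname = @evt.value('(/EVENT_INSTANCE/ObjectName)[1]', 'sysname');
        DECLARE @col sysname = @evt.value(
            '(/EVENT_INSTANCE/AlterTableActionList/Drop/Columns/Name)[1]', 'sysname');
        -- Severity 16 returns the error to the caller; ROLLBACK undoes the ALTER TABLE.
        RAISERROR('DROP COLUMN blocked on %s (column %s).', 16, 1, @tbl, @col);
        ROLLBACK;
    END
END
GO

-- Database-level ALTER (granted in the question) implies ALTER ANY DATABASE DDL TRIGGER,
-- so the user could disable or drop the trigger. Removing the grant closes that gap;
-- db_datareader and db_datawriter still allow SELECT/INSERT/UPDATE/DELETE.
REVOKE ALTER FROM [TestUser];
GO

-- Check: database-scoped DDL triggers and whether any has been disabled.
SELECT name, is_disabled, modify_date
FROM sys.triggers
WHERE parent_class_desc = 'DATABASE';
GO
```

With ALTER revoked the trigger becomes a second layer rather than the only control, since ALTER TABLE itself then fails for [TestUser] with a permission error.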