
Restricting permission to drop column in SQL Server?

ALTER TABLE [dbo].[Client] ADD [Awesomness] [nvarchar](max)
ALTER TABLE [dbo].[Client] DROP COLUMN [Awesomness]

I don't want the second command to succeed; I don't want any DROP COLUMN to succeed. So I created a user for my database, and I'm just wondering how I can deny this user the permission to DROP COLUMN. I set up a trigger, but that doesn't seem to take care of DROP COLUMN. Is there any way I could restrict this?

CREATE TRIGGER [TR_DB_NO_DROPPING_OBJECTS_2]
ON DATABASE
FOR
    DROP_PROCEDURE, DROP_FUNCTION, DROP_VIEW, DROP_TABLE, DROP_DEFAULT, DROP_EXTENDED_PROPERTY
AS
BEGIN
    IF --only two accounts allowed to drop stuff
        suser_name() NOT IN ('test')
    BEGIN
        --raise an error, which goes to the error log
        RAISERROR('Unauthorized use of drop object from inpermissible host.', 16, 1)
        --prevent the drop
        ROLLBACK
    END
    --if it got to here, it was the "right" user from the "right" machine (i hope)
END

The roles I've assigned my user.

use Hasan
go
EXEC sp_addrolemember N'db_datareader', N'TestUser'
go

use Hasan
go
EXEC sp_addrolemember N'db_datawriter', N'TestUser'
go

use Hasan
GO
GRANT EXECUTE TO [TestUser]
GO

use Hasan
GO
GRANT INSERT TO [TestUser]
GO

use Hasan
GO
GRANT SELECT TO [TestUser]
GO

use Hasan
GRANT ALTER TO [TestUser]
GO

use Hasan
GO
GRANT UPDATE TO [TestUser]
GO

use Hasan
GO
GRANT DELETE TO [TestUser]
GO

That would be an Alter_Table DDL event. See if that works for you.

Also, I am not sure if you have looked into roles. Granting db_datawriter and db_datareader allows CRUD operations but no changes to DDL.

https://msdn.microsoft.com/en-us/library/ms189121.aspx

EDIT: This example does not check for a user but it works on my test table:

CREATE TRIGGER testtrig
ON DATABASE
FOR ALTER_TABLE
AS
    -- Pull the T-SQL text of the ALTER TABLE statement out of the event XML
    DECLARE @Msg nvarchar(max) = (SELECT EVENTDATA().value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'))
    -- Undo the statement if it drops the protected column
    IF @Msg LIKE '%Drop Column ColumnA%'
        ROLLBACK
GO

There is probably a better way than parsing the message text like in my example, this was just a quick test.

Also remember this is just a safety to let the user know they should not drop this column. If they have DDL rights they can disable or delete the trigger.
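As an added example (not from the question or the answer above), here is the "better way than parsing the message text": the ALTER_TABLE event XML in SQL Server 2008 and later carries an AlterTableActionList whose Drop/Columns/Name nodes list the columns being dropped, so the trigger can test that structure directly and still check who issued the statement. It assumes the dbo.Client table from the question and that only the login named in the allow-list (a placeholder here) may drop columns.

```sql
-- Added example: block DROP COLUMN on dbo.Client for everyone except an allowed login,
-- deciding from the event XML rather than from a LIKE over the command text.
CREATE TRIGGER [TR_DB_BLOCK_DROP_COLUMN]
ON DATABASE
FOR ALTER_TABLE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @ev XML = EVENTDATA();

    DECLARE @schema sysname = @ev.value('(/EVENT_INSTANCE/SchemaName)[1]', 'sysname');
    DECLARE @table  sysname = @ev.value('(/EVENT_INSTANCE/ObjectName)[1]', 'sysname');
    DECLARE @login  sysname = @ev.value('(/EVENT_INSTANCE/LoginName)[1]', 'sysname');

    -- Number of columns this ALTER TABLE tries to drop (0 for ADD / ALTER COLUMN etc.)
    DECLARE @dropped INT = @ev.value(
        'count(/EVENT_INSTANCE/AlterTableActionList/Drop/Columns/Name)', 'int');

    -- Only the protected table, only when at least one column is dropped,
    -- and only for logins outside the allow-list (placeholder login name).
    IF @dropped > 0
       AND @schema = N'dbo' AND @table = N'Client'
       AND @login NOT IN (N'AllowedAdminLogin')
    BEGIN
        -- First dropped column name, for the error message / error log
        DECLARE @col sysname = @ev.value(
            '(/EVENT_INSTANCE/AlterTableActionList/Drop/Columns/Name)[1]', 'sysname');
        RAISERROR('DROP COLUMN %s on %s.%s is not permitted for login %s.', 16, 1,
                  @col, @schema, @table, @login);
        ROLLBACK;   -- undo the ALTER TABLE
    END
END
GO
```

Because ALTER on a table (and the database-wide ALTER granted to TestUser in the question) covers ADD COLUMN and DROP COLUMN alike, no single permission separates the two; the trigger is what tells them apart, and, as the answer notes, anyone with enough DDL rights can disable it.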
