Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
Home
Discussion Groups
DB Engine
SQL ServerMSDESQL Server CE
Services
Analysis (Data Mining)Analysis (OLAP)DTSIntegration ServicesNotification ServicesReporting Services
Programming
CLRConnectivitySQLXML
Other Technologies
ClusteringEnglish QueryFull-Text SearchReplicationService Broker
General
Data WarehousingPerformanceSecuritySetupSQL Server ToolsOther SQL Server Topics
DirectoryUser Groups
Related Topics
MS AccessOther DB ProductsMS Server Products.NET DevelopmentVB DevelopmentJava DevelopmentMore Topics ...
SQL Server Forum / General / Security / August 2007

Tip: Looking for answers? Try searching our database.

db_ddladmin rights in Management Studio

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
gj111 - 17 Aug 2007 02:12 GMT
Hello,

We are running SQL Server 2005 enterprise with SP2.  Recently, after
assigning db_ddladmin permissions to someone, I ran across something that I'm
curious about.  It seems that as a db_ddladmin of a database in the dbo
schema, it's possible to create and drop objects, but not alter them using
Management Studio.  However, it is possible to alter objects in Query Editor
as db_ddladmin.  This isn't really a problem as we can use TSQL for these
modifications.  Just curious as to what appears to be a difference in
behavior between Management Studio and Query Editor.  

I'm new to SQL Server 2005's security model, but from the messages returned
when attempting to modify with the GUI, my guess is that this has something
to do with the differences in SQL Server 2000 and 2005 regarding users and
schemas owning objects.  But I'm not sure why the behavior appears
inconsistent between the GUi and TSQL.  Is the behavior different or am I
missing something?

Thanks,
Greg
Reply to this Message
Erland Sommarskog - 18 Aug 2007 22:42 GMT
> We are running SQL Server 2005 enterprise with SP2.  Recently, after
> assigning db_ddladmin permissions to someone, I ran across something
[quoted text clipped - 11 lines]
> behavior appears inconsistent between the GUi and TSQL.  Is the behavior
> different or am I missing something?

I ran Profiler to see what queries Mgmt Studio runs, and I found that it
runs:

  select Has_Perms_By_Name(N'dbo.binary', 'Object', 'ALTER') as ALT_Per,                    
     Has_Perms_By_Name(N'dbo.binary', 'Object', 'VIEW DEFINITION') as            
         View_def_Per,
     Has_Perms_By_Name(N'dbo.binary', 'Object', 'CONTROL') as Contr_Per

This query returns 1, 0, 0 for a user with db_ddladmin, why Mgmt Studio
thinks that this guy is not good enough. It appears that Mgmt Studio
has overlooked db_ddladmin.

This could be construed as a good thing, at least when it comes to
the Table Designer and the diagrams, as these tools are seroiusly
buggy and are dangerous to use for table modifications, unless you
understand what they do, including what they shouldn't do.

Signature

Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

Reply to this Message
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2009 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.