permissions not working

Thread view:

Enable EMail Alerts

Start New Thread

Thread rating:

JEM - 15 Feb 2008 16:01 GMT

Hi. I have a SQL Server 2000 database,using Windows Authentication,
and have created some new roles and assigned permissions to the
various tables, views and sprocs. However, the permissions are not
working. When I log on as a user in one of the roles, i still have
access to insert, update, delete records in tables that i have
specifically denied permissions on (they should only have select
permissions which they have). I am able to log onto Query Analyzer
and do everything with the table that i should not be able to do. The
user is only a member of public and this role. The objects are all
owned by dbo. Any ideas?

Thanks,
jenn

Reply to this Message

Russell Fields - 15 Feb 2008 19:49 GMT

Jenn,

I imagine that there is some unexpected rights that your user has that you
have not found. By now, you have probably already done:

use yourdatabase
exec sp_helplogins 'loginname' -- login overall rights
exec sp_helpuser 'username' -- user role membership
exec sp_helprotect @username='username' -- directly assigned rights

Be sure to repeat the sp_helprotect for each role that has the user as a
member.

Slightly more mysterious:

I understand that this is a Windows login you are testing. Do you tend to
grant rights to Windows Groups (as I do) rather than Windows Logins? If so,
then another thing to check is "What Windows Groups with access to my server
have this login as a member?" Then, "What rights are granted to those
groups?" This is a little more subtle if you don't have access to domain
tools, but you can do the following from SQL Server running as the
'loginname' that you are having trouble with.

select name from master.dbo.syslogins where is_member(name) = 1

This will return all logins with the current login as a member. If this
exposes a security context that you did not know about, then you can pursue
what rights that group has.

FWIW,
RLF

> Hi. I have a SQL Server 2000 database,using Windows Authentication,
> and have created some new roles and assigned permissions to the
[quoted text clipped - 9 lines]
> Thanks,
> jenn

Reply to this Message

Erland Sommarskog - 15 Feb 2008 23:21 GMT

> Hi. I have a SQL Server 2000 database,using Windows Authentication,
> and have created some new roles and assigned permissions to the
[quoted text clipped - 6 lines]
> user is only a member of public and this role. The objects are all
> owned by dbo. Any ideas?

If you say "SELECT USER" what does it say? The name of this user or
does it by chance say "dbo"? In the latter case your login somehow
is a sysadmin member and is of course able to do anything.

Signature

Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

Reply to this Message

JEM - 18 Feb 2008 15:29 GMT

> > Hi. I have a SQL Server 2000 database,using Windows Authentication,
> > and have created some new roles and assigned permissions to the
[quoted text clipped - 16 lines]
> Books Online for SQL Server 2005 athttp://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books...
> Books Online for SQL Server 2000 athttp://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

Thanks for the help! When I do SELECT USER it does give me dbo. I am
not an expert with networking or with SQL server. Does this mean that
at the windows NT level they have sysadmin rights because I did not
give them these rights on the database?

Reply to this Message

Dan Guzman - 18 Feb 2008 16:52 GMT

> Thanks for the help! When I do SELECT USER it does give me dbo. I am
> not an expert with networking or with SQL server. Does this mean that
> at the windows NT level they have sysadmin rights because I did not
> give them these rights on the database?

It is likely that the user in question is a member of the Windows
Administrators group on the SQL Server. Administrators group members access
the SQL Server via membership of the BUILTIN\Administrators login are
sysadmin role members by default in SQL 2000. Sysadmin role members are dbo
in all databases and is why Erland suggested you check SELECT USER.

Signature

Hope this helps.

Dan Guzman
SQL Server MVP
http://weblogs.sqlteam.com/dang/

On Feb 15, 6:21 pm, Erland Sommarskog <esq...@sommarskog.se> wrote:

> JEM (J...@jemconsulting.org) writes:
> > Hi. I have a SQL Server 2000 database,using Windows Authentication,
[quoted text clipped - 19 lines]
> Books Online for SQL Server 2000
> athttp://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

Reply to this Message

JEM - 18 Feb 2008 18:11 GMT

On Feb 18, 11:52 am, "Dan Guzman" <guzma...@nospam-
online.sbcglobal.net> wrote:

> > Thanks for the help! When I do SELECT USER it does give me dbo. I am
> > not an expert with networking or with SQL server. Does this mean that
[quoted text clipped - 45 lines]
>
> - Show quoted text -

That makes sense. I have put in a call to the Network admin who set
up these accounts to discuss. Thanks so much for your help!

Reply to this Message

Dan Guzman - 18 Feb 2008 21:19 GMT

> That makes sense. I have put in a call to the Network admin who set
> up these accounts to discuss. Thanks so much for your help!

Erland is the one who deserves your thanks since he is the one who suggested
the SELECT USER for troubleshooting.

Signature

Dan Guzman
SQL Server MVP
http://weblogs.sqlteam.com/dang/

On Feb 18, 11:52 am, "Dan Guzman" <guzma...@nospam-
online.sbcglobal.net> wrote:

> > Thanks for the help! When I do SELECT USER it does give me dbo. I am
> > not an expert with networking or with SQL server. Does this mean that
[quoted text clipped - 49 lines]
>
> - Show quoted text -

That makes sense. I have put in a call to the Network admin who set
up these accounts to discuss. Thanks so much for your help!

Reply to this Message