![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 32%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
14,494 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 32%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
This is all covered in the documentation that you can read. I recommend you start there.
At a very high level.
- Create the database role.
- On the Properties for the role go to the
Securablessection. - Select the objects (tables, sprocs, etc) that you want to grant access to (or deny as the case may be).
- Select the permissions for the object (select, insert, etc).
- Apply the changes.
- Add users to the role. Note that a user may be in multiple roles so ensure that you don't add a user to a role that has more permissions then the locked down role otherwise you defeated the purpose of doing that.
To be honest, in my opinion, securing users at this fine grain a level is going to be hard to manage. It's almost like giving users specific access to only some files in a folder structure. You might do better to:
- Give them only db_datareader role if they shouldn't be modifying any data.
- Give them only exec sproc rights and wrap all DB access in the sprocs
- Don't give them any access to DB and create a wrapper API that they can call to get the data based upon permissions in the API.