SQL Server Login Lockdown

shaikh shoaib 171 Reputation points
2021-06-16T23:55:33.28+00:00

Is it possible to lock down MS SQL sql logins? Like a read only user only should be able to access DB data but will not be able to access/view stored procedures/views etc.?

Thanks

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
13,641 questions
{count} votes

Accepted answer
  1. Seeya Xi-MSFT 16,461 Reputation points
    2021-06-17T06:39:24.1+00:00

    Hi @shaikh shoaib ,

    Create or change the read and write permissions on the account.
    1.Create a new user
    You could add the user to the Database Level Role db_datareader.
    Members of the db_datareader fixed database role can run a SELECT statement against any table or view in the database.
    Please to this blog about how to create a read-only user: https://hub.acctivate.com/articles/create-a-read-only-sql-server-user-account
    Please to this blog about db_datareader: https://learn.microsoft.com/en-us/previous-versions/sql/sql-server-2005/ms189121(v=sql.90)?redirectedfrom=MSDN
    2.Change properties
    Security->Logins->UserName->Properties
    Follow the same steps like before.
    Note: The important steps are selecting the database for mapping and granting permissions.

    Then use this account to log in.
    Lastly, you can see that the account can only read and not write.
    106492-deny.png

    > but will not be able to access/view stored procedures/views etc.

    Login with your sa account, select YourDatabase->Views->System Views-> Properties and follow the steps:
    106418-set1.png
    Then set the permission.
    Finally, use your account(such as my [Oh]) to login in.

    Best regards,
    Seeya


    If the response is helpful, please click "Accept Answer" and upvote it, as this could help other community members looking for similar queries.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

3 additional answers

Sort by: Most helpful
  1. Olaf Helper 43,901 Reputation points
    2021-06-17T05:45:12.937+00:00

    Not very clear, what you are looking for.
    Grant SELECT permissions only = ReadOnly on the table as per your requirement; so in which detail do you have an issue/question on?

    0 comments No comments

  2. Erland Sommarskog 109.9K Reputation points MVP
    2021-06-17T21:47:55.277+00:00

    Yes, it is possible. In fact, by default a login has very little permission. No access to any database beyond the system databases, and if you add a user to a database, the user by default has access to no tables at all.

    So if you want a login DOMAIN\USER to be a readonly user in database DB1, you would do:

    USE DB1
    go
    CREATE USER [DOMAIN\USER]
    ALTER ROLE db_datareader ADD MEMEBER [DOMAIN\USER]
    

    If you find that the login can do more than this, this may be because the login is member of an AD group which has wider permissions, or permissions have been granted to public.

    0 comments No comments

  3. shaikh shoaib 171 Reputation points
    2021-06-22T08:09:56.43+00:00

    Thanks all, will go through your kind replies soon.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.