security configuration

Question

security configuration

bababalush 21

Hi All.
I want to give a user ([test user]) permissions to read data only from specific schema (schema: test) in specific DB (db: ods) in sql server.
it's need to be only with windows authentication login and not with sql server authentication.

i created a login (with public role)
created user inside the DB
and mapped the user to the login.
i give the user default schema :test
and grant the user permissions: GRANT SELECT ON SCHEMA :: test TO [test user]

it's not working, the user can see all the schemas inside the db.

then i tried to do the same with sql server authentication.
and now he can see only objects with :test schema.
but when trying to select the view, it's failed because the user don't have permissions to the tables that created the view.

what is the best way to do it?
give a user ([test user]) permissions to read data only from specific schema (schema: test) in specific DB (db: ods) in sql server. only with windows authentication login and not with sql server authentication?

CathyJi-MSFT 22,431 Reputation points Microsoft External Staff

2022-04-20T10:03:56.627+00:00

Hi @bababalush ,

We have not received a response from you. Did the reply(s) could help you? If the response helped, do "Accept Answer". If it is not work, please let us know. Then we can give you a continued help.

2 answers

Your answer

CathyJi-MSFT 22,431 Reputation points Microsoft External Staff

2022-04-20T10:03:56.627+00:00

Hi @bababalush ,

We have not received a response from you. Did the reply(s) could help you? If the response helped, do "Accept Answer". If it is not work, please let us know. Then we can give you a continued help.

Answer 1

CathyJi-MSFT 22,431 Microsoft External Staff

Hi @bababalush ,

Did you grant the permission on database level?

I did a test in my environment. Please follow below steps ;

1.created an user at server level under Security
2.Server Roles=Public (Default)
3.User Mapping--> Checked on my BD and left Database Role Member for my DB=Public (Default)
4.Expanded my DB-->Security--> and i can see newly created user is there.
5.Opened a new session under this DB and executed GRANT SELECT ON SCHEMA :: [test] TO [test user]
6.That is all. It will works as expected. Once I logged in with new user, I was able to see objects only under Schema test.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

bababalush 21 Reputation points

2022-04-25T07:55:25.49+00:00

Hi Cathyji,
Thanks for the quick response.
steps 1-6: this is exactly what i did.
but it's not working with windows authentication login, works just with SQL server authentication.
is it suppose to be like this? or i doing something wrong?
Erland Sommarskog 134.7K Reputation points MVP Volunteer Moderator

2022-04-25T21:21:37.407+00:00

So did you try the query that I posted above?

It's quite apparent that the user gets the other permissions from an AD group it's a member of.

Answer 2

The solution is the same in both cases. The difference is that with SQL authentication, you have full control since the user exist only in SQL Server. With an AD user, you need to consider that the user may be member of an AD group that has wider permissions in the database. If this is the case, you should probably review whether you want to have in that way.

One way to investigate this is to run:

EXECUTE AS LOGIN = 'domain\user'
go
SELECT * FROM sys.user_token
go
REVERT

This will list all tokens associated with this user on database level. This includes AD groups the user is a member of, but also database roles the user is member of, directly or indirectly.

Share via

security configuration

2 answers

Your answer