| Author |
Topic |
|
SQLServerDBA_Dan
Aged Yak Warrior
752 Posts |
 Posted - 2001-02-09 : 17:02:59
|
| Ok. I have another question that has bugged me for a long time. I have been unable to find a way to grant a few permissions on all objects in a db to a user. Something like this: GRANT SELECT, DELETE ON * TO USER001 orGRANT SELECT, DELETE ON ALL TO USER001I have written a cursor to loop thru all of the objects for me. Although the cursor works well, I can't stop thinking that there is a better way or that I am missing something... Well that's my question for the day. Thanks to anyone that responds.TheNewDBA |
|
|
lancepr
Starting Member
17 Posts |
Posted - 2002-07-30 : 21:33:27
|
| Do you have th code for that looping cursor?I need to do a similar task |
 |
|
|
Mits
Starting Member
48 Posts |
Posted - 2004-05-14 : 11:29:36
|
| hi SQLServerDBA_Dan i want to do exactly what you are doing thru your cursor. if possible could you please give me that codeMits |
|
|
|
SQLServerDBA_Dan
Aged Yak Warrior
752 Posts |
Posted - 2004-05-14 : 13:18:30
|
quote:
Originally posted by lancepr
Do you have th code for that looping cursor?I need to do a similar task
LOl sorry guess I missed the request for this a few years ago.  quote:
Originally posted by Mits
hi SQLServerDBA_Dan i want to do exactly what you are doing thru your cursor. if possible could you please give me that codeMits
I'll post it in the next couple minutes.DanielSQL Server DBA |
|
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2004-05-14 : 13:38:07
|
You can use my stored proc:------------------------------------------------------------------------------------------------------ OBJECT NAME : isp_Grant_Permissions---- AUTHOR : Tara Duggan-- DATE : June 12, 2002---- INPUTS : None-- OUTPUTS : None---- DEPENDENCIES : None---- APPLICATION(s) : GT---- DESCRIPTION : This stored proc is used to grant permissions-- on all stored procedures that start with usp_,-- all functions that start with udf_,-- and all views that start with v_.-- -- EXAMPLES (optional) : EXEC isp_Grant_Permissions---- MODIFICATION HISTORY :------------------------------------------------------------------------------------------------------ MM/DD/YYYY - (Name)-- (Description)----------------------------------------------------------------------------------------------------CREATE PROC isp_Grant_PermissionsASSET NOCOUNT ONDECLARE @objName varchar(80)DECLARE @objType char(2)DECLARE grant_perms_on_sps CURSOR FOR SELECT name, typeFROM SYSOBJECTS WHERE ( (type = 'P' AND name LIKE 'usp[_]%') OR (type = 'FN' AND name like 'udf[_]%') OR (type = 'TF' AND name like 'udf[_]%') OR (type = 'U') OR (type = 'V' AND name like 'v[_]%') ) AND uid = 1 AND status > -1OPEN grant_perms_on_spsFETCH NEXT FROM grant_perms_on_sps INTO @objName, @objTypeWHILE @@FETCH_STATUS = 0BEGIN IF @objType NOT IN ('TF', 'T', 'V') BEGIN EXEC ('GRANT EXECUTE ON dbo.' + @objName + ' TO GT_Apps') END ELSE BEGIN EXEC ('GRANT SELECT ON dbo.' + @objName + ' TO GT_Apps') END FETCH NEXT FROM grant_perms_on_sps INTO @objName, @objTypeENDCLOSE grant_perms_on_spsDEALLOCATE grant_perms_on_spsGOJust change the role name and tweak the object names if you don't have a strict naming convention like we do. Modifying the select in the cursor declaration will allow you to get the objects that you care about.Tara |
|
|
|
SQLServerDBA_Dan
Aged Yak Warrior
752 Posts |
Posted - 2004-05-14 : 13:41:09
|
First off. I dont really use the cursor anymore. I saw NR once said: "Cursors are for people that dont know SQL" 
Here is what I do today:DECLARE @GRANTWHAT as varchar(100), @GRANTEDROLE as varchar(50)SET @GRANTWHAT = 'SELECT, INSERT, UPDATE, DELETE'SET @GRANTEDROLE = 'rl_ACCOUNTING'SELECT 'GRANT ' + @GRANTWHAT + ' ON ' + TABLE_CATALOG + '.' + TABLE_SCHEMA + '.' + TABLE_NAME + ' TO ' + @GRANTEDROLEfrom INFORMATION_SCHEMA.tables where TABLE_TYPE = 'BASE TABLE' I then take the query results and paste that into the query window, make sure its what I wanted and then run it. After which I assign users to that role. This makes it much easier to manage then putting permissions on individual users.
The cursor went something like this ***PLEASE NOTE THAT I WOULD USE THE TOP METHOD.*** (This cursor basically sucks) :declare addpermis_cursor cursorforselect name from <DATABASE>..sysobjectswhere type = 'U' and name not like 'sys%' and name not like 'dt%' -- Selects all Objects in the DB that are user tablesopen addpermis_cursordeclare @name varchar(40), @numofrows varchar(4)select @numofrows = 0fetch next from addpermis_cursor into @name -- Opens 1st variable into the @Name var from the cursordeclare @CMD varchar(255), -- String used to hold the SQL Query and Command Line @cmdstatus int -- Variable for XP_Cmdshell return status (-1 = fail or 0 = success)while @@fetch_status = 0 begin select @CMD = 'grant execute on ' + @name + ' to db_data_insertupdate' -- SQL Grant statement to grant permissions select @CMD = 'isql -E -S<SERVERNAME> -d<DATABASE> -Q"' + @CMD + '"' -- SQL O/S Command line. -E Trusted Authentication | -S = Server | -d = DB Name | -Q = Query to run exec @CMDstatus = master..xp_cmdshell @CMD, no_output fetch next from addpermis_cursor into @name select @numofrows = @numofrows + 1 endif @CMDstatus = 0 print 'Addpermis_cursor has granted ' + @numofrows + ' objects!'CLOSE addpermis_cursorDEALLOCATE addpermis_cursor DanielSQL Server DBA |
|
|
|
SQLServerDBA_Dan
Aged Yak Warrior
752 Posts |
Posted - 2004-05-14 : 13:43:25
|
quote:
Originally posted by tduggan
You can use my stored proc: code, code, blah, blah.. Just change the role name and tweak the object names if you don't have a strict naming convention like we do. Modifying the select in the cursor declaration will allow you to get the objects that you care about.Tara
Hey nice proc. If I wasnt set in my ways of using the simple query I might've looked into using it.DanielSQL Server DBA |
|
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2004-05-14 : 13:47:12
|
| I had to put it into a loop (I haven't changed it to a WHILE statement yet) so that I could schedule it on the dev server. Developers forget to add permissions when they create their objects, so I decided to just schedule a job to do it for them. It was much easier in my case. Other people use templates for the creation of their objects. If I could get them to use it, I wouldn't need to do this.Tara |
|
|
|
SQLServerDBA_Dan
Aged Yak Warrior
752 Posts |
Posted - 2004-05-14 : 13:56:02
|
quote:
Originally posted by tduggan
I had to put it into a loop (I haven't changed it to a WHILE statement yet) so that I could schedule it on the dev server. Developers forget to add permissions when they create their objects, so I decided to just schedule a job to do it for them. It was much easier in my case. Other people use templates for the creation of their objects. If I could get them to use it, I wouldn't need to do this.Tara
Personally I enjoy my simple query. It gets the job done with precision. I dont have to worry about the cursor accidentally granting something it shouldnt have.DanielSQL Server DBA |
|
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2004-05-14 : 14:00:46
|
| So you grant INSERT/UPDATE/DELETE on tables? Does that mean you don't use stored procedures or your stored procedures use dynamic sql? Just curious of course.Tara |
|
|
|
SQLServerDBA_Dan
Aged Yak Warrior
752 Posts |
Posted - 2004-05-14 : 14:19:08
|
quote:
Originally posted by tduggan
So you grant INSERT/UPDATE/DELETE on tables? Does that mean you don't use stored procedures or your stored procedures use dynamic sql? Just curious of course.Tara
No no no no... I was just showing the options to put into that variable.SET @GRANTWHAT = 'SELECT, INSERT, UPDATE, DELETE'SET @GRANTWHAT = 'SELECT'SET @GRANTWHAT = 'SELECT, INSERT'SET @GRANTWHAT = 'SELECT, INSERT, UPDATE'All kinds of combo's to use.If you write an SP with the select statement or dml then you dont need any permissions at all on the base table. So I would just grant EXECUTE to the proper roles when I write the SP. And that does bring up a good point to point out: You should try not to grant permissions to the base tables or views. You should grant them on the SP's; however, the problem is that if you have a table in a separate database then the implicit permissions wont carry over to the other DB.Hope that makes sence.DanielSQL Server DBA |
|
|
|
jharwood
Starting Member
41 Posts |
Posted - 2004-05-14 : 14:23:55
|
| Wouldn't EXECUTE sp_MSforeachtable 'GRANT SELECT ON ? TO user' work as well? |
|
|
|
|
Granting a few permissions on all objects