Grant a user the select permission on a view that references external objects
Hi all,
SQL Server 2012 Enterprise Edition SP2.
I've a database (let's say SRC_DB) that contains a series of views, some of these views refercenses tables or other views in other databases (let's say EXT_DB). I'm searching the best way to grant a user permission to SELECT from that view without granting
permission to every single obejct in external databases referenced by the view.
There is a dmv that tells you all the referenced views and tables. you can use that to get the list of all the tables,views being referenced in the cross database and them scrip the to grant only on those views\tables.
the link is here: https://msdn.microsoft.com/en-us/library/bb677315.aspx
example from the link that woulf work for your suitation:
CREATE DATABASE db1;
GO
USE db1;
GO
CREATE PROCEDURE p1 AS SELECT * FROM db2.s1.t1;
GO
CREATE PROCEDURE p2 AS
UPDATE db3..t3
SET c1 = c1 + 1;
GO
SELECT OBJECT_NAME (referencing_id),referenced_database_name,
referenced_schema_name, referenced_entity_name
FROM sys.sql_expression_dependencies
WHERE referenced_database_name IS NOT NULL;
GO
USE master;
GO
DROP DATABASE db1;
GO
Hope it Helps!!
Similar Messages
-
Error while selecting from view that references external table
Can someone explain why the error near the bottom of the code below is occuring? If USER1 grants SELECT on the external table to USER2, then USER2 can select from the view without any problems; however, I want to avoid giving USER2 access to all of the columns in the external table. (I only want to give USER2 access to two of the four columns.)
SQL> CONNECT sys AS SYSDBA
Connected as SYS@ as sysdba
SQL> CREATE USER user1 IDENTIFIED BY user1
User created.
SQL> CREATE USER user2 IDENTIFIED BY user2
User created.
SQL> GRANT CONNECT, CREATE TABLE, CREATE VIEW TO user1
Grant complete.
SQL> GRANT CONNECT TO user2
Grant complete.
SQL> GRANT READ, WRITE ON DIRECTORY EXT_DATA_DIR TO user1, user2
Grant complete.
SQL> CONNECT user1/user1
Connected as USER1@
SQL> CREATE TABLE emp_xt
emp_id NUMBER,
first_name VARCHAR2(30),
last_name VARCHAR2(30),
phone VARCHAR2(15)
ORGANIZATION EXTERNAL
TYPE ORACLE_LOADER
DEFAULT DIRECTORY EXT_DATA_DIR
ACCESS PARAMETERS
RECORDS DELIMITED BY NEWLINE
FIELDS TERMINATED BY ','
OPTIONALLY ENCLOSED BY '"'
LOCATION ('emp.txt')
REJECT LIMIT 0
Table created.
SQL> SELECT COUNT(1) FROM emp_xt
COUNT(1)
4
1 row selected.
SQL> CREATE OR REPLACE VIEW emp_xt_view AS SELECT first_name, last_name FROM emp_xt;
View created.
SQL> SELECT COUNT(1) FROM emp_xt_view
COUNT(1)
4
1 row selected.
SQL> GRANT SELECT ON emp_xt_view TO user2
Grant complete.
SQL> CONNECT user2/user2
Connected as USER2@
SQL> SELECT COUNT(1) from user1.emp_xt_view
SELECT COUNT(1) from user1.emp_xt_view
Error at line 0
ORA-29913: error in executing ODCIEXTTABLEOPEN callout
ORA-29400: data cartridge error
ORA-04043: object "USER1"."EMP_XT" does not exist
SQL> CONNECT user1/user1
Connected as USER1@
SQL> GRANT SELECT ON user1.emp_xt TO user2
Grant complete.
SQL> CONNECT user2/user2
Connected as USER2@
SQL> SELECT COUNT(1) from user1.emp_xt_view
COUNT(1)
4
1 row selected.
{code}user503699 wrote:
user1983440 wrote:
Can someone explain why the error near the bottom of the code below is occuring? If USER1 grants SELECT on the external table to USER2, then USER2 can select from the view without any problems; however, I want to avoid giving USER2 access to all of the columns in the external table. (I only want to give USER2 access to two of the four columns.)As you have demonstrated, I guess the view approach only works for database tables. External tables are actually files on the file system. Even through OS, it is not possible to grant READ/WRITE access to only part of the file. The access is for entire file. An "External Table" is just a "wrapper" provided by oracle (using data cartridge) to allow user to be able to access the file as a "table". So it can definitely not do something that underlying OS can not do.
p.s. In fact, oracle does not even allow to edit data in external tables using SQL.Why not just make a second external table (only including the 2 columns you need) and grant select directly on that to the user. I know you say "views only" but there's an exception to every rule ... just because it's called a table doesn't make it so. You could argue an external table is nothing more than a fancy view.
Worst case, make a view on top of the second external table.
CREATE TABLE emp_xt_less_information
first_name VARCHAR2(30),
last_name VARCHAR2(30)
ORGANIZATION EXTERNAL
TYPE ORACLE_LOADER
DEFAULT DIRECTORY EXT_DATA_DIR
ACCESS PARAMETERS
RECORDS DELIMITED BY NEWLINE
FIELDS TERMINATED BY ','
OPTIONALLY ENCLOSED BY '"'
emp_id number,
first_name char,
last_name char,
phone char
LOCATION ('emp.txt')
REJECT LIMIT 0
{code}
Should do it, but my syntax may be off a touch .... -
I have created a user and given him the owner rights for the database. Though I can LogIn as the user, I cannot access the databases. I am having the error mesage:
Failed to retrieve data for this request. (Microsoft.SqlServer.Management.Sdk.Sfc)
For help, click:
http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&LinkId=20476
ADDITIONAL INFORMATION:
An exception occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)
The SELECT permission was denied on the object 'extended_properties', database 'mssqlsystemresource', schema 'sys'. (Microsoft SQL Server, Error: 229)
For help, click:
http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=10.50.1600&EvtSrc=MSSQLServer&EvtID=229&LinkId=20476
Sha_woopSince there are so many possibilities for what might be wrong. Here's another possibility to look at. I ran into something where I had set up my own roles on a database. (For instance, "Administrator", "Manager", "DataEntry", "Customer",
each with their own kinds of limitations) The only ones who could use it were "Manager" role or above--because they were also set up as sysadmin because they were adding users to the database (and they were highly trusted). Also, the users that
were being added were Windows Domain users--using their domain credentials. (Everyone with access to the database had to be on our domain, but not everyone on the domain had access to the database--and only a few of them had access to change it.)
Anyway, this working system suddenly stopped working and I was getting error messages similar to the above. What I ended up doing that solved it was to go through all the permissions for the "public" role in that database and add those permissions to
all of the roles that I had created. I know that everyone is supposed to be in the "public" role even though you can't add them (or rather, you can "add" them, but they won't "stay added").
So, in "SQL Server Management Studio", I went into my application's database, in other words (my localized names are obscured within <> brackets): "<Computername> (SQL Server <version> - sa)"\Databases\<MyAppDB>\Security\Roles\Database
Roles\public". Right-click on "public" and select "Properties". In the "Database Role Properties - public" dialog, select the "Securables" page. Go through the list and for each element in the list, come up with an SQL "Grant" statement to
grant exactly that permission to another role. So, for instance, there is a scalar function "[dbo].[fn_diagramobjects]" on which the "public" role has "Execute" privilege. So, I added the following line:
EXEC ( 'GRANT EXECUTE ON [dbo].[fn_diagramobjects] TO [' + @RoleName + '];' )
Once I had done this for all the elements in the "Securables" list, I wrapped that up in a while loop on a cursor selecting through all the roles in my roles table. This explicitly granted all the permissions of the "public" role to my database roles.
At that point, all my users were working again (even after I removed their "sysadmin" access--done as a temporary measure while I figured out what happened.)
I'm sure there's a better (more elegant) way to do this by doing some kind of a query on the database objects and selecting on the public role, but after about half and hour of investigating, I wasn't figuring it out, so I just did it the brute-force method.
In case it helps someone else, here's my code.
CREATE PROCEDURE [dbo].[GrantAccess]
AS
DECLARE @AppRoleName AS sysname
DECLARE AppRoleCursor CURSOR LOCAL SCROLL_LOCKS FOR
SELECT AppRoleName FROM [dbo].[RoleList];
OPEN AppRoleCursor
FETCH NEXT FROM AppRoleCursor INTO @AppRoleName
WHILE @@FETCH_STATUS = 0
BEGIN
EXEC ( 'GRANT EXECUTE ON [dbo].[fn_diagramobjects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_alterdiagram] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_creatediagram] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_dropdiagram] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_helpdiagramdefinition] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_helpdiagrams] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_renamediagram] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_objects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_sql_modules] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_views] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[allocation_units] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assemblies] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assembly_files] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assembly_modules] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assembly_references] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assembly_types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[asymmetric_keys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[certificates] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[change_tracking_tables] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[check_constraints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[column_type_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[column_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[computed_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[conversation_endpoints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[conversation_groups] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[conversation_priorities] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[crypt_properties] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[data_spaces] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_audit_specification_details] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_audit_specifications] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_files] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_permissions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_principal_aliases] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_principals] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_role_members] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[default_constraints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[destination_data_spaces] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[event_notifications] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[events] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[extended_procedures] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[extended_properties] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[filegroups] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[foreign_key_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[foreign_keys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_catalogs] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_catalog_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_fragments] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_indexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_stoplists] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_stopwords] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[function_order_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[identity_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[index_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[indexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[internal_tables] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[key_constraints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[key_encryptions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[message_type_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[module_assembly_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[numbered_procedure_parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[numbered_procedures] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[objects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[parameter_type_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[parameter_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partition_functions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partition_parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partition_range_values] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partition_schemes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partitions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[plan_guides] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[procedures] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[remote_service_bindings] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[routes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[schemas] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_contract_message_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_contract_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_contracts] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_message_types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_queue_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_queues] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[services] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[spatial_index_tessellations] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[spatial_indexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sql_dependencies] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sql_modules] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[stats] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[stats_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[symmetric_keys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[synonyms] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[syscolumns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[syscomments] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysconstraints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysdepends] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysfilegroups] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysfiles] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysforeignkeys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysfulltextcatalogs] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysindexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysindexkeys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysmembers] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysobjects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[syspermissions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysprotects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysreferences] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_objects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_sql_modules] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_views] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[systypes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysusers] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[table_types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[tables] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[transmission_queue] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[trigger_events] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[triggers] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[type_assembly_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[views] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_indexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_attributes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_collections] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_component_placements] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_components] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_elements] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_facets] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_model_groups] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_namespaces] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_wildcard_namespaces] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_wildcards] TO [' + @AppRoleName + '];' )
FETCH NEXT FROM AppRoleCursor INTO @AppRoleName
END
CLOSE AppRoleCursor
RETURN 0
GO
Once that is in the system, I just needed to "Exec GrantAccess" to make it work. (Of course, I have a table [RoleList] which contains a "AppRoleName" field that contains the names of the database roles.)
So, the mystery remains: why did all my users lose their "public" role and why could I not give it back to them? Was this part of an update to SQL Server 2008 R2? Was it because I ran another script to delete each user and add them back so to refresh
their connection with the domain? Well, this solves the issue for now.
One last warning: you probably should check the "public" role on your system before running this to make sure there isn't something missing or wrong, here. It's always possible something is different about your system.
Hope this helps someone else. -
Why The SELECT permission was denied on the object 'Facts', database
What this error means?
I have configured Data Source to use a specific Windows user name and password. The SQL database have the windows user account with db_owner rights.
Error 11 OLE DB error: OLE DB or ODBC error: The SELECT permission was denied on the object 'Facts', database 'Customer_2011_CBA', schema 'dbo'.; 42000.
Error 12 Errors in the OLAP storage engine: An error occurred while processing the 'Facts' partition of the 'Facts' measure group for the 'Customer 2011 CBA Cube' cube from the Customer Analysis Services 1 database.
Kenny_II'm beginning point:
Error 11 OLE DB error: OLE DB or ODBC error: The SELECT permission was denied on the object 'Facts', database 'Customer_2011_CBA', schema 'dbo'.; 42000.
Error 12 Errors in the OLAP storage engine: An error occurred while processing the 'Facts' partition of the 'Facts' measure group for the 'Customer 2011 CBA Cube' cube from the Customer Analysis Services 1 database.
The Windows account do have right in the SQL Server->Object Explorer->Databases->'Customer_2011_CBA'->Security->The user->Properties->All server roles
Kenny_I
can you try your SQL account?
If you think my suggestion is useful, please rate it as helpful.
If it has helped you to resolve the problem, please Mark it as Answer.
Sevengiants.com -
Can we write the select statement on maintence view for data retreval
Can we use the select statement on maintence view
Regrads
DivaNo. U cannot write a select on maintenance view.
-
I am tring to installe OS X Mavericks. When I get to the select disk page it says that the HD is uesd as time machine drive. How can I remove time machine backup from my Mac.
Open up your Finder and click on Go on the top menu bar. Select Computer and then double click Macintosh HD. In here delete the backup folder. Might be called backups.backupdb.
-
Grant a user the permission to view only specified objects
Hi all,
I want a such user to connect to my SQL Server 2008R2 instance but I wish that:
1) it can't view all database listed, I want that it can see only the database it has the permission
2) it can see only some object in the list for example I want that it can see a such view and or a such table
is it possible?The only way to "hide" databases is to deny VIEW ANY DATABASE permissions. But now you don't see *any* databases, unless you in fact own a database - then you will see that database. Not really useful, but that is all we got.
As for objects (tables etc), you can play with GRANT and DENY VIEW DEFINITION permissions on the object in question.
Tibor Karaszi, SQL Server MVP |
web | blog -
Changing the background color of the row of the selected cell in table view
How can I change the background color of the table row when user clicks on table cell in table view?
Edited by: a_brar on May 5, 2012 11:12 PMYou could apply the following css style (by defining a custom stylsheet with the following lines and loading it into your app).
The last color sets the background color of the selected row while the table-view has focus (in this case to orange).
.table-view:focused .table-row-cell:filled:focused:selected {
-fx-background-color: -fx-focus-color, -fx-cell-focus-inner-border, orange;
}There are quite a lot of subtleties in the css styling for the tableview (e.g. different colors for the selected row when the control has focus vs when it doesn't or when the user hovers over a selected row in an unfocussed tableview), which you may want to cater for when chaning the background color of the selected row in a table view. There is also alternate styling for when the tableview is in row selection vs cell selection mode. So you may want to look at customizing further based on the css styles in caspian.css in sdk/rt/lib/jfxrt.jar if you can understand the complex css there. -
Apply XSLT while importing the xml to the selected node in structure view
Hi All,
I would like to apply XSLT while importing the xml file to the selected node in the structure view.
How to go about it?
Thanks
SakthiHi All,
Got the solution,
UIDRef documentUIDRef = ::GetUIDRef(activeContext->GetContextDocument());
InterfacePtr<IDocument> document(documentUIDRef, UseDefaultIID());
InterfacePtr<IXMLImportOptionsPool> prefsPool( document->GetDocWorkSpace(), UseDefaultIID() );
InterfacePtr<IK2ServiceRegistry> serviceRegistry(gSession, UseDefaultIID());
InterfacePtr<IK2ServiceProvider> serviceProvider(serviceRegistry->QueryServiceProviderByClassID(kXMLImportMatchMakerSignal Service, kXMLThrowAwayUnmatchedRightMatchMakerServiceBoss));
InterfacePtr<IXMLImportPreferences> prefs(serviceProvider, IID_IXMLIMPORTPREFERENCES);
XMLImportPreferencesInitializer initializer(prefs, prefsPool);
bool16 prefBool = prefs->GetNthPrefAsBool(0);
prefs->SetNthPref(0, kTrue);
The above code set the import option "Delete elements, frames, and content that do not match imported XML"
Thanks
Sakthi -
The SELECT permission was denied on the object 'syscategories', database 'msdb', schema 'dbo'.
Hi all,
I have a single select statement to monitor JOB status at database msdb, it works perfectly at versions 2000, 2005 and 2008 but in version 2012 got denied access to views syscategories, sysjobactivity, sysjobhistory, sysjobs and sysjobsteps even having applied
"grant select on" to user (principals) at database msdb.
Anyone have seen this and found an solution?
--- SQL Server Version
Microsoft SQL Server 2012 (SP1) - 11.0.3000.0 (X64)
Oct 19 2012 13:38:57
Copyright (c) Microsoft Corporation
Enterprise Edition: Core-based Licensing (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)
--- My Query
set nocount on
select x.job_name, x.job_status, x.monitor_status from (
select j.name job_name
, case
when datediff(minute,s.login_time,current_timestamp) >= 8
then 'In progress (more than 8h) '
when datediff(minute,s.login_time,current_timestamp) >= 24
then 'In progress (more than 24h) '
else 'In progress'
end job_status
, case
when datediff(minute,s.login_time,current_timestamp) >= 8
then 8 -- 'In progress (more than 8h) '
when datediff(minute,s.login_time,current_timestamp) >= 24
then 9 -- 'In progress (more than 24h) '
else 7 -- 'In progress'
end monitor_status
from sys.dm_exec_sessions s
join msdb.dbo.sysjobs j
on master.dbo.fn_varbintohexstr(convert(varbinary(16), j.job_id))COLLATE Latin1_General_CI_AI
= substring(replace(s.program_name, 'SQLAgent - TSQL JobStep (Job ', ''), 1, 34)
inner join msdb.dbo.syscategories c
on c.category_id = j.category_id
where s.program_name like '%SQLAGENT - TSQL JOBSTEP%'
and c.name like 'REPL-%'
union all
select j.name
, case
when datediff(minute,current_timestamp,ja.next_scheduled_run_date) <= -10
then 'Delayed'
else
case jh.run_status
when 0 then
case when lower(left(j.name,8)) = 'uoldiveo'
then 'Failed (admin)'
else 'Failed'
end
when 1 then 'Succeeded'
when 2 then 'Retry'
when 3 then
case when lower(left(j.name,8)) = 'uoldiveo'
then 'Cancelled (admin)'
else 'Cancelled'
end
when 4 then 'In progress'
end
end
, case
when datediff(minute,current_timestamp,ja.next_scheduled_run_date) <= -10
then 0 -- Delayed
else
case jh.run_status
when 0 then
case when lower(left(j.name,8)) = 'uoldiveo'
then 1 -- 'Failed (admin)'
else 2 -- 'Failed'
end
when 1 then 3 -- 'Succeeded'
when 2 then 4 -- 'Retry'
when 3 then
case when lower(left(j.name,8)) = 'uoldiveo'
then 5 -- 'Cancelled (admin)'
else 6 -- 'Cancelled'
end
when 4 then 7 -- 'In progress'
end
end
from (msdb.dbo.sysjobactivity ja left join msdb.dbo.sysjobhistory jh on ja.job_history_id = jh.instance_id)
join msdb.dbo.sysjobs j on ja.job_id = j.job_id
where ja.session_id=(select max(session_id) from msdb.dbo.sysjobactivity where job_id = ja.job_id)
and j.enabled = 1
and jh.run_status <= 3
) xI was able to run the below without problems on SQL 2012:
USE master
CREATE LOGIN ove WITH PASSWORD = 'ÖLKJLKJ?="#'
GRANT VIEW SERVER STATE TO ove
go
USE msdb
go
CREATE USER ove
GRANT SELECT ON syscategories TO ove
GRANT SELECT ON sysjobactivity TO ove
GRANT SELECT ON sysjobhistory TO ove
GRANT SELECT ON sysjobs TO ove
GRANT SELECT ON sysjobsteps TO ove
go
EXECUTE AS LOGIN = 'ove'
-- your query here
REVERT
go
DROP USER ove
go
USE tempdb
go
DROP LOGIN ove
Have you checked that there is no active DENY in force?
Rather than granting these permissions, you could package this in a stored procedure that you signed with a certificate and then grant a login and user create from the certificate the required permissions. I discuss this technique in detail in an article
on my web site:
http://www.sommarskog.se/grantperm.html
(But certs will not help you against DENY.)
Erland Sommarskog, SQL Server MVP, [email protected] -
Highlighting in Design View the selected code in Code View
I'm a complete newbie to DW so forgive the probable obvious question. I've loaded up a complete site template that was created outside of Dreamweaver in order to modify it for use elsewhere.
I want to be able to select chunks of code in the code view, mainly <DIV>'s and have them highlighted in the design view, just imagine the "Inspect" functionality, but in reverse.
Is this something that's already possible that I just haven't found?
Thanks In Advance
AndrewA couple of options to consider:
Turn off your CSS. View > Style Rendering > un-tick display styles.
You'll see an unstyled page you can work with.
Read about Design Time Style Sheets (F1 help). DT style sheets are simplified css files that you can use while you edit your site.
DT style sheets have no effect when you preview in browsers.
Nancy O.
Alt-Web Design & Publishing
Web | Graphics | Print | Media Specialists
http://alt-web.com/
http://twitter.com/altweb
http://alt-web.blogspot.com/ -
What is the best way to handle collections that contains different object
Hi
Suppose i have two class as below
class Parent {
private String name;
class Child extends Parent {
private int childAge;
}I have a list that can contains both Child and Parent Object but in my jsp i want to display a childAge attribute ( preferrably not to use scriplet )
what is the best way to achieve this?Having a collection containing different object types is already a bad start.
How are parent and child related to each other? Shouldn't Child be a property of Parent?
E.g.public class Parent {
private Child child;
}In any way, you could in theory just check Object#getClass()#getName(), but this is a nasty design. -
User mapping error: NO systems available for the selected principal
I have a problem related to User mapping. After creating system alias, I mapped my j2ee_admin user successfully. Then I created 15 more users and when I click usermapping for all of them, it is not displaying the system alias. It is giving error "There are no systems available for user mapping for the selected principal"
I cannot understand that when I click connection test, it is successful. The user mapping for j2ee_admin user is working. But when I try to do the same for other users, it is not displaying the system alias and giving me the above error.
Can anybody guide me through the error. I have given "Everyone" role to all the 15 users. Any kind of help will be appreciated and points will be rewarded.Hello Abdul,
This is a permission problem. Open the permission editor of the system and assign any role/group in the permission editor and select the checkbox corresponding to end-user.
Now assign this role/group to all the users.
It will solve ur problem.
Regards
Deb
[Reward Points for helpful answers] -
Select permission mssqlsystemresource
Hi
I have created a database named "xyz" and created a user in logins and in the database named "user1". i have made the user1 as db_owner to the data.
when i am installing the application i give the username user1 and password, but the application installation fails wih the following error.
The SELECT permission was denied on the object 'TABLES', database 'mssqlsystemresource', schema 'INFORMATION_SCHEMA'.
can any one please help to solve this issue.Azmathulla,
Perhaps a modification of this might help.
Since there are so many possibilities for what might be wrong. Here's another possibility to look at. I ran into something where I had set up my own roles on a database. (For instance, "Administrator", "Manager", "DataEntry", "Customer",
each with their own kinds of limitations) The only ones who could use it were "Manager" role or above--because they were also set up as sysadmin because they were adding users to the database (and they were highly trusted). Also, the users that
were being added were Windows Domain users--using their domain credentials. (Everyone with access to the database had to be on our domain, but not everyone on the domain had access to the database--and only a few of them had access to change it.)
Anyway, this working system suddenly stopped working and I was getting error messages similar to the above. What I ended up doing that solved it was to go through all the permissions for the "public" role in that database and add those permissions to
all of the roles that I had created. I know that everyone is supposed to be in the "public" role even though you can't add them (or rather, you can "add" them, but they won't "stay added").
So, in "SQL Server Management Studio", I went into my application's database, in other words (my localized names are obscured within <> brackets): "<Computername> (SQL Server <version> - sa)"\Databases\<MyAppDB>\Security\Roles\Database
Roles\public". Right-click on "public" and select "Properties". In the "Database Role Properties - public" dialog, select the "Securables" page. Go through the list and for each element in the list, come up with an SQL "Grant" statement to
grant exactly that permission to another role. So, for instance, there is a scalar function "[dbo].[fn_diagramobjects]" on which the "public" role has "Execute" privilege. So, I added the following line:
EXEC ( 'GRANT EXECUTE ON [dbo].[fn_diagramobjects] TO [' + @RoleName + '];' )
Once I had done this for all the elements in the "Securables" list, I wrapped that up in a while loop on a cursor selecting through all the roles in my roles table. This explicitly granted all the permissions of the "public" role to my database roles.
At that point, all my users were working again (even after I removed their "sysadmin" access--done as a temporary measure while I figured out what happened.)
I'm sure there's a better (more elegant) way to do this by doing some kind of a query on the database objects and selecting on the public role, but after about half and hour of investigating, I wasn't figuring it out, so I just did it the brute-force method.
In case it helps someone else, here's my code.
CREATE PROCEDURE [dbo].[GrantAccess]
AS
DECLARE @AppRoleName AS sysname
DECLARE AppRoleCursor CURSOR LOCAL SCROLL_LOCKS FOR
SELECT AppRoleName FROM [dbo].[RoleList];
OPEN AppRoleCursor
FETCH NEXT FROM AppRoleCursor INTO @AppRoleName
WHILE @@FETCH_STATUS = 0
BEGIN
EXEC ( 'GRANT EXECUTE ON [dbo].[fn_diagramobjects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_alterdiagram] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_creatediagram] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_dropdiagram] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_helpdiagramdefinition] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_helpdiagrams] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_renamediagram] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_objects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_sql_modules] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_views] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[allocation_units] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assemblies] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assembly_files] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assembly_modules] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assembly_references] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assembly_types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[asymmetric_keys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[certificates] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[change_tracking_tables] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[check_constraints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[column_type_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[column_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[computed_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[conversation_endpoints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[conversation_groups] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[conversation_priorities] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[crypt_properties] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[data_spaces] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_audit_specification_details] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_audit_specifications] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_files] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_permissions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_principal_aliases] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_principals] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_role_members] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[default_constraints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[destination_data_spaces] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[event_notifications] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[events] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[extended_procedures] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[extended_properties] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[filegroups] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[foreign_key_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[foreign_keys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_catalogs] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_catalog_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_fragments] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_indexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_stoplists] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_stopwords] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[function_order_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[identity_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[index_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[indexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[internal_tables] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[key_constraints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[key_encryptions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[message_type_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[module_assembly_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[numbered_procedure_parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[numbered_procedures] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[objects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[parameter_type_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[parameter_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partition_functions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partition_parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partition_range_values] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partition_schemes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partitions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[plan_guides] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[procedures] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[remote_service_bindings] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[routes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[schemas] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_contract_message_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_contract_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_contracts] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_message_types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_queue_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_queues] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[services] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[spatial_index_tessellations] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[spatial_indexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sql_dependencies] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sql_modules] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[stats] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[stats_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[symmetric_keys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[synonyms] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[syscolumns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[syscomments] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysconstraints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysdepends] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysfilegroups] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysfiles] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysforeignkeys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysfulltextcatalogs] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysindexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysindexkeys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysmembers] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysobjects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[syspermissions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysprotects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysreferences] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_objects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_sql_modules] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_views] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[systypes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysusers] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[table_types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[tables] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[transmission_queue] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[trigger_events] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[triggers] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[type_assembly_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[views] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_indexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_attributes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_collections] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_component_placements] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_components] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_elements] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_facets] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_model_groups] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_namespaces] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_wildcard_namespaces] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_wildcards] TO [' + @AppRoleName + '];' )
FETCH NEXT FROM AppRoleCursor INTO @AppRoleName
END
CLOSE AppRoleCursor
RETURN 0
GO
Once that is in the system, I just needed to "Exec GrantAccess" to make it work. (Of course, I have a table [RoleList] which contains a "AppRoleName" field that contains the names of the database roles.)
So, the mystery remains: why did all my users lose their "public" role and why could I not give it back to them? Was this part of an update to SQL Server 2008 R2? Was it because I ran another script to delete each user and add them back so to refresh
their connection with the domain? Well, this solves the issue for now.
One last warning: you probably should check the "public" role on your system before running this to make sure there isn't something missing or wrong, here. It's always possible something is different about your system.
Hope this helps someone else. -
SELECT permission denied with ownership chaining on
I have a database ('Datamart') that contains views on the tables another database ('Rawdb') on the same server. All tables and views are in 'dbo' in each database. I turned cross-database ownership chaining on. I created the roles RawdbReadRole
to set up the select permissions in the tables and DatamartReadRole for the views. I my users logins on each database, and made them members of the DatamartReadRole.
The permissions are working on my PROD server, but have stopped working in TEST: I get "SELECT permission was denied on the object 'tbl1', database 'Rawdb', schema 'dbo' when I test the views using EXECUTE AS LOGIN = N'domain\loginname' (for a
user that is still okay in PROD). I have spent days comparing the security settings by eye and cannot see any differences. I even dropped the TEST databases and rebuilt the security principals and permissions. I cannot see a link (in PROD)
between RawdbReadaRole and DatamartReadRole and I don't remember if there is supposed to be a dependence there.
I don't know what else I can do now besides changing careers. Are there some system views/queries that would help to identify ownership chain breaks or compare the security settings between the two servers?
- Desperate AlHi,
I got the same error message if I disable the cross-database ownership chaining.
“The SELECT permission was denied on the object 'tablename', database 'dbname', schema 'dbo'.”
Make sure that cross-database ownership chaining was enabled on database ('Datamart') and
database ('Datamart') in your test environment.
The following sample turns on cross-database ownership chaining for specific databases:
ALTER DATABASE Database1 SET DB_CHAINING ON;
ALTER DATABASE Database2 SET DB_CHAINING ON;
Hope it helps.
Tracy Cai
TechNet Community Support
Thanks, Tracy,
I knew about that one, but I re-ran that part of the script just to be safe. (It wasn't the problem in this case.)
Maybe you are looking for
-
How to transfer music from 1 itunes library to another
hello, i need help both my dada and i have 30gb ipod videos. He has some music on his ipod that i want to put on mine. how do i do that. My teacher says to create a new playlist, and then drag the files into my library. tahnks
-
Hi folks, I am looking for a report that will provide Vendor price history for a material. Is there any standard SAP report or any table that gives this information? Sincerely, Sanjay
-
Hi all, Please tell me what is the major difference between BI and BO? or What is the major functionality of BO? I know that BO has been integrated with BI, how much it is helpful for a BI consltant? Do BO should have a seperate server or can we inst
-
In my Windows email application, I have the capability of putting multiple email recipients on the Bcc line. When they receive the email from me, it does not list others who received the same email from me. In Mac's mail, I only have a To: and Cc: li
-
H:selectManyCheckbox is failing
while migrating from JSF1.1 to 1.2 the component <h:selectManyCheckbox> is failing with the following error form:comp_id: An error occurred when processing your submitted information.any idea what it could be ?