|
Is there a way to deny a right for all tables in a database without explicitly defining each table in the command? My problem is that I have a user who is assigned to the public role, and should only be able to read the tables. But if I look at the table permissions this user has update granted to him as well. I am able to deny update to the tables by typing them out using the command: DENY UPDATE ON TO What I would like to have is something that would allow me to deny update on all tables, but I don't know if this is possible using the above approach, or if this is scriptable. Any suggestions are appreciated. Kurt Kapferer
(comments are locked)
|
|
You could add the user to the db_denydatawriter dB role.
(comments are locked)
|
|
Try a schema level permission. If all the tables are in the
even if you have multiple schemas, it's surely a lot less than the number of tables?
(comments are locked)
|
|
I agree with the other guys, but - just to show that you should never have to type a load of stuff manually, here is some SQL that writes some SQL. I think your select statement is missing its from clause and where clause. Probably something like: from sys.objects where type = 'U' That, or I am misunderstanding something.
Nov 04 '09 at 02:58 PM
TimothyAWiseman
Ha - I answered that one from my phone and completely forgot that bit... good spot! :)
Nov 04 '09 at 05:05 PM
Matt Whitfield ♦♦
(comments are locked)
|
BlackHawk's answer is good, but you may want to investigate why he has update granted. Most likely he is inheriting from one of the groups he is in (assuming this is a Windows login). In that case, you may wish to track it down and see if he really needs to be in that group.