x

Deny update on all tables for user

Is there a way to deny a right for all tables in a database without explicitly defining each table in the command? My problem is that I have a user who is assigned to the public role, and should only be able to read the tables. But if I look at the table permissions this user has update granted to him as well. I am able to deny update to the tables by typing them out using the command: DENY UPDATE ON TO

What I would like to have is something that would allow me to deny update on all tables, but I don't know if this is possible using the above approach, or if this is scriptable. Any suggestions are appreciated.

Kurt Kapferer

more ▼

asked Nov 03, 2009 at 05:27 PM in Default

user-463 gravatar image

user-463
11 1 1 1

BlackHawk's answer is good, but you may want to investigate why he has update granted. Most likely he is inheriting from one of the groups he is in (assuming this is a Windows login). In that case, you may wish to track it down and see if he really needs to be in that group.
Nov 03, 2009 at 07:37 PM TimothyAWiseman
(comments are locked)
10|1200 characters needed characters left

3 answers: sort voted first

You could add the user to the db_denydatawriter dB role.

more ▼

answered Nov 03, 2009 at 05:46 PM

Blackhawk-17 gravatar image

Blackhawk-17
11.9k 28 31 36

(comments are locked)
10|1200 characters needed characters left

Try a schema level permission.

If all the tables are in the dbo schema, then

DENY UPDATE on SCHEMA::dbo TO user

even if you have multiple schemas, it's surely a lot less than the number of tables?

more ▼

answered Nov 03, 2009 at 06:23 PM

Kev Riley gravatar image

Kev Riley ♦♦
52.8k 47 49 76

(comments are locked)
10|1200 characters needed characters left

I agree with the other guys, but - just to show that you should never have to type a load of stuff manually, here is some SQL that writes some SQL.

DECLARE @sql varchar(MAX) SET @sql = '' SELECT @sql = @sql + 'DENY UPDATE on OBJECT::[' + SCHEMA_NAME(schema_id) + '].[' + name + '] TO user GO ' from sys.objects where type = 'u' EXEC (@sql) 
more ▼

answered Nov 03, 2009 at 08:26 PM

Matt Whitfield gravatar image

Matt Whitfield ♦♦
29.4k 61 65 87

I think your select statement is missing its from clause and where clause. Probably something like:

from sys.objects where type = 'U'

That, or I am misunderstanding something.
Nov 04, 2009 at 02:58 PM TimothyAWiseman
Ha - I answered that one from my phone and completely forgot that bit... good spot! :)
Nov 04, 2009 at 05:05 PM Matt Whitfield ♦♦
(comments are locked)
10|1200 characters needed characters left
Your answer
toggle preview:

Up to 2 attachments (including images) can be used with a maximum of 524.3 kB each and 1.0 MB total.

New code box

There's a new way to format code on the site - the red speech bubble logo will automatically format T-SQL for you. The original code box is still there for XML, etc. More details here.

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

SQL Server Central

Need long-form SQL discussion? SQLserverCentral.com is the place.

Topics:

x129
x85

asked: Nov 03, 2009 at 05:27 PM

Seen: 3738 times

Last Updated: Nov 05, 2009 at 05:34 AM