Take a look at the fixed db roles in books online:
The roles grant select, insert and delete along with view database, nothing to do with DDL though.
You will need to take a look at maybe granting access on an object level, or maybe the DDL Admin fixed role, although that allows alot more than just constraints.
answered Apr 04, 2011 at 12:58 PM
No. If a user has such ability and you're thinking they only have db_datareader and db_datawriter, check to see if they are coming into the database with a Windows group. Also check to see if they have explicit permissions granted that permit them to create tables or alter the schema containing the tables. Use the sp_helprotect stored procedure in SQL Server 2000 or query the sys.database_permissions catalog view in SQL Server 2005/2008/2008R2.
answered Apr 04, 2011 at 06:17 PM
K. Brian Kelley
Like there are db_denydatareader and db_denydatawriter fixed roles which given to an individual user would override roles inherited from Windows Groups, I'd like to see a db_denyddladmin fixed role, to solve the scenario: "Allow everyone in the Windows group Statistic Creators except user A and user B to create new views, alter table A, table B and table C"
answered Apr 05, 2011 at 04:53 AM