SQL Server Central is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
Search:  
 
Home Articles Editorials Forums Scripts Blogs QotD SQL Jobs Training Authors About us Contact us Newsletters Advertise Write for us
 

Haidong Ji

Add to Technorati Favorites Add to Google
 

Interesting findings on schema owner permissions

By Haidong Ji in Haidong Ji | 03-23-2007 2:08 AM | Categories: Filed under:
Rating: (not yet rated) |  Discuss | 565 Reads | 127 Reads in Last 30 Days |no comments

I found out recently that a schema owner does not necessarily have right to create objects for its own schema, but can drop and grant permissions for its objects, which is kind of strange.

Try this:

1. Create 2 logins:

USE [master]
GO
CREATE LOGIN [Login1] WITH PASSWORD=N’xxx’, DEFAULT_DATABASE=[AdventureWorks], CHECK_EXPIRATION=ON, CHECK_POLICY=ON
CREATE LOGIN [Login2] WITH PASSWORD=N’xxx’, DEFAULT_DATABASE=[AdventureWorks], CHECK_EXPIRATION=ON, CHECK_POLICY=ON
GO
USE [AdventureWorks]
GO
CREATE USER [Login1] FOR LOGIN [Login1]
CREATE USER [Login2] FOR LOGIN [Login2]
GO

2. Grant create schema permissions to both Login1 and Login2.

use adventureworks
go
grant create schema to login1
grant create schema to login2
go

3. Connect to Sql Server as login1, do

create schema Login1Schema

4. With the same connection, do

create table Login1Schema.T1 (C1 int)

and it will fail. It is a little strange. Login1 is indeed the owner of the schema, yet it cannot create objects within the schema it owns.

5. Connect to Sql Server as sa, do

Use AdventureWorks
go

create table Login1Schema.TableCreatedBySa (C1 int)
go

grant create table to Login1
go

6. Connect to Sql server as Login1, do

create table Login1Schema.T1 (C1 int)
go

grant select on Login1Schema.T1 to Login2
grant select on Login1Schema.TableCreatedBySa to Login2
go

7. Connect to Sql server as Login2, do

select * from Login1Schema.T1
select * from Login1Schema.TableCreatedBySa
go

8. In the same session, do

create schema Login2Schema
go

9. Connect to Sql Server as sa, do

use AdventureWorks
go
create table Login2Schema.T1 (C1 int)
go

10. Connect to Sql Server as Login2, do

select * from Login2Schema.t1
go
drop table Login2Schema.T1
go
drop schema Login2Schema
go

So, what did our little test prove?

1. By default, a schema owner cannot create objects in its own schema;
2. By default, a schema owner can grant permissions to other users on objects it owns;
3. By default, a schema owner can drop objects it owns, even if it cannot create them in the first place;
4. By default, a schema owner can drop its own schema, provided it is empty.

To clean up, drop all those tables, users, schemas, and logins.

Comments
There are no comments on this post
Leave a Comment
Only members of SQLServerCentral may leave comments. Register now for your free account or Sign-In if you are already a member.
 
 
Copyright © 2002-2008 Simple Talk Publishing. All Rights Reserved. Privacy Policy. Terms of Use