In SQL Server MNGT Studio 2012, we have a database that we only want to grant a specific user read-only access.
So me (being an admin), login into the server.. for arguments sake, the database name is SQLSERVER01
Then once logged in I see Databases, Security, Server Objects, Replication, Management, and SQL Server Agent. I go into the Security tab and go to Logins. The user that we want to give read-only access to already has a login. So I double click on their login. I go to User Mapping. Find the database that I want to give them read-only access to. I click the checkbox next to the database name, and below I give the user db_datareader and public.
So, I call the user and they're able to see the tables within the database, but if they were to right-click on a table name, they can still see the option that says Edit Top 200 Rows, and click it and see the editing gui for that table. Now I didn't test out entering data to see if they could actually edit or add data, because it's too risky.
So my question is, did I give this user the right access? If so, how do I grey out the option to 'Edit Top 200 Rows'? If not, what do I need to do?
Any help is appreciated.
答案 0 :(得分:1)
SSMS does not query permissions to determine a user's capabilities or UI options. For example, you may not have DDL modification privileges, but it will let you attempt to script alter/create statements. You can't take away the edit rows option, but if they don't have the permission then the commit will fail when they try to move focus off the row they have edited.
If you want to see the effective permission you can use this function to view the resulting layers of grant/denies: https://docs.microsoft.com/en-us/sql/relational-databases/system-functions/sys-fn-my-permissions-transact-sql
Generally, make sure the user's login has minimal permissions, then use roles at the DB level that have been previously reviewed/tested.