问题
I am not so into SQL Server and I have the following doubt: I have to require the creation of an user that can work on some databases. This user have to create\delete table, insert\delete records in these tables.
What type of permission have to be set for this user on these databases? Is dbowner ok to perform these operations? (in particular is very important that this user can create\delete tables) or am I missing something?
回答1:
Just to understand first the benefits of using roles :
- Roles are a part of the tiered security model:
- Login security—Connecting to the server
- Database security—Getting access to the database
- Database objects—Getting access to individual database objects and data**
Predefined database roles You may need to create your own, but you have access to several predefined database roles:
- db_owner: Members have full access.
- db_accessadmin: Members can manage Windows groups and SQL Server logins.
- db_datareader: Members can read all data.
- db_datawriter: Members can add, delete, or modify data in the tables.
- db_ddladmin: allows a user to create, drop, or modify any objects within a database, regardless of who owns.
- db_securityadmin: Members can modify role membership and manage permissions.
- db_bckupoperator: Members can back up the database.
- db_denydatareader: Members can’t view data within the database.
- db_denydatawriter: Members can’t change or delete data in tables or views.
Fixed roles : The fixed server roles are applied serverwide, and there are several predefined server roles:
- SysAdmin: Any member can perform any action on the server.
- ServerAdmin: Any member can set configuration options on the server.
- SetupAdmin: Any member can manage linked servers and SQL Server startup options and tasks.
- Security Admin: Any member can manage server security.
- ProcessAdmin: Any member can kill processes running on SQL Server.
- DbCreator: Any member can create, alter, drop, and restore databases.
- DiskAdmin: Any member can manage SQL Server disk files.
- BulkAdmin: Any member can run the bulk insert command.
回答2:
From the SQL Documentation:
Members of the db_owner fixed database role can perform all configuration and maintenance activities on the database, and can also drop the database in SQL Server.
Are you certain that is the right that you want to grant this user? It seems like a more restricted set of permissions would be more suitable for them.
For example, the roles db_ddladmin, db_datareader, and db_datawriter could be more suitable:
db_ddladmin:
Members of the db_ddladmin fixed database role can run any Data Definition Language (DDL) command in a database.
db_datareader:
Members of the db_datareader fixed database role can read all data from all user tables.
db_datawriter:
Members of the db_datawriter fixed database role can add, delete, or change data in all user tables.
Alternatively, you can grant specific privileges to the user account against that database and it's user objects in order to restrict their access to the functionality subset you want.
来源:https://stackoverflow.com/questions/58976190/what-privileges-are-needed-to-create-delete-tables-on-a-microsoft-sql-server-is