April 2, 2004 at 2:59 pm
Hello,
I'm trying to deny Insert, Update, and Delete permissions to our Production Database for our Developers.
We are in mixed mode and the Developers use NT Authentication. Using a test database I have changed the permissions for their User Name's to deny table level Insert, Update, and Delete, yet an Update will still work.
Can anyone suggest a solution?
Thanks,
Steve DiDomenico
Nashua, NH
April 2, 2004 at 3:09 pm
Deny should work. Have they disconnected and reconnected? Not that it should matter.
I'd make a role that has DENY access and add them instead of their individual permissions.
Follow me on Twitter: http://www.twitter.com/way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
April 7, 2004 at 12:01 pm
Thanks Steve, I'll give that a try.
April 15, 2004 at 4:05 pm
Yes, we have disconnected and connected and it still did not work. I created the role and added myself to the role. Then denied I, U, & D to a table. Then I did an Insert on that table and it worked. We are using NT Domain Accounts to access the DB. Would this matter? Could the Network guys have given access rights to our Accounts to over-ride the Deny? I thought Deny over-rides everything.
Thanks, Steve
April 16, 2004 at 8:20 am
How did you run Deny command?
Remember, Deny has to be run on individual objects. ALL won't work. I have tried that myself and just like you it didn't work for me.
To check- run this..
sp_helprotect null,'usertobedenied', null,o
You should see Deny permission on different objects ( which I believe you won't in your case)
So now.. You need to run this..
deny insert,update,delete on objectname to Username
And now run
sp_helprotect null,'usertobedenied', null,o
Now you will see denied permission.
Run test insert/update/delete..
Should work.
April 16, 2004 at 12:50 pm
Hi hirenk,
How did you run Deny command? I am using Roles from EM.
I cannot seem to get the Deny to work with an NT Domain Account "CompanyDom\UserName." I have also read Books On-line for Deny and I cannot figure it out.
Any ideas?
Thanks, Steve DiDomenico, Nashua, NH
April 16, 2004 at 2:55 pm
What do you get when you run
sp_helprotect null,'usertobedenied/Roletobedenied', null,o
April 16, 2004 at 3:22 pm
I can now get the DENY to work like this:
deny select,insert,update,delete on table to "Domain\Account"
sp_helprotect null,'Domain\Account', null,o returns information showing: ProtectType=deny for the object which is the table.
But, this does not DENY access, a select will run against this table for the Domain\Account.
I cannot get the following to execute with the Domain\Account and the Database Role as 'Domain\Account/DenyRole'
sp_helprotect null,'usertobedenied/Roletobedenied', null,o
Now I'm told taht the Domain\Accounts may have local Admin rights and therefore the DENY is bypassed. So I'm talking to the Network guys.
Thanks for the info, I learned some new stuff and it was helpful.
Viewing 8 posts - 1 through 7 (of 7 total)
You must be logged in to reply to this topic. Login to reply