locked
Seemingly simple question: Who is allowed to update? RRS feed

  • Question

  •  

    On the surface, this may seem like a trivial question: Who is allowed to update any database on a particular server?

     

    In other words, who has more than a read-only access into the server?

     

    The answer probably comes from a combination of sources, including Server Logins and their Roles, as well as Database Users and their roles?

     

    Is there a definitive way to answer this question with 100% accuracy?

     

    Ben Aminnia

    Monday, September 22, 2008 3:50 PM

Answers

  • Any login which is in the server role System Administrator will have access to the entire server and so can update any database.

     

    Other than that, a login will need to be a user in a database and belong to either the db_owner or db_datawriter database roles within that database.

     

    Another possibility would be that explict UPDATE permissions have been assigned to particular database objects for a particular user or the database public role (all users inherit these permissions). The issue can get clouded somewhat if explicit DENY permissions have been set anywhere as these always take precedence.


    HTH!

     

    Wednesday, September 24, 2008 8:49 AM

All replies

  • Any login which is in the server role System Administrator will have access to the entire server and so can update any database.

     

    Other than that, a login will need to be a user in a database and belong to either the db_owner or db_datawriter database roles within that database.

     

    Another possibility would be that explict UPDATE permissions have been assigned to particular database objects for a particular user or the database public role (all users inherit these permissions). The issue can get clouded somewhat if explicit DENY permissions have been set anywhere as these always take precedence.


    HTH!

     

    Wednesday, September 24, 2008 8:49 AM
  • Thanks.  You're right, the explicit DENY permissions would complicate this.

     

    Ben

    Wednesday, September 24, 2008 11:24 AM