Schema Separation Permissions not stopping developers from Creating Schemas

  • Question

  • Hi,

    I was looking for some help on what is going wrong with my permissions. I have an AD group that has the permissions at the end of this. When a developer creates a nonhigh-level qualified stored procedure "PROCEDURE Usp_storedProcName", it ends up creating a schema under the developer's PIN that is in the AD Group, and putting that stored procedure in that schema. It also creates a new user in the database, although the user gets their permission from the AD group. As you can see, I've tried to do an explicit DENY; however, this does not appear to work. Any thoughts? Thanks for the time and effort.

    Mike

    Login            DatabasePermission      (No column name)  (No column name)  (No column name)
    Domain\AD_Group  DENY CREATE SCHEMA      DATABASE          NULL              DatabaseName
    Domain\AD_Group  GRANT CONNECT           DATABASE          NULL              DatabaseName
    Domain\AD_Group  GRANT CREATE FUNCTION   DATABASE          NULL              DatabaseName
    Domain\AD_Group  GRANT CREATE PROCEDURE  DATABASE          NULL              DatabaseName
    Domain\AD_Group  GRANT EXECUTE           DATABASE          NULL              DatabaseName
    Domain\AD_Group  GRANT VIEW DEFINITION   DATABASE          NULL              DatabaseName
    Domain\AD_Group  GRANT DELETE            SCHEMA            NULL              R/W Schema
    Domain\AD_Group  GRANT INSERT            SCHEMA            NULL              R/W Schema
    Domain\AD_Group  GRANT SELECT            SCHEMA            NULL              R/W Schema
    Domain\AD_Group  GRANT UPDATE            SCHEMA            NULL              R/W Schema
    Domain\AD_Group  GRANT SELECT            SCHEMA            sysrowsets        ReadOnlySchema
    Domain\AD_Group  GRANT ALTER             SCHEMA            NULL              ProgramObjSchema
    Domain\AD_Group  GRANT EXECUTE           SCHEMA            NULL              ProgramObjSchema
    Domain\AD_Group  GRANT SELECT            SCHEMA            NULL              ProgramObjSchema
    Monday, November 25, 2013 3:31 PM
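
The behaviour described in the post matches SQL Server's documented implicit user and schema creation: a Windows user who reaches the database only through a group, and creates an object without naming a schema, gets a user and a schema named after their login. The T-SQL below is an added example, not part of the original post or any reply; it audits for such users and shows the documented ways to avoid them. It assumes SQL Server 2012 or later (needed for a default schema on a Windows group), reuses `Domain\AD_Group` and `ProgramObjSchema` from the post, and uses `Domain\dev1` as a hypothetical developer account.

```sql
-- Added example: run in the affected database.

-- 1. Audit: Windows users that own a schema with their own name.
--    This pairing is the signature of implicit user/schema creation.
SELECT dp.name                AS user_name,
       dp.create_date,
       dp.default_schema_name,
       s.name                 AS owned_schema,
       (SELECT COUNT(*)
          FROM sys.objects AS o
         WHERE o.schema_id = s.schema_id) AS objects_in_schema
FROM sys.database_principals AS dp
JOIN sys.schemas AS s
  ON s.principal_id = dp.principal_id
 AND s.name = dp.name
WHERE dp.type = 'U'           -- Windows user (not group, not SQL user)
  AND dp.principal_id > 4     -- skip dbo, guest, INFORMATION_SCHEMA, sys
ORDER BY dp.create_date;

-- 2. Check whether the group principal has a default schema at all.
SELECT name, type_desc, default_schema_name
FROM sys.database_principals
WHERE name = N'Domain\AD_Group';

-- 3. Mitigation: give the group a default schema so one-part names
--    resolve to an existing schema the group may ALTER.
ALTER USER [Domain\AD_Group] WITH DEFAULT_SCHEMA = ProgramObjSchema;

-- 4. Independently of step 3, create objects with two-part names.
--    Constructed procedure body, for illustration only.
GO
CREATE PROCEDURE ProgramObjSchema.Usp_storedProcName
AS
    SELECT 1 AS placeholder_result;
GO

-- 5. Cleanup for one implicitly created user found in step 1
--    (Domain\dev1 is hypothetical). Move its objects first, then
--    drop the empty schema and the user.
ALTER SCHEMA ProgramObjSchema TRANSFER [Domain\dev1].Usp_storedProcName;
DROP SCHEMA [Domain\dev1];
DROP USER [Domain\dev1];
```

Before running step 3, confirm with step 2 that the group principal exists under exactly that name; if a developer belongs to several groups with different default schemas, check which one applies to them.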
