All we need is an easy explanation of the problem, so here it is.
I’ve got a payroll-related schema that I need to secure. I figure if I prevent all users from directly modifying the tables, and create a set of procedures to handle all data modifications, we should be in good shape. I can have the procedures handle all the audit logging, wrap things in transactions as needed, etc.
But to do this, I need to deny direct DML statements to everybody on this particular schema – even the sysadmin server role. Is there any simple way to do this without resorting to INSTEAD OF triggers (which wouldn’t be quite as bulletproof)? I don’t see any syntax like “DENY INSERT, UPDATE, DELETE ON SCHEMA::schemaname TO ALL”, and denying permissions to the “public” role doesn’t seem to have the desired effect.
How to solve :
I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.
If all data access is via stored procedures, then permissions on the table are not checked of the same user (dbo probably) owns both procedure and tables. This is called ownership chaining
This also means the no permissions are needed on the tables at all. You don’t need to deny or grant anything on the tables because they won’t be checked. Lack of GRANT means no rights anyway, so you don’t need DENY
Now, this means nothing to folk with elevated privileges: sysadmin, db_owner etc. These will always have rights. You can only use triggers to block these: but they can disable or drop triggers of course.
I assume that your “end users” are not running as db_owner or sysadmin…
Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂