Discussion:
When to use the db_ddladmin DB role ?
(too old to reply)
Robert
2005-12-28 06:03:01 UTC
Permalink
According to the BOL, the db_ddladmin Db role is for adding / dropping
objects.

I have found that objects in SQL Server 2000 means tables / views /
procedures ....

In this way, does it mean that database user with db_ddladmin role can read
/ write to all tables / views / procedures ? When do we usually assign this
fixed database role to database user ?

Thanks
amish
2005-12-28 07:21:47 UTC
Permalink
DDL Admin role Can issue ALL DDL, but cannot issue GRANT, REVOKE, or
DENY statements.When you dont want to give you developer DB Owner right
for security concerns , You can assign this role to your developer with
DB Data Reader and Data Writer permission.

Regards
Amish
amish
2005-12-28 07:21:51 UTC
Permalink
DDL Admin role Can issue ALL DDL, but cannot issue GRANT, REVOKE, or
DENY statements.When you dont want to give you developer DB Owner right
for security concerns , You can assign this role to your developer with
DB Data Reader and Data Writer permission.

Regards
Amish
Dejan Sarka
2005-12-28 07:24:58 UTC
Permalink
Post by Robert
In this way, does it mean that database user with db_ddladmin role can
read / write to all tables / views / procedures ?
The db_ddladmin can create objects. If the creator of an object is also the
owner of the object, then this person has all possible permission on the
object. otherise, explicit permissions are required.
I would say that typically the creator is also the owner of the object.
Post by Robert
When do we usually assign this fixed database role to database user ?
I've seen usage of this role very often In the development environment.
--
Dejan Sarka, SQL Server MVP
Mentor
www.SolidQualityLearning.com
amish
2005-12-28 10:02:26 UTC
Permalink
In my organization which is one of asia's biggest financial
organization, where hundreds of applications of number of diffrent
vendors, we are not giving any vendor db owner right. They are only
given db_ddladmin right , so they can play only with object they
created, not play with db properties , login ,users, backup etc.

Regards
Amish
Dejan Sarka
2005-12-28 10:22:30 UTC
Permalink
Post by amish
In my organization which is one of asia's biggest financial
organization, where hundreds of applications of number of diffrent
vendors, we are not giving any vendor db owner right. They are only
given db_ddladmin right , so they can play only with object they
created, not play with db properties , login ,users, backup etc.
Dev environment is typically not the production environment. I guess your
vendors have their own SQL Servers where they develop their apps.
Also, a db owner is something else than an object owner. And of course,
there is no reason that a vendor would be in the db_owner role in a
production database.
--
Dejan Sarka, SQL Server MVP
Mentor
www.SolidQualityLearning.com
Amish Shah
2005-12-28 12:39:40 UTC
Permalink
For the application team to deploy the changes from dev to test and live
environment we grant DDLADMIN rights to authorised user, but not giving
the DBO right to authorised user.
Only DBA has DBO rights.


Regards
Amish

*** Sent via Developersdex http://www.developersdex.com ***

Loading...