At the bottom of most of our stored procedures we have a grant similar to

    GRANT EXECUTE ON [dbo].[uspFOO] TO [DOMAIN\SQLServerUsers]

Luckily for me, our domain is changing and we now need to go through and change the permissions. Does anyone know of an easy way to do this using the DB metadata so I can pull out all the places where [DOMAIN\SQLServerUsers] is given permission to run and substitute it with [DOMAIN2\SQLServerUsers]?

Thanks.

For those asking, this is on SQL Server 2005.

+1  A: 

What version of SQL Server are you on?

In 2005 and up, you could

  • create a new database role "db_executor" and do

    GRANT EXECUTE TO db_executor
    
  • grant that database role to all necessary users

This will create a "catch all" role that has execute rights on every existing and future (!!) stored proc in your database. Yes, that does include future stored procs, too! Very handy indeed (at least as long as every user is allowed to execute all stored procs).

That way, you don't have to create separate GRANT EXECUTE statements for each and every stored proc.

marc_s
We may go this way to ease our pain, but I know that we have specific stored procedures which we don't want users to have access to. If I understand you correctly, then this will give execute on all stored procs to the AD group which is not exactly what we want.
Rebthor
Not to an AD group - to a SQL database role. This role can be assigned to SQL Server logins as needed and as you want.
marc_s
Ok, but if I have a stored proc named restricted_proc and have the above executor role created, can executor run restricted_proc or not? If yes, then haven't I opened a huge security hole when I assign my big AD group that role? Nonetheless, I'm marking this as accepted since it will get us up and running again quickly while we migrate permissions.
Rebthor
Yes, sure - the db role "executor" can run *any* stored proc. And if you assign that db executor role to a big AD group, of course, all those users can run the stored procs.
marc_s
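
The metadata approach the question asks about, as an added example that is not part of the original posts: on SQL Server 2005 and later, the catalog views `sys.database_permissions`, `sys.database_principals` and `sys.objects` record every object-level permission, so one query can list each EXECUTE entry held by the old group and emit the matching statement for the new one. It assumes `[DOMAIN2\SQLServerUsers]` already exists as a user in the database; the column aliases and variable names are this example's own.

```sql
-- Added example: list object-level EXECUTE permissions held by the old
-- group and generate the equivalent statement for the new group.
-- Assumption: the new principal already exists as a database user.
DECLARE @OldPrincipal sysname, @NewPrincipal sysname;
SET @OldPrincipal = N'DOMAIN\SQLServerUsers';   -- principal from the question
SET @NewPrincipal = N'DOMAIN2\SQLServerUsers';  -- replacement from the question

SELECT
    s.name        AS schema_name,
    o.name        AS object_name,
    o.type_desc   AS object_type,
    dp.state_desc AS current_state,
    -- Statement that recreates the permission for the new principal.
    -- DENY rows are carried over too, so restricted procedures stay restricted.
    CASE dp.state WHEN 'D' THEN N'DENY' ELSE N'GRANT' END
        + N' EXECUTE ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(o.name)
        + N' TO ' + QUOTENAME(@NewPrincipal)
        + CASE dp.state WHEN 'W' THEN N' WITH GRANT OPTION' ELSE N'' END
        + N';'    AS new_statement,
    -- Statement that removes the old entry once the new one is verified.
    -- CASCADE is required to revoke a permission granted WITH GRANT OPTION.
    N'REVOKE EXECUTE ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(o.name)
        + N' FROM ' + QUOTENAME(@OldPrincipal)
        + CASE dp.state WHEN 'W' THEN N' CASCADE' ELSE N'' END
        + N';'    AS cleanup_statement
FROM sys.database_permissions AS dp
JOIN sys.database_principals  AS pr ON pr.principal_id = dp.grantee_principal_id
JOIN sys.objects              AS o  ON o.object_id     = dp.major_id
JOIN sys.schemas              AS s  ON s.schema_id     = o.schema_id
WHERE dp.class    = 1                  -- object- or column-level permission
  AND dp.minor_id = 0                  -- whole object, not a single column
  AND dp.type     = 'EX'               -- EXECUTE
  AND dp.state   IN ('G', 'W', 'D')    -- GRANT, GRANT WITH GRANT OPTION, DENY
  AND pr.name     = @OldPrincipal
ORDER BY s.name, o.name;

-- Not covered here: a database-wide GRANT EXECUTE (as with the db_executor
-- role suggested in the answer) is stored with class = 0, and permissions
-- inherited through role membership do not appear under the group's own name.
```

Run it in each affected database, review the `new_statement` column, and execute the generated statements only after checking that no procedure is listed that the new group should not reach.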