tags:

views:

604

answers:

3
Q: 

How to Revoke SELECT Permission for system_views To public

I have the following T-SQL to display all the permissions granted to principals on my SQL server 2005:

select dp.NAME AS principal_name, --1
  dp.type_desc AS principal_type_desc, --2
  o.NAME AS object_name, --3
  p.permission_name, --4
  p.state_desc AS permission_state_desc --5
from    sys.database_permissions p
  left    OUTER JOIN sys.all_objects o
  on     p.major_id = o.OBJECT_ID
  inner   JOIN sys.database_principals dp
  on     p.grantee_principal_id = dp.principal_id
order by principal_name, object_name

The result displays public with SELECT granted:

 1      2             3            4      5
 ...
 public DATABASE_ROLE system_views SELECT GRANT
 ....

I think object_name system_views is for all the views in my database Views|system_views folder. I tried the following T-SQL (just to see if it works by GRANT again):

GRANT SELECT ON system_views TO public

I got error "Cannot find the object 'system_views', because it does not exist or you don't have permission". I do connect the SQL server as sa.

My question is how to revoke SELECT permission on system_views for public (user or principal?) and roll permission back if I have to. The second question is if the revoke on system_views for public have any side-effect for other users?

A: 

Hi,

select * from sys.system_views

Does public have VIEW DEFINITION on any of these?

I would highly recommend against mucking about with any of this.

You could just 

DENY VIEW DEFINITION ON SCHEMA::DBO TO PUBLIC
Sam  2009-03-10 23:28:47
A: 

public is a "special" role. Don't mess with it. Every user is a member of public by default, for example.

Metadata visibility actually determines what a user sees. So even if someone does SELECT * FROM sys.columns, they will see only the columns for objects they have rights on. No other rights = only info on the columns for system views.

You're likely to break stuff if you do this, especially in SSMS or direct access clients (Access, Excel etc)

gbn  2009-03-11 04:30:59
+1  A: 

There's no reason to revoke rights to view the system views. Users can only see the objects that they already have access to, so they already know those objects exist.

If you want to grant a user the right to see all objects in the database then grant them view definition on the schema or the database.

mrdenny  2009-03-31 04:24:44

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?