Permissions require to GRANT EXECUTE

2019-07-21 05:42发布

问题:

I am creating a group for users who will need to be able to create and delete procs but also grant execute permissions to other users.

GRANT CREATE PROCEDURE TO [xxx\xxx]
GRANT ALTER ON SCHEMA :: dbo TO [xxx\xxx]

However what permissions to I need to grant the group such that they can grant execute permissions to an object?

Thanks

回答1:

According to the documentation, this is supposed to work:

GRANT EXECUTE ON SCHEMA::dbo TO [xxx\xxx] WITH GRANT OPTION;

However in my minimal testing it required:

GRANT CONTROL ON SCHEMA::dbo TO [xxx\xxx];

I strongly recommend you don't follow the advice in the comments, which suggest it might be a good idea to "grant ALL permissions" or use db_owner or sysadmin. Granting someone more permissions than they need is just a lazy way to ensure you will get fired later. I recommend anyone advocating this blind giving of keys to the castle to review the principle of least privilege.