I'm a SysAdmin who's inherited some DBA duties. I did a DBA course back in the MSSQL 7.0 days, but al lot has changed since then. Right now I'm trying to get my head around permissions.
I've got AD users in an AD group. I've created a login on the SQL2012 instance got the AD group and mapped that login as a user on the database in question. Assigning permissions on the database or on tables to that user is having the desired result. So far, so good.
What I'm trying to do now is set specific, granular permissions on a schema to allow devs to create tables. In general terms, across the entire database, we're trying to set things up so that developers can add data, but not change it or remove it. That's pretty important to us on an auditing front. If data genuinely needs to be changed because it's incorrect, we have a process where a sysadmin makes the change using a specific app that only updates a "record_valid_to" field on the "bad" row and then creates a new row with the correct data. The app then creates an entry in a table in a different schema, recording what was changed, when, by who, and why. So yeah, Devs need to add stuff, but never change or delete stuff that's already been added.
At the table level, the Insert permission works beautifully. Devs can insert new rows into tables, but they can't update data in existing rows, or delete rows. The idea behind this permission of non-destructive change is exactly what I'm shooting for almost everywhere.
At the schema level, I want to be able to give devs Create Table and the ability to create new columns in existing tables. They have a dev copy of the DB where they can create and delete all they like while they're getting things right. When committing changes to the production DB they damn well better be only creating the table or column once. =)
Unfortunately, as far as I can work out, I can't do what I want with permissions. In order to create a table the user needs the Create Table permission on the database, and the Alter permission on the schema. If I grant Alter at the Schema level that seems to give them Alter to all sub-objects of the schema too. They can then change and delete existing data and tables, which I don't want at all.
My first question is, am I missing something? Am I understanding it right so far, or is there a way of granting just the permissions I want at the schema level without (what would be called in NTFS land) inheritance?
Second question is, if I am understanding it right, what's next? I've been reading a bit about triggers and using them to block certain actions. Should I be granting the user Alter and then setting up a database level trigger to block the user from doing anything destructive with their Alter?
Another possibility is Application Roles. If we created a small one-shot app that let the devs create tables and add columns to existing tables, then gave that app the Alter permission on the schema, that feels like it would do the job, if slightly clumsily.
I'd really welcome any suggestions, corrections, explanations or pointers.
Cheers,
Ryan