diff --git a/contrib/babelfishpg_tsql/src/hooks.c b/contrib/babelfishpg_tsql/src/hooks.c
index 3faacd2a3f..68ed3069bf 100644
--- a/contrib/babelfishpg_tsql/src/hooks.c
+++ b/contrib/babelfishpg_tsql/src/hooks.c
@@ -5723,6 +5723,7 @@ handle_grantstmt_for_dbsecadmin(ObjectType objType, Oid objId, Oid ownerId,
 case OBJECT_TABLE:
 case OBJECT_COLUMN:
 case OBJECT_VIEW:
+ case OBJECT_SEQUENCE:
 classid = RelationRelationId;
 break;
 case OBJECT_FUNCTION:
diff --git a/contrib/babelfishpg_tsql/src/rolecmds.c b/contrib/babelfishpg_tsql/src/rolecmds.c
index fa32eff09c..52f3ac4c71 100644
--- a/contrib/babelfishpg_tsql/src/rolecmds.c
+++ b/contrib/babelfishpg_tsql/src/rolecmds.c
@@ -2050,17 +2050,22 @@ check_alter_role_stmt(GrantRoleStmt *stmt)
 if (has_privs_of_role(GetUserId(), db_owner))
 return;
 
+ /*
+ * Members of db_securityadmin role can ALTER ANY ROLE
+ */
+ if (get_db_principal_kind(granted, db_name) == BBF_ROLE &&
+ has_privs_of_role(GetUserId(), get_db_securityadmin_oid(db_name, false)))
+ {
+ return;
+ }
+
 /*
 * Disallow ALTER ROLE if
 * 1. Current login doesn't have permission on the granted role
 * OR
- * 2. Granted role is not a fixed db role or current user is a member of db_securityadmin
- * OR
- * 3. The current user is trying to add/drop itself from the granted role
+ * 2. The current user is trying to add/drop itself from the granted role
 */
- if ((!has_privs_of_role(GetSessionUserId(), granted) &&
- !(get_db_principal_kind(granted, db_name) == BBF_ROLE &&
- has_privs_of_role(GetUserId(), get_db_securityadmin_oid(get_current_pltsql_db_name(), false)))) ||
+ if (!has_privs_of_role(GetSessionUserId(), granted) ||
 grantee == GetUserId())
 ereport(ERROR,
 (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
diff --git a/test/JDBC/expected/BABEL-ROLE-MEMBER.out b/test/JDBC/expected/BABEL-ROLE-MEMBER.out
index 3351cc79f1..d74e180326 100644
--- a/test/JDBC/expected/BABEL-ROLE-MEMBER.out
+++ b/test/JDBC/expected/BABEL-ROLE-MEMBER.out
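Review bot: The new `case OBJECT_SEQUENCE:` relies on sequences being pg_class relations like tables and views, which is correct but not obvious from the case list, so a trailing comment, `case OBJECT_SEQUENCE: /* sequences are pg_class relations too */`, would make the grouping self-explaining. The remainder of handle_grantstmt_for_dbsecadmin, including whatever ownership or ACL check `classid` feeds, is outside the hunk, so I could not confirm how sequence-specific privileges are treated there. The accompanying tests only exercise UPDATE on the sequence; if Babelfish exposes any other grantable privilege on sequences, a test for it would close that gap.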
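Review bot: The comment `Members of db_securityadmin role can ALTER ANY ROLE` over-states what the new early return grants: it fires only when `granted` is a user-defined role (`BBF_ROLE`), so fixed roles such as db_owner still fall through to the permission check below, as the tests expect. The early return also sits above the `grantee == GetUserId()` check, so a db_securityadmin member may now add or drop itself from any user-defined role; that appears to be intended (CASE 3.2.b in the tests), but because it is a privilege-escalation-relevant decision it should be stated explicitly, e.g. `/* db_securityadmin members may manage membership of any user-defined (BBF_ROLE) role, including their own; fixed roles are not BBF_ROLE and still fall through to the checks below. */`. That escalation stays bounded only as long as user-defined roles cannot themselves be made members of db_owner (the tests show that path is currently rejected as unsupported), which is worth a sentence in the same comment so the assumption is visible when that restriction is lifted. check_alter_role_stmt starts and ends outside the hunk.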
@@ -1343,6 +1343,76 @@ GO ~~ERROR (Message: The role has members. It must be empty before it can be dropped.)~~ +-- tsql +-- Test system defined database role memberships +-- Following should return 1 +select is_rolemember('db_ddladmin', 'db_ddladmin') +GO +~~START~~ +int +1 +~~END~~ + +select is_rolemember('db_securityadmin', 'db_securityadmin') +GO +~~START~~ +int +1 +~~END~~ + +select is_rolemember('db_accessadmin', 'db_accessadmin') +GO +~~START~~ +int +1 +~~END~~ + +select is_rolemember('db_datareader', 'db_datareader') +GO +~~START~~ +int +1 +~~END~~ + +select is_rolemember('db_datawriter', 'db_datawriter') +GO +~~START~~ +int +1 +~~END~~ + +select is_rolemember('db_owner', 'db_owner') +GO +~~START~~ +int +1 +~~END~~ + +select is_rolemember('db_owner', 'dbo') +GO +~~START~~ +int +1 +~~END~~ + +select is_rolemember('dbo', 'dbo') +GO +~~START~~ +int +1 +~~END~~ + + +-- This should return NULL +select is_rolemember('dbo', 'db_owner') +GO +~~START~~ +int + +~~END~~ + + + -- Clean up DROP USER test_user1 GO diff --git a/test/JDBC/expected/db_securityadmin-vu-cleanup.out b/test/JDBC/expected/db_securityadmin-vu-cleanup.out index 94345389f4..7826938cbf 100644 --- a/test/JDBC/expected/db_securityadmin-vu-cleanup.out +++ b/test/JDBC/expected/db_securityadmin-vu-cleanup.out @@ -23,6 +23,8 @@ DROP FUNCTION babel_5135_schema1.babel_5135_f1(); GO DROP FUNCTION babel_5135_schema1.babel_5135_tvf1(); GO +DROP SEQUENCE babel_5135_schema1.babel_5135_seq1; +GO DROP PROCEDURE babel_5135_roleop_proc1; GO DROP PROCEDURE babel_5135_roleop_proc2; diff --git a/test/JDBC/expected/db_securityadmin-vu-prepare.out b/test/JDBC/expected/db_securityadmin-vu-prepare.out index d1c19b8dd4..64bc1d71a5 100644 --- a/test/JDBC/expected/db_securityadmin-vu-prepare.out +++ b/test/JDBC/expected/db_securityadmin-vu-prepare.out 
@@ -38,6 +38,9 @@ GO CREATE FUNCTION babel_5135_schema1.babel_5135_tvf1() RETURNS TABLE AS RETURN (SELECT a, b FROM babel_5135_schema1.babel_5135_t1); GO +CREATE SEQUENCE babel_5135_schema1.babel_5135_seq1 START WITH 1 INCREMENT BY 1 MINVALUE 1 MAXVALUE 999999 CYCLE; +GO + CREATE VIEW babel_5135_show_role_mem AS SELECT roles.name AS RolePrincipalName @@ -63,6 +66,7 @@ GRANT SELECT ON babel_5135_schema1.babel_5135_v1 TO babel_5135_u1; GRANT EXECUTE ON babel_5135_schema1.babel_5135_p1 TO babel_5135_u1; GRANT EXECUTE ON babel_5135_schema1.babel_5135_f1 TO babel_5135_u1; GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; +GRANT UPDATE ON babel_5135_schema1.babel_5135_seq1 TO babel_5135_u1; END GO CREATE PROCEDURE babel_5135_revokeop_proc1 AS BEGIN @@ -71,6 +75,7 @@ REVOKE SELECT ON babel_5135_schema1.babel_5135_v1 FROM babel_5135_u1; REVOKE EXECUTE ON babel_5135_schema1.babel_5135_p1 FROM babel_5135_u1; REVOKE EXECUTE ON babel_5135_schema1.babel_5135_f1 FROM babel_5135_u1; REVOKE EXECUTE ON babel_5135_schema1.babel_5135_tvf1 FROM babel_5135_u1; +REVOKE UPDATE ON babel_5135_schema1.babel_5135_seq1 FROM babel_5135_u1; END GO diff --git a/test/JDBC/expected/db_securityadmin-vu-verify.out b/test/JDBC/expected/db_securityadmin-vu-verify.out index 94082ef7d4..e8bed8ed3f 100644 --- a/test/JDBC/expected/db_securityadmin-vu-verify.out +++ b/test/JDBC/expected/db_securityadmin-vu-verify.out 
@@ -129,7 +129,9 @@ GO -- tsql -- CASE 3 - Able to manage database roles -- CASE 3.1 - CREATE/ALTER/DROP ROLE - -- CASE 3.2 - ADD/DROP the membership of user-defined database roles should be allowed + -- CASE 3.2.a - ADD/DROP the membership of user-defined database roles should be allowed + -- CASE 3.2.b - ADD/DROP the membership of user-defined database roles to/from current_user + -- CASE 3.2.c - It should be able to ALTER the membership of database role which is member of db_owner -- CASE 3.3 - ADD/DROP the membership of system-defined database roles should be blocked -- CASE 3.4 - CREATE/ALTER/DROP USER should not be Allowed -- role created by another user, to test alter/drop on it 
@@ -157,13 +159,50 @@ GO EXEC babel_5135_roleop_proc1; GO --- CASE 3.2 - ADD/DROP the membership of user-defined database roles +-- CASE 3.2.a - ADD/DROP the membership of user-defined database roles ALTER ROLE babel_5135_r1 ADD MEMBER babel_5135_u1; GO ALTER ROLE babel_5135_r1 DROP MEMBER babel_5135_u1; GO +-- CASE 3.2.b - ADD/DROP the membership of user-defined database roles to/from current_user +SELECT current_user; +GO +~~START~~ +varchar +babel_5135_dbsecadmin_u1 +~~END~~ + + +ALTER ROLE babel_5135_r1 ADD MEMBER babel_5135_dbsecadmin_u1; +GO + +ALTER ROLE babel_5135_r1 DROP MEMBER babel_5135_dbsecadmin_u1; +GO + +-- CASE 3.2.c - It should be able to ALTER the membership of database role which is member of db_owner +-- Currently it is not supported to add database role to db_owner +ALTER ROLE db_owner ADD MEMBER babel_5135_r1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Adding database roles to db_owner is not currently supported in Babelfish)~~ + + +ALTER ROLE babel_5135_r1 ADD MEMBER babel_5135_dbsecadmin_u1; +GO + +ALTER ROLE babel_5135_r1 DROP MEMBER babel_5135_dbsecadmin_u1; +GO + +ALTER ROLE db_owner DROP MEMBER babel_5135_r1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Dropping database roles from db_owner is not currently supported in Babelfish)~~ + + -- alter role add member inside procedure -- execution should be succeeded with no error -- Add @@ -189,6 +228,20 @@ GO ~~ERROR (Message: Cannot alter the role 'db_owner', because it does not exist or you do not have permission.)~~ +ALTER ROLE babel_5135_r1 DROP MEMBER dbo; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot use the special principal 'dbo')~~ + + +ALTER ROLE babel_5135_r1 ADD MEMBER dbo; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: Cannot use the special principal 'dbo')~~ + + -- CASE 3.4 -- CREATE/ALTER/DROP USER should fail CREATE USER babel_5135_user1 FOR LOGIN babel_5135_l2; GO 
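Review bot: CASE 3.2.c is labelled as verifying that a db_securityadmin member can alter membership of a role that is itself a member of db_owner, but the preceding `ALTER ROLE db_owner ADD MEMBER babel_5135_r1` is expected to fail as unsupported, so babel_5135_r1 is never a member of db_owner and the two ALTER ROLE statements that follow merely repeat CASE 3.2.b. As written the case gives false assurance that the escalation path (a db_securityadmin member adding itself to a db_owner-member role) has been checked. It should either be marked as a placeholder, e.g. `-- CASE 3.2.c - placeholder: a role cannot yet be added to db_owner (see error below), so this currently repeats 3.2.b`, or dropped until the setup it needs is supported. The same wording appears in the matching input file db_securityadmin-vu-verify.mix and would need the same change.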
@@ -345,6 +398,13 @@ GO ~~ERROR (Message: permission denied for function babel_5135_tvf1)~~ +GRANT UPDATE ON babel_5135_schema1.babel_5135_seq1 TO babel_5135_u1; +GO +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for sequence babel_5135_seq1)~~ + + -- tsql user=babel_5135_l1 password=12345678 SELECT current_user; GO @@ -392,6 +452,15 @@ GO ~~ERROR (Message: permission denied for function babel_5135_tvf1)~~ +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO +~~START~~ +bigint +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for sequence babel_5135_seq1)~~ + + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1; GO @@ -455,6 +524,15 @@ GO ~~ERROR (Message: permission denied for function babel_5135_tvf1)~~ +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO +~~START~~ +bigint +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for sequence babel_5135_seq1)~~ + + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 -- Testing GRANT inside procedure EXEC babel_5135_grantop_proc1; @@ -517,6 +595,14 @@ int#!#int ~~END~~ +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO +~~START~~ +bigint +1 +~~END~~ + + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 -- Testing revokes inside procedure EXEC babel_5135_revokeop_proc1; @@ -569,6 +655,14 @@ GO ~~ERROR (Message: permission denied for function babel_5135_tvf1)~~ +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO +~~START~~ +bigint +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for sequence babel_5135_seq1)~~ + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::babel_5135_schema1 TO babel_5135_u1; 
@@ -631,6 +725,15 @@ int#!#int ~~END~~ +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO +~~START~~ +bigint +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for sequence babel_5135_seq1)~~ + + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 REVOKE SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::babel_5135_schema1 FROM babel_5135_u1; GO @@ -682,6 +785,15 @@ GO ~~ERROR (Message: permission denied for function babel_5135_tvf1)~~ +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO +~~START~~ +bigint +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for sequence babel_5135_seq1)~~ + + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 -- CASE 5.2 - Validate members of db_securityadmin can not actually access given objects SELECT current_user; @@ -730,6 +842,15 @@ GO ~~ERROR (Message: permission denied for function babel_5135_tvf1)~~ +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO +~~START~~ +bigint +~~ERROR (Code: 33557097)~~ + +~~ERROR (Message: permission denied for sequence babel_5135_seq1)~~ + + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 -- CASE 5.3 - Validate that after GRANT/REVOKE, objectowner/dbo can execute REVOKE/GRANT respectively -- execute GRANT via db_securityadmin member and REVOKE it with object owner @@ -748,6 +869,9 @@ GO GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; GO +GRANT UPDATE ON babel_5135_schema1.babel_5135_seq1 TO babel_5135_u1; +GO + -- tsql REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1; GO @@ -780,6 +904,9 @@ GO GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; GO +GRANT UPDATE ON babel_5135_schema1.babel_5135_seq1 TO babel_5135_u1; +GO + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1; GO 
diff --git a/test/JDBC/input/BABEL-ROLE-MEMBER.mix b/test/JDBC/input/BABEL-ROLE-MEMBER.mix
index c1fdca8b48..7119b070fe 100644
--- a/test/JDBC/input/BABEL-ROLE-MEMBER.mix
+++ b/test/JDBC/input/BABEL-ROLE-MEMBER.mix
@@ -623,6 +623,31 @@ GO
 DROP ROLE test_role3
 GO
+-- Test system defined database role memberships
+-- tsql
+-- Following should return 1
+select is_rolemember('db_ddladmin', 'db_ddladmin')
+GO
+select is_rolemember('db_securityadmin', 'db_securityadmin')
+GO
+select is_rolemember('db_accessadmin', 'db_accessadmin')
+GO
+select is_rolemember('db_datareader', 'db_datareader')
+GO
+select is_rolemember('db_datawriter', 'db_datawriter')
+GO
+select is_rolemember('db_owner', 'db_owner')
+GO
+select is_rolemember('db_owner', 'dbo')
+GO
+select is_rolemember('dbo', 'dbo')
+GO
+
+-- This should return NULL
+select is_rolemember('dbo', 'db_owner')
+GO
+
+
 
 -- Clean up
 DROP USER test_user1
 GO
diff --git a/test/JDBC/input/ownership/db_securityadmin-vu-cleanup.mix b/test/JDBC/input/ownership/db_securityadmin-vu-cleanup.mix
index 94345389f4..7826938cbf 100644
--- a/test/JDBC/input/ownership/db_securityadmin-vu-cleanup.mix
+++ b/test/JDBC/input/ownership/db_securityadmin-vu-cleanup.mix
@@ -23,6 +23,8 @@ DROP FUNCTION babel_5135_schema1.babel_5135_f1();
 GO
 DROP FUNCTION babel_5135_schema1.babel_5135_tvf1();
 GO
+DROP SEQUENCE babel_5135_schema1.babel_5135_seq1;
+GO
 DROP PROCEDURE babel_5135_roleop_proc1;
 GO
 DROP PROCEDURE babel_5135_roleop_proc2;
diff --git a/test/JDBC/input/ownership/db_securityadmin-vu-prepare.mix b/test/JDBC/input/ownership/db_securityadmin-vu-prepare.mix
index cb22ffdf6a..e07aa1544e 100644
--- a/test/JDBC/input/ownership/db_securityadmin-vu-prepare.mix
+++ b/test/JDBC/input/ownership/db_securityadmin-vu-prepare.mix
@@ -38,6 +38,9 @@ GO CREATE FUNCTION babel_5135_schema1.babel_5135_tvf1() RETURNS TABLE AS RETURN (SELECT a, b FROM babel_5135_schema1.babel_5135_t1); GO +CREATE SEQUENCE babel_5135_schema1.babel_5135_seq1 START WITH 1 INCREMENT BY 1 MINVALUE 1 MAXVALUE 999999 CYCLE; +GO + CREATE VIEW babel_5135_show_role_mem AS SELECT roles.name AS RolePrincipalName @@ -63,6 +66,7 @@ GRANT SELECT ON babel_5135_schema1.babel_5135_v1 TO babel_5135_u1; GRANT EXECUTE ON babel_5135_schema1.babel_5135_p1 TO babel_5135_u1; GRANT EXECUTE ON babel_5135_schema1.babel_5135_f1 TO babel_5135_u1; GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; +GRANT UPDATE ON babel_5135_schema1.babel_5135_seq1 TO babel_5135_u1; END GO CREATE PROCEDURE babel_5135_revokeop_proc1 AS BEGIN @@ -71,6 +75,7 @@ REVOKE SELECT ON babel_5135_schema1.babel_5135_v1 FROM babel_5135_u1; REVOKE EXECUTE ON babel_5135_schema1.babel_5135_p1 FROM babel_5135_u1; REVOKE EXECUTE ON babel_5135_schema1.babel_5135_f1 FROM babel_5135_u1; REVOKE EXECUTE ON babel_5135_schema1.babel_5135_tvf1 FROM babel_5135_u1; +REVOKE UPDATE ON babel_5135_schema1.babel_5135_seq1 FROM babel_5135_u1; END GO diff --git a/test/JDBC/input/ownership/db_securityadmin-vu-verify.mix b/test/JDBC/input/ownership/db_securityadmin-vu-verify.mix index 2f2f15acfc..57a2cee142 100644 --- a/test/JDBC/input/ownership/db_securityadmin-vu-verify.mix +++ b/test/JDBC/input/ownership/db_securityadmin-vu-verify.mix 
@@ -92,7 +92,9 @@ GO -- CASE 3 - Able to manage database roles -- CASE 3.1 - CREATE/ALTER/DROP ROLE - -- CASE 3.2 - ADD/DROP the membership of user-defined database roles should be allowed + -- CASE 3.2.a - ADD/DROP the membership of user-defined database roles should be allowed + -- CASE 3.2.b - ADD/DROP the membership of user-defined database roles to/from current_user + -- CASE 3.2.c - It should be able to ALTER the membership of database role which is member of db_owner -- CASE 3.3 - ADD/DROP the membership of system-defined database roles should be blocked -- CASE 3.4 - CREATE/ALTER/DROP USER should not be Allowed -- role created by another user, to test alter/drop on it @@ -121,13 +123,37 @@ GO EXEC babel_5135_roleop_proc1; GO --- CASE 3.2 - ADD/DROP the membership of user-defined database roles +-- CASE 3.2.a - ADD/DROP the membership of user-defined database roles ALTER ROLE babel_5135_r1 ADD MEMBER babel_5135_u1; GO ALTER ROLE babel_5135_r1 DROP MEMBER babel_5135_u1; GO +-- CASE 3.2.b - ADD/DROP the membership of user-defined database roles to/from current_user +SELECT current_user; +GO + +ALTER ROLE babel_5135_r1 ADD MEMBER babel_5135_dbsecadmin_u1; +GO + +ALTER ROLE babel_5135_r1 DROP MEMBER babel_5135_dbsecadmin_u1; +GO + +-- CASE 3.2.c - It should be able to ALTER the membership of database role which is member of db_owner +-- Currently it is not supported to add database role to db_owner +ALTER ROLE db_owner ADD MEMBER babel_5135_r1; +GO + +ALTER ROLE babel_5135_r1 ADD MEMBER babel_5135_dbsecadmin_u1; +GO + +ALTER ROLE babel_5135_r1 DROP MEMBER babel_5135_dbsecadmin_u1; +GO + +ALTER ROLE db_owner DROP MEMBER babel_5135_r1; +GO + -- alter role add member inside procedure -- execution should be succeeded with no error -- Add 
@@ -145,6 +171,12 @@ GO ALTER ROLE db_owner ADD MEMBER babel_5135_u1; GO +ALTER ROLE babel_5135_r1 DROP MEMBER dbo; +GO + +ALTER ROLE babel_5135_r1 ADD MEMBER dbo; +GO + -- CASE 3.4 -- CREATE/ALTER/DROP USER should fail CREATE USER babel_5135_user1 FOR LOGIN babel_5135_l2; GO @@ -236,6 +268,9 @@ GO GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; GO +GRANT UPDATE ON babel_5135_schema1.babel_5135_seq1 TO babel_5135_u1; +GO + -- tsql user=babel_5135_l1 password=12345678 SELECT current_user; GO @@ -258,6 +293,9 @@ GO SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); GO +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1; GO @@ -296,6 +334,9 @@ GO SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); GO +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO + -- Testing GRANT inside procedure -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 EXEC babel_5135_grantop_proc1; @@ -323,6 +364,9 @@ GO SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); GO +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO + -- Testing revokes inside procedure -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 EXEC babel_5135_revokeop_proc1; @@ -350,6 +394,8 @@ GO SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); GO +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::babel_5135_schema1 TO babel_5135_u1; @@ -377,6 +423,9 @@ GO SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); GO +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 REVOKE SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::babel_5135_schema1 FROM babel_5135_u1; GO 
@@ -403,6 +452,9 @@ GO SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); GO +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO + -- CASE 5.2 - Validate members of db_securityadmin can not actually access given objects -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 SELECT current_user; @@ -426,6 +478,9 @@ GO SELECT * FROM babel_5135_schema1.babel_5135_tvf1(); GO +SELECT NEXT VALUE FOR babel_5135_schema1.babel_5135_seq1; +GO + -- CASE 5.3 - Validate that after GRANT/REVOKE, objectowner/dbo can execute REVOKE/GRANT respectively -- execute GRANT via db_securityadmin member and REVOKE it with object owner -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 @@ -444,6 +499,9 @@ GO GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; GO +GRANT UPDATE ON babel_5135_schema1.babel_5135_seq1 TO babel_5135_u1; +GO + -- tsql REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1; GO @@ -476,6 +534,9 @@ GO GRANT EXECUTE ON babel_5135_schema1.babel_5135_tvf1 TO babel_5135_u1; GO +GRANT UPDATE ON babel_5135_schema1.babel_5135_seq1 TO babel_5135_u1; +GO + -- tsql user=babel_5135_dbsecadmin_l1 password=12345678 REVOKE SELECT, INSERT, UPDATE, DELETE ON babel_5135_schema1.babel_5135_t1 FROM babel_5135_u1; GO