Database & Object Ownership

The most ANNOYING thing is to come across a database that is still owned by the user that created it. In prior server versions, this was a big deal since users owned objects and ownership had to be changed before the user could be removed from the system. Therefore, if user named ford created a table named brands, the fully qualified table name would be ford.brands.

In SQL Server 2005 and greater, this has changed with a default schema of dbo. All objects created in this schema are owned by dbo.

Today I am going to talk about how to use the ALTER AUTHORIZATION command to take ownership of databases, schemas or objects.

I am going to redesign my simple AUTOS sample database with a schema called USA and a table called BRANDS.

The SQL snipet below will setup the database for my example for usage.

At this point, the database is defaulted to my network id. This is not good. If my id was deactivated, access to the database will be blocked until ownership is changed.

As a rule, I ALWAYS change the ownership of the database back to SA after creation. The ALTER AUTHORIZATION statement allows us to specify the database we want to change and the owner to assign to it.

Sometimes it is neccessary to create an application user or application role that owns the schema. This way, schema objects can be seperated from different applications but reside in the same database.

Code below adds a login and user named [FORD_USER]. The USA schema has ownership transfered from dbo to [FORD_USER].

The before and after images shows that the schema being owned by DBO and FORD_USER respectively.

Like any real life example, a business requirement is to have a BRAND NAMES view which is created in the USA schema.

 

 

 

 

 

I am going to create a new schema called CAN for a new country (CANADA) which is being added to the database.

At this point, we have no access to the view since it is part of the CAN schema owned by dbo. In fact, we can not even see the view in the object explorer.


Either giving FORD_USER rights to the schema or the object allows us to access the view.

As you can see, we now can select data from the view.

To recap the talk, at a minimum PLEASE make sure that the database owned by SA and the default schema is owned by dbo. Objects can be created in various schemas to implment least amount of privledges for users, a common security tactic for DBA’s. If you are unfortunately like me to have existing SQL Server 2000 systems, use the sp_changedbowner and sp_changeobjectowner to manage ownership.

Related posts

One Thought to “Database & Object Ownership”

  1. Wow! Thank you! I continually wanted to write on my website something like that. Can I implement a portion of your post to my blog?

    — Please see the copyright rules. A portion can be copied; However credit should be given to the Crafty DBA.

Leave a Comment