Create an database user/role that has the permission to grant on dbo schema

0
votes

I have some stored procs under schema dbo.

I also database level role: Tech, and a database level user: Jack. Jack is a member of Tech.

As sa I am able to run: GRANT EXEC ON SCHEMA :: dbo TO Tech

Then Jack would have EXEC permissions to all stored procs. Now what I wonder is that whether or not there is a way for me to run the same command not as sa, but as Jack, to grant the same EXEC permissions to other users which Jack created(Jack does have permission to create server level logins, database level users/roles etc.)? In other words, what permissions does sa need to give to Jack so that Jack can grant EXECs to all stored procs under schema dbo?

Update: I just tested and found out that granting CONTROL on schema dbo to Jack can do it. My question now becomes: is CONTROL the absolute minimum that's needed to enable Jack to grant EXEC on schema dbo?

2
sql-serverschemadbo

2 Answers

0
votes

If you need to GRANT someone permissions on something, and give them the permission to then GRANT it to someone else, you need to do your GRANT using the WITH GRANT clause.

0
votes

After testing, it seems that WITH GRANT OPTION only works on an user, but not on a role. Use the example in my original question, we have role Tech and user Jack, where Jack is a member of Tech:

Running GRANT EXEC ON SCHEMA :: dbo TO Tech WITH GRANT OPTION; will not enable Jack to then grant EXEC to other users.

However running GRANT EXEC ON SCHEMA :: dbo TO Jack WITH GRANT OPTION; will work.

Greg's answer is in a way correct and he should get credit. Although since I have figured out the specifics myself, I will use my own answer.

Update: Further information, found this in the Microsoft document:

The GRANT ... WITH GRANT OPTION specifies that the security principal receiving the permission is given the ability to grant the specified permission to other security accounts. When the principal that receives the permission is a role or a Windows group, the AS clause must be used when the object permission needs to be further granted to users who are not members of the group or role. Because only a user, rather than a group or role, can execute a GRANT statement, a specific member of the group or role must use the AS clause to explicitly invoke the role or group membership when granting the permission. The following example shows how the WITH GRANT OPTION is used when granted to a role or Windows group.