You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/relational-databases/security/authentication-access/ownership-and-user-schema-separation.md
+7-7Lines changed: 7 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,5 +1,5 @@
1
1
---
2
-
title: "Ownership and User-Schema Separation in SQL Server"
2
+
title: "Ownership and user-schema separation in SQL Server"
3
3
description: Learn how user-schema separation allows flexibility in managing SQL Server database object permissions. Schemas group objects into separate namespaces.
4
4
ms.date: "08/02/2021"
5
5
ms.prod: sql
@@ -9,11 +9,11 @@ ms.reviewer: vanto
9
9
author: AndreasWolter
10
10
ms.author: anwolter
11
11
---
12
-
# Ownership and User-Schema Separation in SQL Server
12
+
# Ownership and user-schema separation in SQL Server
13
13
14
14
A core concept of SQL Server security is that owners of objects have irrevocable permissions to administer them. You can't remove privileges from an object owner, and you can't drop users from a database if they own objects in it.
15
15
16
-
## User-Schema Separation
16
+
## User-schema separation
17
17
18
18
User-schema separation allows for more flexibility in managing database object permissions. A *schema* is a named container for database objects, which allows you to group objects into separate namespaces. For example, the AdventureWorks sample database contains schemas for Production, Sales, and HumanResources.
19
19
@@ -23,13 +23,13 @@ A core concept of SQL Server security is that owners of objects have irrevocable
23
23
Server.Database.DatabaseSchema.DatabaseObject
24
24
```
25
25
26
-
### Schema Owners and Permissions
26
+
### Schema owners and permissions
27
27
28
28
Schemas can be owned by any database [principal](../authentication-access/principals-database-engine.md), and a single principal can own multiple schemas. You can apply security rules to a schema, which are inherited by all objects in the schema. Once you set up access permissions for a schema, those permissions are automatically applied as new objects are added to the schema. Users can be assigned a default schema, and multiple database users can share the same schema.
29
29
30
30
By default, when developers create objects in a schema, the objects are owned by the security principal that owns the schema, not the developer. Object ownership can be transferred with [ALTER AUTHORIZATION Transact-SQL](../../../t-sql/statements/alter-authorization-transact-sql.md) statement. A schema can also contain objects that are owned by different users and have more granular permissions than those assigned to the schema, although this isn't recommended because it adds complexity to managing permissions. Objects can be moved between schemas, and schema ownership can be transferred between principals. Database users can be dropped without affecting schemas.
31
31
32
-
### Built-In Schemas for backward compatibility
32
+
### Built-in schemas for backward compatibility
33
33
34
34
SQL Server ships with nine pre-defined schemas that have the same names as the built-in database users and roles: *db_accessadmin, db_backupoperator, db_datareader, db_datawriter, db_ddladmin, db_denydatareader, db_denydatawriter, db_owner, db_securityadmin*. These exist for backward compatibility. The recommendation is to not use them for user objects. You can drop the schemas that have the same names as the fixed database roles - unless they're already in use, in which case the drop-command will simply return an error and block the drop of the used schema.
35
35
@@ -83,7 +83,7 @@ The following schemas cannot be dropped:
83
83
> [!NOTE]
84
84
> The `sys` and `INFORMATION_SCHEMA` schemas are reserved for system objects. You cannot create objects in these schemas and you cannot drop them.
85
85
86
-
#### The dbo Schema
86
+
#### The dbo schema
87
87
88
88
The `dbo` schema is the default schema of every database. By default, users created with the CREATE USER Transact-SQL command have `dbo` as their default schema. The `dbo` schema is owned by the `dbo` user account.
89
89
@@ -92,7 +92,7 @@ The following schemas cannot be dropped:
92
92
> [!NOTE]
93
93
> When database objects are referenced by using a one-part name, SQL Server first looks in the user's default schema. If the object is not found there, SQL Server looks next in the `dbo` schema. If the object is not in the `dbo` schema, an error is returned.
94
94
95
-
## External Resources
95
+
## External resources
96
96
97
97
For more information on object ownership and schemas, see the following resources.
0 commit comments