Greetings. After years of granting everyone db_dataReader to our replicated databases, we now have a requirement to restrict access to just Views for one group.
Easy enough.
The problem will be remembering that this one-off group has different requirements than all other groups in this scenario, and never assigning them more permissions than they should have.
One option may be to use a trigger that will not allow us to assign direct table access or groups. The trigger would then need to be disabled before proceeding. Something like:
-- ADD_ROLE_MEMBER is a database-scoped DDL event, so the trigger has to be
-- created ON DATABASE (ON ALL SERVER is rejected for this event), and CREATE
-- rather than ALTER is needed the first time.
CREATE TRIGGER admin_viewsOnly
ON DATABASE
FOR ADD_ROLE_MEMBER
AS
    PRINT 'The group FOO should only be allowed to read Views. Disable trigger admin_viewsOnly and re-try to continue.';
    ROLLBACK;
This works for keeping people from being added to Views, but I can't figure out whether I can stop people from being given direct table access this way or not.
Thanks!
TIA, ChrisRDBA
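A more targeted version of the DDL-trigger idea from the post, added here as an example and not taken from the post itself: it fires on both role-membership changes and GRANT statements, checks what FOO would end up holding, and rolls back only those changes instead of every one. It assumes the restricted group exists in the database as a principal named FOO (the name used in the post); the catalog views are standard SQL Server ones.

```sql
-- Added example, not the poster's trigger. A DDL trigger runs inside the
-- statement's own transaction, so the catalog already reflects the pending
-- change; the trigger inspects the resulting state for FOO and rolls back
-- only when FOO would get more than read access to views.
CREATE TRIGGER admin_viewsOnly
ON DATABASE
FOR ADD_ROLE_MEMBER, GRANT_DATABASE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @grp sysname = N'FOO';   -- the views-only group (assumed principal name)
    DECLARE @why nvarchar(200);

    -- 1. Role membership: any database role (db_datareader included) can reach
    --    tables, so FOO must not be a member of one.
    IF EXISTS (SELECT 1
               FROM sys.database_role_members rm
               JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
               WHERE m.name = @grp)
        SET @why = N'membership in a database role'

    -- 2. Direct grants on a user table (sys.objects type U), or data permissions
    --    at schema or database scope, which would expose tables as well.
    --    CONNECT and VIEW DEFINITION are left alone so FOO can still log in.
    ELSE IF EXISTS (SELECT 1
               FROM sys.database_permissions p
               JOIN sys.database_principals g ON g.principal_id = p.grantee_principal_id
               LEFT JOIN sys.objects o ON p.class = 1 AND o.object_id = p.major_id
               WHERE g.name = @grp
                 AND p.state IN ('G', 'W')        -- GRANT / GRANT WITH GRANT OPTION
                 AND p.permission_name IN (N'SELECT', N'INSERT', N'UPDATE',
                                           N'DELETE', N'CONTROL', N'ALTER')
                 AND (   (p.class = 1 AND o.type = 'U')   -- object scope: user table
                      OR  p.class IN (0, 3) ))            -- DATABASE or SCHEMA scope
        SET @why = N'a data permission on a table, schema or the database';

    IF @why IS NOT NULL
    BEGIN
        RAISERROR (N'%s should only read views; this change would give it %s. Disable trigger admin_viewsOnly to override.',
                   16, 1, @grp, @why);
        ROLLBACK;
    END
END;
```

The check only runs when a role member is added or a GRANT is issued, so access FOO already held before the trigger was created is not revisited; an intentional change is made by running DISABLE TRIGGER admin_viewsOnly ON DATABASE first and re-enabling it afterwards.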