Problem Statement
Is it possible to provide admin access to an Azure AD group on a specific schema within Azure SQL Database.
Prerequisites
- AD Admin Account
- Azure SQL Database
Solution
- To grant access to an Azure AD group, one needs to either login to Azure SQL Database via SQL Server Management Studio, Azure Data Studio, or Azure Query Editor using an Active Directory Admin account.
- Execute the below Set of SQL Statements on the logged in system.
You need one GRANT CREATE per object type.
Now Grant DDL, DML and DQL access at Schema level.
Note. The CREATE TABLE permission is granted at the database level and the ALTER permission is granted at the schema level. The combination of these 2 permissions will allow a user to actually create a table within the particular schema.
For better security, also make sure to ALTER the authorization by executing the below statement so the “dbo” is not the default authorization. This is to avoid the users any access to impact / manipulate other schemas having same authorization as the schema in which they have been granted Admin access.
One can verify this by executing “Select * from SYS.SCHEMAS”
How can one impact other schema objects via the schema in which user has admin access (This is applicable if the schemas are tagged to same AUTHORIZATION / Principal_Id from Sys.Schemas output) :
- As the user has Admin access and Create Stored Procedure access on a schema, the user can create a Stored Procedure dropping objects from other schema ( sharing same Authorization)
The below Statements would enable the user to drop a table from another schema via his Admin access on a particular schema due to common authorization link between the 2 schemas.
Note. The user can perform any DDL, DML and DQL on the non admin schema via the Admin schema.