I have an Intranet ASP.NET WebForm application that uses Integrated Windows authentication and Impersonation (required because triggers are used to create audit logs) to connect to a SQL Server 2005 DB on the same box (no double hop issues). Normal users get their DB permissions via the <Domain\Domain Users AD group, which has a SQL Server login and a user created for the DB. Everything works fine when I explicitly grant the associated DB user CONTROL permissions on the DB.
However, after doing more research on the actual permissions granted via CONTROL, this seems to be way too much access. The best description of the CONTROL permission I found was at http://www.mssqltips.com/tip.asp?tip=1718, which states, "This grants the equivalent to ownership over the database. The db_owner fixed database role has this permission implicitly." However, every other DB permission combination I've tried without granting CONTROL always fails to connect to the DB. Impersonation is working; the correct accessing Domain/User is referenced in the error message. The appropriate User in the DB is in the db_datareader and db_datawriter roles, and when I explicitly grant them every single permission on the DB except CONTROL they fail with a "