[dba-SQLServer] Difference between views and queries

Arthur Fuller artful at rogers.com
Mon Jun 28 16:04:29 CDT 2004


Call me stupid, ignorant, inexperienced, whatever, but so far I have
used "DENY" even once. Maybe that means my clients are victims of bad
design, but so far I have done virtually everything additively, i.e.

Levels:
1. access to a very few sprocs, a few of which do inserts, most of which
permit lookups (for cities, states, products, etc.)
2. ability to update records in some tables
3. ability to create and update records in some tables (only certain
users can add products or change their prices, etc.)
4. ability to run the sprocs underlying various management reports
(grained by department, i.e. warehouse folks don't need to see most of
the reports in the system, just the ones relevant to loading boxcars,
etc.)
5. senior managers, who can view any report.
6. President of the company, who thinks he can do anything but actually
can't :-)
7. Me: I can do ANYthing. Trust me :-)

In some (typically large) firms, Me might not be able to do ANYthing.
For example, as a developer, I might not be able to create a new sproc,
or edit an existing one. I might instead have to request a new sproc
that returns X or edit an existing sproc to also include column Y. In a
situation like this, we have to add (at the least) 

8. DBA: can create, destroy, edit anything

And revise 7 to read:

7. Me: I have access (as developer) to any sproc in the system, but
cannot create, edit or delete any sproc. I must request changes from
DBA.

Maybe it's more efficient to create a new role and then grant certain
accesses while denying others. That approach was simply too hard to get
my mind around. I opted for the strictly additive approach. I could be
wrong, and am prepared to be corrected. The approach I took was to
create as many roles as I needed in order to assemble a strictly
additive structure.

For example, on first pass I let any data-entry person add cities. This
quickly proved foolish. So I created a role that could add data to
lookup tables (simplifying). Anyone in this role can add to/edit lookup
tables such as Cities, States, Countries, etc. Different from this is
the ability to add to/edit tables such as Customers (which most of the
time is a lookup, but fundamentally different than Cities). From there,
it's easy to create a role that can do both.

Ok, I am simple-minded. But it's too complex for me to think of a role
minus certain abilities, because then I have to go in both directions. I
prefer to think of roles strictly in terms of what they can do rather
than what they cannot do. Then I can create a new role and say, "include
data-entry, lookup-table edits, customer-creation and nothing else."
After that, for a new hire I simply assign her to the requisite role.

Maybe that means that I create way too many roles. But so far it seems
like the simplest path to me. I admit that until now I haven't really
given this a lot of thought, but now it occurs to me that there is an
algorithm to solve this.

Let's suppose 100 tables and 10 roles. Each higher role gets access to
all lower roles, i.e. role 1 can access 10 tables, role 2 those same 10
plus 10 new ones, role 3 10 additional tables, etc.

That's a simple case. Complicating it a bit more, suppose role 3a can
access the first 20 tables but only view the next 10. I suppose you
could create 3a by cloning 3 and subtracting the insert/update
privileges for tables 21-30. That would work; it just never occurs to me
to do it that way. Instead I would add the first 20 tables and then add
the next 10, specifying view-only.

Upon consideration, I can't really defend the way I do it, except to say
that conceptually it works for me. The other approach may have
advantages that I'm not seeing, such as performance increase,
architectural simplicity, etc. But so far I don't see them.

I've been wrong before, and this could be yet another occasion of same.

Back to the original subject.... Would someone kindly supply an occasion
in which no sproc can handle the requirement, and dynamic SQL is
necessary? 

I am NOT saying that any single sproc can handle all the requirements; I
am including the possibility that I write one sproc for each situation,
passing various parameters, and that the front end examines the parms
and decides which sproc to invoke.

For example, imagine a form that offers 3 combo-boxes or somesuch, and
tracks in which order I make my selections... One is State/Province, and
one is a DateRange and the third is a CompanyName thing that can handle
wildcards. You fill in the CompanyName thing with "W*", the State thing
with "M*" or "N*" (which I think results in 5 states each", and any
given date range.

I can write one or more sprocs that can handle this input, and it won't
take long. Even granted that the sequence in which you fill in the
controls matters (i.e. sort order), a small number of sprocs can do
this. And if you really want to stretch the point, a single sproc could
receive the sort order and deal with it using CASE statements (though
emphatically that is NOT my chosen approach).

So what I would like someone to offer is a situation in which one or
more sprocs cannot handle the input parameters. Ideally, work it against
Northwind so I can easily check my assertion, and try to come up with a
sproc that can handle your various inputs (the one sproc might invoke
another, depending on conditions; you have to grant me that).

I don't mean to issue this as an in-your-face challenge, but rather to
invite you to teach me this non-obvious lesson.

Arthur





More information about the dba-SQLServer mailing list