A. Set up Read/Write
- Go to Security/Logins and find your login, double click it
- Go to user mapping, and click on the database that you have access to
- In the bottom pane under 'Database Role Membership', tick
db_datareader
anddb_datawriter
This gives the user Login SELECT, INSERT, UPDATE, DELETE
B. Revoke DELETE and grant EXECUTE
Create a role that does this:
- Go to your database / Security / Roles
- Right click, New / Database Role
- Give the role a name, I will use
executor
for this example and press OK
I don't know how to do the next steps in SSMS, You'll need to do it in T-SQL:
- Start a new query in your database
Type this and press F5:
GRANT EXECUTE TO executor;
DENY DELETE TO executor;
Now repeat A3 but select your newly created role, 'executor'
Every new user (or group) that you create needs to be a member of these three roles. The best practice is to add a windows group to SQL Server once, and add users to that windows group.
Lastly test this - I don't know for sure that it works.
With regards to the database user securables:
You have to explicitly populate this list to see what it contains. It doesn't populate automatically. Press Search and search for some objects (i.e. all objects belonging to the schema dbo). Now you have a list of objects in the top. Click on an object and click the 'Effecttive' tab on the bottom. This is the users effective (final) permissions for this object. If you want to override this at the object level you can assign something on the explicit tab