I have created a SQL Server user with datareader permission to a user database.

Why does this user automatically have permission to drop/create local/global temp tables?

The problem is that any user can mess around with global temporary tables created by other users or applications.

CodePudding user response：

Basically, the temporary tables the datareader user is creating is created on tempDB database. By default, any user can create objects in tempdb database, unless explicitly denied.

Refer to tempdb permissions reference

Any user can create temporary objects in tempdb. Users can access only their own objects, unless they receive additional permissions. It's possible to revoke the connect permission to tempdb to prevent a user from using tempdb. We don't recommend it because some routine operations require the use of tempdb.

For example, in the below sql code, I am creating a user , which is just having public role. It is also able to create temporary tables. public database role is given by default, when you add a user for a login in a database. Read more about public role

use master
go
create database testperm
go
create login testpermlogin with password = 'Somecomplexpassword123#'
go
use testperm
go
create user testpermuser for login testpermlogin
go
execute as user ='testpermuser'
go
select USER_NAME()
go
create table #test(a int)
go

CodePudding user response：

The problem is that any user can mess around with global temporary tables created by other users or applications.

This is just one more reason not to use global temporary tables. They aren't very useful, and they are extremely rarely used.

I can't think of a scenario where it wouldn't be better to use a local temp tables, a permanent tables in TempDb, or a regular table in a user database.