I have Sql Server 2019
I want to create a user with limited privileges, that user have permission only to SELECT on one database tables, I will have 4 different users with same privileges on one(same) database
When I create everything, login, db user for this login, grant select to user,
and log in as that new user in SSMS, when I click on the database where there is no user for my login popup tells me that I have no privileges and I don't see any tables
If I click on the database I have select rights for, I see tables, I can select, but I can also alter, exec, update, insert, everything....
if I write query 'USE anotherDatabase', I can, and then I can select, insert, everything on those other database tables, although I am not a user on that other database
i can also exec
SELECT * FROM SYSOBJECTS WHERE xtype = 'U' GO
on any database
Do I have to setup the server differently so that I can create user that can only SELECT on one database
Any help
I tried creating roles, addrolemember, deny, revoke, everything i colud find as a solution
Related
I do have admin permission for a certain Azure SQL Server. So using my admin login I created a database user against a specific Azure SQL database in the following manner:-
CREATE USER myuser WITH PASSWORD = '<pwd>'
ALTER ROLE [db_datareader] ADD MEMBER [myuser]
After this I successfully logged into the database using this new credential for myuser. I discovered that while I can query data from most of the tables , there are certain tables for which I can't select any data. I can see the table name in SSMS , also no error for SELECT queries against those tables I receive , the only issue is that SELECT doesn't return any data ( 0 rows ) for those tables. If I fire SELECT using my admin credentials , I can very much see the result.
I tried to reproduce the same issue using the same commands which you have shared.
FYI, as a part of repro, I created an Azure SQL Server and then SQL database in the same server. I added three sample tables to match the scenario as you mentioned. Then I created user and grant db_datareader role with the same commands as you mentioned. It worked fine for me. I’m able to read the data of all the table in that specific database.
I suggest you consider How to Create Login, User & Assign Permissions in SQL Server and Overview of db_datareader role.
Alternatively, you can grant select permission to those tables which you are unable to read using below command:
GRANT SELECT ON <tablename> TO <user>;
I am connecting to my SQL studio manager using Power BI (a report writing software). I only want tables appearing listed under a certain schema, and deny permission to access all others, instead of displaying all tables which it currently does.
Usually, when preventing individual users from accessing a schema, I would use the following code:
revoke select on schema::UnwantedSchema to User
grant select on schema::WantedSchema To User
However, now I want it so ALL users and Logins have these permission settings. Not just the individual user. Is there a way I can do this without having to set the permissions for every individual user?
If you wanted to set the privileges to multiple user logins, You need to create a role and assign the role to the ers to that role. The give required permission to the role created.
Following are the sample steps.
--Create a new role
EXEC sp_addrole 'yourRole'
GO
--Assiging role to the user
EXEC sp_addrolemember 'yourRole', 'yourUser';
GO
--Assigning permissions to the Role
GRANT ALTER, DELETE, EXECUTE, INSERT, REFERENCES, SELECT,
UPDATE, VIEW DEFINITION ON SCHEMA::YourSchema TO yourRole;
GO
GRANT CREATE TABLE, CREATE PROCEDURE, CREATE FUNCTION, CREATE VIEW TO yourRole;
GO
If I have two databases 'dbA' and 'dbB' using a normal account I know I can run a query such as
SELECT *
FROM dbA.dbo.TableA a
JOIN dbB.dbo.TableB b ON a.columnA=b.columnB
But I can not figure out how to grant permissions to a loginless account
USE dbA;
CREATE USER [test_user] WITHOUT LOGIN WITH DEFAULT_SCHEMA=[dbo]
GRANT SELECT ON DATABASE::dbA TO [test_user];
I receive an error when trying to give select permission to the loginless user 'test_user' on the other database.
GRANT SELECT ON DATABASE::dbB TO [test_user];
Is it possible to do a database join using loginless users? If so what should the grant statement look like for setting correct permissions?
A user without a login can only access other databases that have the guest user enabled. You might consider using a certificate-mapped user instead if you have a cross-database requirement. See http://www.sommarskog.se/grantperm.html for code.
Users exist at the database level. Only logins exist at the server level.
I believe you can create a view in dbA like so:
use dbA;
create view dbB_TableB as
select *
from dbB.dbo.TableB;
And you can then assign SELECT permissions for the user in dbA to the view.
I have two databases.
Databases:
1. DB1
2. DB2
I have created two new logins.
Logins:
1. DB1_login
2. DB2_login
Next, I created user for each database mapped to the above logins.
create user DB1_login1_user1 for login DB1_login;
create user DB2_login2_user2 for login DB2_login;
So, DB1_login1_user1 user of DB1 database will be mapped to DB1_login1 login and DB2_login2_user2 user of DB2 database will be mapped to DB2_login2 login.
Granted database role permissions for both users is db_datareader and db_datawriter.
In DB2, I have a table named dbo.sample_table.
My requirement:
Let us consider that I have logged in as DB1_login1.
In this login, I have granted permissions for DB1_login1_user1 user to DB1 database.
Now from DB1, I have to select a table dbo.sample_table at DB2, which was mapped to another login DB2_login2.
Below is the query what am I trying to do is.
--CURRENTLY LOGGED IN AS DB1_LOGIN1
USE DB1;
EXECUTE as login='DB2_login2'
select * from DB2.dbo.sample_table
GO
I tried GRANT IMPERSONATE on LOGIN::DB2_login2 to DB1_login1, but it didn't work and also, I'm not aware about granting permissions across logins. I think granting permissions matters and I need help in doing that.
How can I execute the above query successfully?
Any help would be appreciable.
The users you created exist only in their respective databases, so what you're trying to do is not possible. Even if it were, or you allow acces (create users for login) in both databases and give then permissions and enable cross-database access, it would be too much of a security risk.
I'd suggest using stored procedures to acces data cross database. Stored procedure should be signed with a certificate, and the same certificate created in both databases. I've had it implemented on various occasions and it works flawlessly.
There is a great sample of this by Erland Sommarskog here.
I did granting permissions on login.
From administrator login "Sa", I executed the below query.
GRANT IMPERSONATE ON LOGIN::DB2_login to DB1_login;
And then from DB1_login, executed the below query for accessing DB across logins.
USE MASTER;
EXECUTE as login='DB2_login';
SELECT * FROM DB2.dbo.sample_table;
REVERT;
GO
Finally for my situation, I have solved the problem.
I am having trouble adding a user to a test database I set up on my local machine. I have added the user fine but the user does not have permission to SELECT (Or anything else for that matter) on the database. I have tried gone the the permission tab under the server, the database, and the table (there is only one it is a very simple database just for testing) and selected grant for every single option yet it still does not work. I have also tried doing a Transact-SQL command like:
use testing
GRANT SELECT, UPDATE, DELETE, INSERT TO User
and a couple of other combinations that return successfully but I still do not have permission to select data from the table. Any suggestions?
Add the user to the db_datareader role to give the user select access to all of the tables.
Add the user to the public database role and they should be able to SELECT against the database (unless you have changed the public role's permissions).