On the master db of a Serverless Synapse Analytics instance an external login is created for AAD Security Group.
CREATE LOGIN [sg-aad-name] FROM EXTERNAL PROVIDER;
The login does not show up in the table sys.server_principals.
The following query doesn't return any results:
SELECT SUSER_SID('sg-aad-name')
But I can't ALTER or DROP the login. The message that is returned: 'it does not exist or you do not have permission'. When I try to create it again, it indicates that is already exists.
When I try to add the login to a server role, it again indicates 'it does not exist or you do not have permission'.
I have SQL Administrator rights and so does the AAD security group for which I try to create the login. This issues appears on two instances. On another instance it worked and is functioning properly.
What am I overlooking? Can someone enlighten me on what is happening here or how this can be solved? I want to create an external login, have it visible in the sys.server_principals table and add to server role.
Tried all statements above. Read various blog posts and fora such a Stackoverflow.
Issue solved. The security group already had a login in sys.server_principals where the name was the Azure object ID of the security group. Dropping this login allowed for creation of the new login. This new external login was stored under the name of the security group in sys.server_principals.
Related
Disclosure: I am not an IT professional and I am certainly not a DBA.
That said, I can usually find my way around. I am following some instructions from a third party vendor to create a login, two databases, a user in each and ultimately a DSN to each.
Here are the steps:
Create a login (let's call it Test) with SQL Server Authentication and assign it a Public server role
Create two databases, both owned by the login we created (Test)
In each database, create a user with User Name and Login Name both set to Test and the default schema as dbo. Assign each user db_owner in Owned Schemas and Membership
Create a DSN to each database
If I follow these instructions, when I attempt to create the users I get an error: The login already has an account under a different user name. (Microsoft SQL Server, Error: 15063)
If I try creating a user with a different User Name (login name still Test), I get the same error.
If I try creating a user with a different Login Name, I get a different error: 'Test1' is not a valid login or you do not have permission. (Microsoft SQL Server, Error: 15007)
If I try skipping the users entirely and creating the DSN with the original Login, I get an error that login failed for user Test.
I have tried completely removing and re-installing SQL Server in case there was some duplicate name stored somewhere, but it didn't help.
So, I am not sure what else I can try. Clearly I am missing something, but I have no idea what.
If the Login owns the database, it's mapped to the user dbo (which stands for "database owner") so you can't create another user for that login.
Normal practice is to have the databases owned by SA or your Windows Login, then you can create the user for the SQL Login and assign whatever permissions you need.
Our problem is follow:
We have an Azure App Service and Azure SQL Database. Recently, we have a problem of data missing from the SQL Database. The App Service was running and the users could create and retrieve the records from App Service. However, when we did a select statement using SSMS, the record could not be found. The next day, record cannot be seen via App Service as well.
We also have Azure Function App which was running during the same problematic period, but there was no issues with the updating. All records were updated into the database successfully.
Does anyone having similar problem? Any advice is greatly appreciated.
Best regards,
Ben
The issue seems like with User permission for Azure SQL Server user. If the user is able to update it looks like he has only updating permission in the schema. I suggest you to cross-check the User permission on table(s) and schema for better clarity.
Refer below example to create Login, User and GRANT permission:
CREATE LOGIN utkarsh WITH PASSWORD = 'Uuxwp7Mcxo7Khy';
USE AdventureWorks;
CREATE USER utkarsh FOR LOGIN utkarsh;
GO
Grant Select permission:
GRANT SELECT TO utkarsh
Refer: GRANT Database Permissions (Transact-SQL)
You can add a database user to a database role using the following query:
EXEC sp_addrolemember N'db_datareader', N'userName'
I have got myself into a little bit of a bind, using SQL Server Management Studio to create a database in Azure SQL. My issue appears to be with assigning roles to users in the database. When I created the database, it prompted me to create a new login, with an associated user, that appeared to have all the rights of a database owner. However, I am now trying to create two additional logins and I realize I am screwed. The login that I created when I made the database isn't the database owner, even though I could do all the DDL / DML necessary to create the full schema under that account. I created an additional login, and I added two users to that login. I now want to add that login to a role (db_datareader, db_denywrite) but I cannot.
It appears that the database owner is a user / login called "dbo" that I did not set up. This is the only user that is added as a database owner, and subsequently is the only one that can edit roles. But I do not know the login credentials for this user!
if I use what I believed to be the administrator account (the one I made) to add a role I get the error:
Cannot alter the role 'db_datareader', because it does not exist or you do not have permission.
How can I fix this? How can I get my original account added as a DB Owner? There has got to be a way, but everything I tried points to the fact that I am not the owner of the resource I created; I'm an outcast in my own country...
Thanks!
Can someone tell me how can I add Azure Active Directory groups into the azure sql server, I am using server manager tool to do this but cant find any way to figure this out, I can add simple Azure Active Directory user though..What about groups?
I will assume that you are wanting to provide access for end-users to connect, not Database Administrators. For my example below, let's say that the end-users are in a group called "AZ-Users", and that your Database Administrators (including you) are in a group called "AZ-DBAs".
For Azure SQL Databases, there are key things that must be in place to get this to work:
There must be an "Active Directory admin" configured for your server. This can be any AAD user or an AAD group. You can check if this has been set or not by going to the Azure portal page for your server. Be careful that you are looking at the Overview page for the server, not the individual database, they are not the same thing. Detailed instructions here. In our example, we would configure this to be the AAD group called "AZ-DBAs".
When you are ready to create the AAD login for "AZ-Users" on your Azure SQL Database, you must yourself be logged in using AAD... meaning a member of the "AZ-DBAs" group from my example above. You can use SSMS or any other similar tool for executing TSQL commands. Note that if you try a SQL auth connection instead, it won't work for step 4 below - you'll get this error:
Msg 33159, Level 16, State 1, Line 1
Principal 'AZ-Users' could not be created. Only connections established with Active Directory accounts can create other Active Directory users.
Change the context to the database you want to provide access to for your end users.
Execute this statement:
CREATE USER [AZ-Users] FROM EXTERNAL PROVIDER
Note that this will create a "contained database user", as detailed here. That's it. This process works for AAD groups and AAD users.
You will probably also want to grant some level of permissions as well, such as:
EXEC sp_addrolemember 'db_datareader', 'AZ-Users'
All you need to know about how to configure and manage Azure Active Directory Authentication you can find it in this article.
Then to connect to SQL Azure using Azure Active Directory authentication please read here.
Connect to the server via SSMS as your Azure AD admin. Create a new query with the db you want to affect. Run this:
ALTER ROLE db_datareader ADD MEMBER [AzureADGroupName];
GO
To modify permissions, do something like this:
ALTER ROLE db_datareader ADD MEMBER [AzureADGroupName];
GO
I am very new to the database field and I have followed various sources such as Creating new user/login in sql azure
and this
to create and grant new user access to databases, they were all successful during the creation process but as soon as I tried logging in to the database, I get the following error.
Authentication:14678e5d-f8f5-4b1f-bb19-c67effaf2309[Microsoft.SqlServer.MessageText=Login failed for user 'vitra_public_user'. ,Microsoft.SqlServer.MessageSeverity=14,Microsoft.SqlServer.MessageId=18456]
So here is the procedure and details of how I created and granted the user access, can someone spot any mistakes that I have made pls.
creating a new LOGIN under the master database. CREATE LOGIN vitra_public WITH password='<mY_PasSwOrd_hErE>'
go into the specific(e.g. 'vitra-web') database to create user linking to the login. CREATE USER vitra_public_user FOR LOGIN vitra_public
But as I tried logging onto the vitra-web database on Azure, I got the error so if anyone can spot any mistake that I made will be great!
Thanks
Ken