In SQL Azure, The roles of the users created in the main database are not replicated or copied to the geo database and generate error 916
enter image description here
Can you help me?
Could you please help me with a solution to this error, so that the user hosted in the GEO database can access his database with his role assigned in the main database.
The roles of the users created in the main database are not replicated or copied to the geo database.
To create and access users from primary data base to replicated database follow below steps.
First follow below steps on the master database of the Primary server:
Create a new login with login name and password and also create a corresponding user and assign it to the dbmanager role (or any other role as per your requirement).
CREATE LOGIN [Login_name] WITH PASSWORD = 'secure-password'
CREATE USER [User_name] FOR LOGIN [Login_name]
ALTER ROLE dbmanager ADD MEMBER [User_name]
Obtain the login's SID so that it may be recreated. only applies to logins using SQL Server authentication. note it down for later use using the command below:
SELECT sid FROM sys.sql_logins WHERE name = '[User_name]'
Now follow below steps on the source database of the Primary server:
Create user for the same login as master database and add the user to the db_datareader role:
CREATE USER [User_name] FOR LOGIN [Login_name]
ALTER ROLE db_datareader add MEMBER [User_name]
Now, create login on the master database of the Secondary server:
Using the same username, password, and SID from the user in the primary master database, create the same login as on the primary server:
CREATE LOGIN [Login_Name] with password = 'secure-password', sid=0x010600000000006400000000000000003C5857161B989940886580923D14E710
Output
Related
I do have admin permission for a certain Azure SQL Server. So using my admin login I created a database user against a specific Azure SQL database in the following manner:-
CREATE USER myuser WITH PASSWORD = '<pwd>'
ALTER ROLE [db_datareader] ADD MEMBER [myuser]
After this I successfully logged into the database using this new credential for myuser. I discovered that while I can query data from most of the tables , there are certain tables for which I can't select any data. I can see the table name in SSMS , also no error for SELECT queries against those tables I receive , the only issue is that SELECT doesn't return any data ( 0 rows ) for those tables. If I fire SELECT using my admin credentials , I can very much see the result.
I tried to reproduce the same issue using the same commands which you have shared.
FYI, as a part of repro, I created an Azure SQL Server and then SQL database in the same server. I added three sample tables to match the scenario as you mentioned. Then I created user and grant db_datareader role with the same commands as you mentioned. It worked fine for me. I’m able to read the data of all the table in that specific database.
I suggest you consider How to Create Login, User & Assign Permissions in SQL Server and Overview of db_datareader role.
Alternatively, you can grant select permission to those tables which you are unable to read using below command:
GRANT SELECT ON <tablename> TO <user>;
There are some tables in DB1. I created Login MyLogin in Master DB without creating user for this(or I created but deleted). But now, at least I checked that there is no user with same SID with MyLogin. Why I still can have privilege to search the tables?
select * from sys.sysusers; -- Check in DB1
select * from sys.sql_logins; -- Check in Master DB
Before we create login, we need to check if the login has exist.
Demo code:
DROP LOGIN TestLogin;
GO
CREATE LOGIN TestLogin
WITH PASSWORD = 'SuperSecret52&&', SID = 0x241C11948AEEB749B0D22646DB1A19F2;
SELECT * FROM sys.sql_logins WHERE name = 'TestLogin';
GO
Reference:CREATE LOGIN (Transact-SQL).
After creating a login, the login can connect to SQL Database but only has the permissions granted to the public role.
But when you performed ALTER AUTHORIZATION ON DATABASE ::[DB1] TO [MyLogin],then ALTER AUTHORIZATION ON DATABASE ::[DB1] TO [ServerAdmin]. It means that change the owner of a SQL Database to MyLogin.
Please see:ALTER AUTHORIZATION for databases.
I think that's why you still can have privilege to search the tables.
Hope this helps.
I'm using AWS RDS MsSql express V13.
I'm trying to create a schema, user and role using the root user I created during the RDS setup but can't. I'm using SQL client.
for example:
use [master]
CREATE USER [my_user] FOR LOGIN [my_login] WITH DEFAULT_SCHEMA=[dbo]
returns: "User does not have permission to perform this action."
AWS RDS restricts permissions on the master database, so you can't create schemas, roles, users, or logins there.
You need to create a second database, which will then allow you to create schemas, users, and roles as expected.
-- use the master database to create your new database:
USE master;
CREATE DATABASE db_test;
-- then, use your new database to create your schema, login, and user:
USE db_test;
CREATE SCHEMA yourschema;
CREATE LOGIN [youruser] WITH PASSWORD = '<PASSWORD>';
CREATE USER [youruser] FOR LOGIN [youruser] WITH DEFAULT_SCHEMA = [yourschema];
I need to create an SQL User: and came across this script:
CREATE USER [Username] FOR LOGIN [Domain\Username]
EXEC sp_addrolemember N'DatabaseRole', N'Username'
at this link:
Creating a user, mapping to a database and assigning roles to that database using SQL scripts
Can someone explain this script to me:
what is [Domain\Username]?
[Username] = The userName I want,
what is sp_addrolemember?
What is N'DatabaseRole',?
What shall I put as N'Username'? The username same as [Username]?
1: [Domain\Username] is for the windows Active Directory-user for that domain.
Example: Say you have an AD/Domain/Computer called StackOverFlow, that would be the Domain, and then your username is Awan, that makes it StackOverFlow\Awan
2: Correct, this is the username you want you just insert your username there (within the brackets)
Example [Awan]
3: sp_addrolemember is a function that adds the user with a specific role. (dbo and such)
4: N'DatabaseRole' is a numeric text where you write in what role your user is supposed to have. An example is db_owner, which makes the user able to create tables, delete tables, alter tables, and so on.
5: Exactly, you just put for example N'Awan' instead of N'Username'
Otherwise you can create a user from SSMS ( http://msdn.microsoft.com/en-us/library/aa337562.aspx )
As you are using WINDOWS server you can only create user for users who have access on windows server.
SERVERNAME\USERNAME E.g. TEMP_SERVER\Ashutosh
Uknow this
This Sp is basically sets roles for a user.
4&5. http://msdn.microsoft.com/en-us/library/ms187750.aspx
Below is a way to do it in GUI
http://msdn.microsoft.com/en-us/library/aa337562.aspx
Regards
Ashutosh Arya
[Domain\Username] is a format of windows authentication logon name; you use it to log on to things, one of them is SQL Server
[Username] = The userName I want - I hope so, it should exist on your domain, or if Domain is computer name, then it has to exist on your computer
sp_addrolemember is a stored procedure that assigns a role to your user; roles can be e.g. database level roles like db_owner, db_datareader, db_datawriter...
Look at 3.
If I have user MyUser on MyComputer, I would put MyComputer\MyUser; If I have user MyUser on MyDomain, I would put MyDomain\MyUser
What role should I give a sql login if I need the login to be able to create a database, and create additional logins and add users based on those logins to the database i created? This is sql 2005.
There is no fixed database role that includes these permissions. You'll have to create a role and assign the permissions individually.
CREATE ROLE db_creator
GRANT CREATE DATABASE TO db_creator
GRANT ALTER ANY LOGIN TO db_creator
GRANT ALTER ANY USER TO db_creator