I'm logged in with the user that is marked in the Azure portal as being the server admin.
I need to grant control database to a given user so that the sys.fn_get_audit_file can be executed.
But even with the admin user I'm getting the error
Msg 262, Level 14, State 1, Line 1
CONTROL permission denied in database 'master'.
Msg 297, Level 16, State 1, Line 1
The user does not have permission to perform this action.
Any suggestions
First make sure you are using correct authentication. E.g. Windows, Azure etc.
Also be sure you have permission to create database
Run below query on you database
ALTER SERVER ROLE sysadmin ADD MEMBER your-user;
GO
Refer this link for more information.
Related
I have a sql azure database which is geo-replicated. Now I want to create a user with login and grant him a permission to read data from some table in the readonly replica.
But it seems like it's not possible.
When I'm trying to create a user for login I get a error message about readonly database:
CREATE USER [user_name] FOR LOGIN [login_name]
Failed to update database "test-master" because the database is
read-only.
When I'm trying to make a database read-write it tells me that it's not possible because of geo-replication:
ALTER DATABASE [test-master] SET READ_WRITE
ODBC error: State: 42000: Error: 1468 Message:'[Microsoft][ODBC Driver 17 for SQL
Server][SQL Server]The operation cannot be performed on database
"test-master" because it is involved in a database mirroring session
or an availability group. Some operations are not allowed on a
database that is participating in a database mirroring session or in
an availability group.'. Msg 5069, Level 16, State 3, Line 5 ALTER
DATABASE statement failed.
So is it possible at all?
UPDATE:
It's seems like login info is not replicated.
Script User as CREATE TO in Master db:
CREATE USER [user_name] FOR LOGIN [login_name] WITH DEFAULT_SCHEMA=[dbo]
Script User as CREATE TO in Replica db:
CREATE USER [user_name] WITH DEFAULT_SCHEMA=[dbo]
Does it mean that it's not possible to add a new login to the replica db?
I found a solution here: https://blogs.msdn.microsoft.com/azuresqldbsupport/2018/05/21/tips-tricks-what-you-need-to-do-to-creat-sql-login-to-authenticate-to-azure-sql-dbs-members-in-auto-failover-group/
It's possible to use Forced Failover feature which swap databases and hence make my replica writable so I can create a user and grant permissions(of course during this change previous master db becomes readonly).
I created a user in database A, this user is a role account, something like 'DIR\XXXX' which i used this role account to control who can access to database A. Now my question is how can get a list of members that assigned to this role account ? I tried by below method but failed
EXEC xp_logininfo 'DIR\Management_Accountant_Group', 'members'
Here the error message
Msg 15404, Level 16, State 4, Procedure xp_logininfo, Line 43
Could not obtain information about Windows NT group/user 'DIR\Management_Accountant_Group', error code 0x6ba.
When I run to alter the procedure, I get an error:
Msg 18487, Level 14, State 1, Line 1
Login failed for user 'tester'. Reason: The password of the account has expired.
However when I check under Security -> Logins, I can't find a user with this name.
I also tried removing the expiration with the following command:
ALTER LOGIN tester
WITH DEFAULT_DATABASE = [master],
DEFAULT_LANGUAGE = [us_english],
CHECK_EXPIRATION = OFF
The system says that the user does not exist or I don't have permission (I'm sysadmin)
Msg 15151, Level 16, State 1, Line 1
Cannot alter the login 'tester', because it does not exist or you do not have permission.
Per my comment...
Please verify that the stored procedure is not utilising a linked server which may contain/use the credentials indicated.
Stored procedures validate connections/credentials on recompile.
I need to permission a user to a database right after a database restore.
I tried this:
Use [master]
go
restore database DBTest
from disk='E:\userTemp\DBTest1.bak'
WITH MOVE 'DBTest' TO 'E:\SQLData\DBTest1.mdf',
MOVE 'DBTest_log' TO 'F:\SQLData\DBTest1.ldf',
replace, recovery, stats=5, maxtransfersize=1048576
Print '---------------------------RESTORE COMPLETED ---------------------------'
-- Create the user.
CREATE USER [user_indi] FOR LOGIN [user_indi]
GO
USE [DBTest]
GO
EXEC sp_addrolemember N'db_owner', N'user_indi'
GO
When I do this, I get the following error:
Msg 15023, Level 16, State 1, Line 22
User, group, or role 'user_indi' already exists in the current database.
Msg 15410, Level 11, State 1, Procedure sp_addrolemember, Line 75
User or role 'user_indi' does not exist in this database.
So, what added the command to remove the user in the middle. Now it looks like this.
Use [master]
go
restore database DBTest
from disk='E:\userTemp\DBTest1.bak'
WITH MOVE 'DBTest' TO 'E:\SQLData\DBTest1.mdf',
MOVE 'DBTest_log' TO 'F:\SQLData\DBTest1.ldf',
replace, recovery, stats=5, maxtransfersize=1048576
Print '---------------------------RESTORE COMPLETED ---------------------------'
-- Remove the user
USE [DBTest]
GO
DROP USER [user_indi]
GO
-- Create the user.
CREATE USER [user_indi] FOR LOGIN [user_indi]
GO
USE [DBTest]
GO
EXEC sp_addrolemember N'db_owner', N'user_indi'
GO
Now, I get the error:
Msg 15151, Level 16, State 1, Line 2
Cannot drop the user 'user_indi', because it does not exist or you do not have permission.
I can't allow errors as I need to schedule this restore and permission job. Why am I getting this error and how can I workaround it?
RM
Your USE [DBTest] statements are in two different places.
In the first one, you're attempting to create the user in MASTER. In the second one, you're creating it in DBTest.
I am needing to update the password of one of the users in the database security folder in SQL Server 2012. Unfortunately, we do not have a DBA in-house and consequently needing some help. I've been told that I have sysadmin privileges on this SQL Server but I cannot find WHERE to update a user's password in the database. When I googled this, msdn show me how to update a login in the SQL Server 2012 box but this user is NOT listed under the Security\Logins folder in this server but this user is only under the database\Security\Users folder.
I had tried the ALTER LOGIN username WITH PASSWORD = 'password'; command but I only got this error:
Msg 15151, Level 16, State 1, Line 2
Cannot alter the login 'ATM', because it does not exist or you do not have permission.
Any help/direction would be appreciated. Thanks.
This is the difference between logins and users and how they relate to each other:
Logins - Instance level principals that allow an entity to connect to the SQL Server instance. They do not, by their nature, grant any access to databases on the instance. The exception to this is a login with sysadmin rights can use a database because they are sysadmin, but because of sysadmin level permissions.
Users - Database level principals that allow an entity to connect to a SQL Server database. Users are associated with logins via SIDs, creating a relationship between the two and allowing a login to connect to the instance and then use the associated user to connect to the database.
What commonly happens with SQL authenticated logins and database users on a restore is that the SIDS will be out of sync or a login will not exist for a user in the database, thus breaking the relationship. This relationship must be repaired before you can connect to the database using that login, because in the eyes of SQL Server those principals are no longer connected. If the login doesn't exist, you will have to first create it in order to associate it with the user:
--Windows login (Active Directory pass through)
CREATE LOGIN [DOMAIN\foo] FROM WINDOWS;
--SQL Authenticated
CREATE LOGIN [foo] WITH PASSWORD='5+r0ngP#55w0rd';
Once the login exists, associate it with the user:
ALTER USER [foo] WITH LOGIN=[foo]
You can use the following query in the context of your database to check for orphans:
select
dp.name [user_name]
,dp.type_desc [user_type]
,isnull(sp.name,'Orhphaned!') [login_name]
,sp.type_desc [login_type]
from
sys.database_principals dp
left join sys.server_principals sp on (dp.sid = sp.sid)
where
dp.type in ('S','U','G')
and dp.principal_id >4
order by sp.name