I am trying to set the firewall rule for specific user account in my Azure SQL database. Currently I have two login accounts, “admin” and “user”. I want to open up the access to allow all “user” IP addresses to be able to access the database. Right now my firewall settings are blocking anyone trying to access the “user” account without having their IP address whitelisted. I’m unclear how to assign a firewall rule to a specific database login.
First make sure while creating the SQL Server in Azure, select Yes for Allow Azure services and resources to access this server in Networking settings.
Open the Azure SQL Server in SQL Server Management Studio.
Switch to the "master" database from the database selection box.
Create the Server Login by executing below statements.
CREATE LOGIN testLogin1
WITH PASSWORD = '<Strong_Password_Goes_Here>';
Now select the database for which you want to create the user. In another Query window, run the below statements to create the user.
CREATE USER [testLogin1]
FROM LOGIN [testLogin1]
WITH DEFAULT_SCHEMA=dbo;
At last give the db_owner permission to the new user.
ALTER ROLE db_owner ADD MEMBER [testLogin1];
Now just go to your Azure Database Query editor, and login with new user and password. It will login.
Related
I'm looking at using SQL LocalDB as the client side database which will replace the current SQL CE 3.5 database inside an in-house application developed in .net 4.
I've come across a problem that I'm not sure how to get around and that's with security setup of the LocalDB instance.
If I setup a script inside .net to create a private LocalDB instance, e.g. (localdb)\T1, then create a new database inside that instance plus add a SQL user account + password (non domain account), how do I stop the local windows users (like my own AD account) with admin level privileges from accessing the 'T1' instance + database using SSMS?
I could see a scenario playing out where we deploy the application, then we have some IT savvy user who goes snooping around and decides to install SSMS and connect to (localdb)\T1 with their windows account, which would give him/her full access to the database, which is exactly what I'm trying to stop from happening.
Some of our staff work remotely with no connection to a domain so we give them local admin rights to their pc so they can install software, so even if I could block their assigned windows login name, there would be nothing stopping them from setting up a new local admin account and logging in with that, opening SSMS then accessing the database.
Any pointers on this would be greatly appreciated!
In fact, it shouldn't be so hard. Install SQL Server on client machine using local admin account. To make you life easier, use Mixed Authentication.
After you have your instance installed, local admin account should have sysadmin server role assigned (that's normal security settings). Now, use the following:
Create new SQL Server user and assign sysadmin server role to that account. Close SSMS and log-in using new credentials. Or simply use sa account (not so good practice but in this case it's OK).
Go to "Security - Logins" and remove sysadmin role from local admin. Also, check in user mappings and take all rights "away" from local admin.
As a test, try to log-in as local admin, I guess you won't be able to log-in into server because there is no "home" database for that user. But even if you can log-in, it has only "public" role.
It's up to you to install your database and secure it - assign permission to user of your choice.
Regarding you fear that local admin can install MSSQL again: he/she can install it, but it would be another instance. That instance knows nothing about users in your instance so you should be safe.
You can also consider usage of application roles in SQL server.
When creating a SQL Azure server, we get one 'superuser' that has full access to all databases. We would like to create more of these users, but not quite sure how.
We have looked at the following article:
http://msdn.microsoft.com/en-us/library/azure/ee336235.aspx
It allows us creating new logins via:
-- first, connect to the master database
CREATE LOGIN login1 WITH password='<ProvidePassword>';
Then we can add the 'dbmanager' and 'loginmanager' roles:
-- first, connect to the master database
CREATE LOGIN login1 WITH password='<ProvidePassword>';
CREATE USER login1User FROM LOGIN login1;
EXEC sp_addrolemember 'dbmanager', 'login1User';
EXEC sp_addrolemember 'loginmanager', 'login1User';
The new user can now connect to our SQL Azure server and see all the databases. However, the user is then unable to connect to individual databases. A workaround is to create a user mapped to a new login in each database and grant that user db_owner rights, but that is cumbersome and requires maintenance.
Is there an easy way of creating another sysadmin user in SQL Azure?
There is only 1 server admin account allowed for Azure SQL Databases. However, you can add an Azure Active Directory (AAD) group as the Active Directory admin, enabling multiple AAD users to be server admins. More details here about using AAD on Azure SQL Database.
My SQL 2008 R2 Server is configured for Windows authentication, but only my domain administrator account is granted access to connect to the object explorer.
I need to grant my non-administrator domain-user access as well, so I can log in from my local workstation.
Connect to the object explorer. Navigate down to the server > Security > Logins. Right click and select new login (or add login). In the new window put your domain account (or group) and grant it what ever rights you want it to have. If this is just your personal SQL instance on your workstation then just make your account a sysadmin.
I have a user Sql Authentication account that has remote access to my database server. The user has a default database, and is only able to access or modify that DB. So far so good. However, I'd like to prevent the user from viewing the other databases that he doesn't have access to anyway.
Inside server permissions, I can deny the user the ability to "View Any Database", but then he can't see even the one database he's allowed to modify. He can still execute SQL against it, but he has no gui access through sql mgmt studio.
Is there a way to set this up properly?
Thanks.
You can allow view in SSMS if your remote login owns the database.. which is different to db_owner
Try setting Server Role to Public and Database Role to db_owner.
I am a developer-having-to-play-admin and wish to connect to a remote sql server from my development machine using a sql server user ("op_web").
When I try to connect from vs2008 Server Explorer, I can connect to the server, but no databases are listed. If I connect using the server admin user, all databases are listed as expected.
The server is a relatively fresh install made by me.
I have
allowed for remote connections in sql server.
created the login op_web at server level
created a user at database level and assigned to login with same name
assigned roles to the user to allow for reading and writing - I have assigned no schemas and default schema for the user is dbo.
If I log on (locally at server) using sqlserver management studio/sqlserver authentication and the created login, I can display and alter table data as I would expect.
Remote access gives me no choice of databases.
Any pointers to what I might have missed?
You have to give your users rights on the database.