I have a Azure SQL DB. I need to give a Azure group permissions to do select statements to get data out of this DB, but it's important they can't do anything to mess it up with delete/update etc.
I created a SQL user from a 365 group with
CREATE USER [GroupName] FROM EXTERNAL PROVIDER
, but now these group members have permission to do update/delete commands etc. I only want these group members to be able to do select statements. However...
EXEC sp_addrolemember 'db_datareader', 'GroupName'
ALTER ROLE db_datareader ADD MEMBER [GroupName]
gives the error:
Cannot alter the role 'db_datareader', because it does not exist or you do not have permission.
Why is this? I would assume I need to revoke the current permissions anyway?
I'm assuming you are grating permission to Azure Active Directory Group.
Use the below statements and it should work fine.
EXEC sp_addrolemember 'db_datareader', 'Azure Active Directory Group'
GRANT SELECT ON SCHEMA::<schema_name> TO [Azure Active Directory Group]
Note: Make sure you have required permission on the schema level to grant the required permission. Please see the permissions here.
I wasn't able to figure it out so I just deleted the user and created from scratch.
Related
I have a requirement where I need to revoke users access on a particular schema as we will be purging that schema and its table in future.
Currently, the process followed to create Schema and grant access is like below,
Create Schema
Create DB Role
Create Azure AD Group on azure portal
Create DB User with the same name as AD group
Then, we run EXEC sp_addrolemember command to add DB user to DB role in database.
Finally, we run the Grant command to give permission (Select, Insert etc) on Schema to DB Role.
Now, whenever any new user need access to that schema we simply add him in the Azure AD group and he is able to see and access that schema.
However, when I Revoke the access of user by removing him from Azure AD group he is still able to see that Schema.
As I am not an expert in SQL so I am not sure what am I missing in order to revoke his access.
I also tried Revoke command like below but still the user is able to see the schema.
REVOKE SELECT ON SCHEMA :: Schema_Name TO [DB Role]
Am I missing anything, can anyone please let me know the right steps to revoke user access so that they should not be able to see that schema anymore or should not be able to run any command on that schema not even select command?
Then, in addition to remove it from the AD group, try to deny permissions on the schema:
DENY SELECT,VIEW DEFINITION On SCHEMA::Schema_Name To [user_name]
Is there a way I can grant truncate permission to a user without altering privileges in SQL Server?
The minimum permission required is ALTER on table_name. TRUNCATE TABLE permissions default to the table owner, members of the sysadmin fixed server role, and the db_owner and db_ddladmin fixed database roles, and are not transferable. However, you can incorporate the TRUNCATE TABLE statement within a module, such as a stored procedure, and grant appropriate permissions to the module using the EXECUTE AS clause.
CREATE PROCEDURE dbo.usp_Demo
WITH EXECUTE AS 'CompanyDomain\SqlUser1'
AS
SELECT user_name();
Source
You can go through this official documentation.
Create a test Login and User id then grant it execute permission on the stored procedure Truncate_Table_Loner. This id will be used to perform the truncate.
-- Grant Execute Permission
-- Setup ID on Database with Connect permission
USE master
GO
CREATE LOGIN [test_user_id] WITH PASSWORD = 'JustConnect123';
GO
USE TestSQL
GO
CREATE USER [test_user_id] FOR LOGIN [test_user_id];
GO
-- Grant Permission
GRANT EXECUTE ON dbo.Truncate_Table_Loner TO [test_user_id];
GO
I am trying to create a user who can select all tables within a DB in AzureSQL. but has privileges to Insert,delete, update on his own schema(ODS) within the DB?
Here is the example about create a user who can select all tables within a DB in Azure SQL database (readonly):
--running in master db
USE [master]
GO
CREATE LOGIN [sagarreadonly] WITH PASSWORD='password'
GO
-- running in Azure SQL DB
USE [DataEncryptDemo]
GO
CREATE USER [sagarreadonly] FOR LOGIN [sagarreadonly] WITH DEFAULT_SCHEMA = Marketing;
GO
EXEC sp_addrolemember 'db_datareader', 'sagarreadonly';
GO
For more details about database roles, please see Database-Level Roles.
Since the user is added to the 'db_datareader' role, it's a readonly user and doesn't have the permission to insert, delete, update on his own schema(ODS) within the DB. You can not achieve that and it's contradictory.
Hope this helps.
I am connecting to my SQL studio manager using Power BI (a report writing software). I only want tables appearing listed under a certain schema, and deny permission to access all others, instead of displaying all tables which it currently does.
Usually, when preventing individual users from accessing a schema, I would use the following code:
revoke select on schema::UnwantedSchema to User
grant select on schema::WantedSchema To User
However, now I want it so ALL users and Logins have these permission settings. Not just the individual user. Is there a way I can do this without having to set the permissions for every individual user?
If you wanted to set the privileges to multiple user logins, You need to create a role and assign the role to the ers to that role. The give required permission to the role created.
Following are the sample steps.
--Create a new role
EXEC sp_addrole 'yourRole'
GO
--Assiging role to the user
EXEC sp_addrolemember 'yourRole', 'yourUser';
GO
--Assigning permissions to the Role
GRANT ALTER, DELETE, EXECUTE, INSERT, REFERENCES, SELECT,
UPDATE, VIEW DEFINITION ON SCHEMA::YourSchema TO yourRole;
GO
GRANT CREATE TABLE, CREATE PROCEDURE, CREATE FUNCTION, CREATE VIEW TO yourRole;
GO
I am having trouble granting permissions to users of my database. For instance, I cannot seem to get my user SELECT privileges no matter how many securables and memberships I give it. I started by giving the user select permission database>security>Users>Properties>securables
and giving it db_datareader membership. After this did not work I added the user to all of the memberships and granted him all permissions available in the securables section. After that failed, I gave the user all permissions available in the security>login>properties, I added the login to all server roles accept sysadmin and gave the user ownership of all schemas in the database I want him to access. Still I get this same error below:
The SELECT permission was denied on object 'Patient_Information', database 'Clinical_Data', schema 'dbo'
When I add the login to the role sysadmin, the user that it is mapped to has no problem doing selects, inserts and basically anything else. The weird thing is that when I look into database>properties>Permissions the user does not have any of the permissions that I have granted him in the securables section. Here is the code I use to grant:
USE Clinical_Data; GRANT Select on schema::DBO to lab31
Thanks in advance for any help you can provide.
I usually create a database role and assign the user to the role. Assign the schema privileges to the database roles. A quick example of this using code for a fictitious database is below.
--
-- 1 - GRANTING CORRECT USER ACCESS BY SCHEMA
--
--create test user login
CREATE LOGIN [User1] WITH PASSWORD=N'p#55w0rd'
GO
-- Make sure we are in autos
USE [AUTOS]
GO
--create user in test database
CREATE USER [User1] FOR LOGIN [User1] WITH DEFAULT_SCHEMA=[ACTIVE]
GO
--create role
CREATE ROLE [Auto_User] AUTHORIZATION [dbo]
GO
--apply permissions to schemas
GRANT ALTER ON SCHEMA::[ACTIVE] TO [Auto_User]
GO
GRANT CONTROL ON SCHEMA::[ACTIVE] TO [Auto_User]
GO
GRANT SELECT ON SCHEMA::[ACTIVE] TO [Auto_User]
GO
--ensure role membership is correct
EXEC sp_addrolemember N'Auto_User', N'User1'
GO
If you are more comfortable with SQL Server Management Studio, here is a go. All actions might not be exact but I did check them with SS 2012.
Lets say your login is [bilbo] and the database they want to access is [middle earth].
Is the default database for the server login = [bilbo] the database they are trying to query, [middle earth]?
[SMSS object explorer path]: Server -> security -> logins -> right click + properties
Is the server login mapped to a database user named [bilbo] in the [middle earth] database?
[SMSS object explorer path]: Database name -> security -> users
Make sure the user [bilbo] is not in any deny database roles (db_denydatareader, db_denydatawriter). Any deny actions over ride any grants.
[SMSS object explorer path]: Database name -> security -> roles -> database roles -> select + right click + properties
{You would add your custom database role here.}
Make sure the user [bilbo] has permissions to the schema.
[SMSS object explorer path]: Database name -> security -> schemas -> select + right click + properties
This should give you the layout of the land.
Find the offending revoke or lack of permission and assign it.
Please do not give out all server roles or all database roles! You are just asking for a head ache when the user does something stupid like drop table.