I would like to change the Azure SQL Managed Instance admin (this is not for the Active Directory Admin). I do not see any way to do this directly. I am guessing that if I create another sysadmin user, and then delete the current Managed Instance admin user which is also a sysadmin. This might force the backend to fall back and look for any sysadmin available to fill the vacated Managed Instance admin. I have not tried this because the current Azure SQL Managed Instance is in use. I am afraid the Azure SQL Managed Instance might blow up if it loses its Managed Instance admin.
What will occur if one deletes the Managed Instance admin user?
Connect to the instance name from Azure Data Studio and create a new admin user:
Go to the master db and run the create login script
CREATE LOGIN newusername WITH PASSWORD = 'password123'
Go to your database and run
use databasename
go
Create user [newusername] from login [newusername]
go
exec sp_addrolemember 'db_owner', 'newusername';
Remove your old user admin
Related
When provisioning a new Azure Active Directory user's access to an Azure SQL Data Warehouse or Database does the user need to be added to the master database in the Azure SQL Server?
This documentation only talks about adding the Azure Active directory user to the specific warehouse database and associating them with a role within that database. I have however found that unless the user is added also added to the master database then they cannot sign on via SSMS.
Here is what I am doing:
CREATE USER [joe#domain.com]
from external provider
WITH DEFAULT_SCHEMA = dbo
EXEC sp_addrolemember 'db_datareader', 'joe#domain.com'
--toggle to master
CREATE USER [joe#domain.com]
from external provider
WITH DEFAULT_SCHEMA = dbo
Does the user always need to be added to master? Is there a better way to configure security so that I do not always have to add the user to master? Am I totally missing something here?
I have a terraform code that deploys Azure SQL database with server admin credentials. But I would like to create a separate user and login on the Database with dbo permissions. Could someone please help with terraform code for this?
Maybe you can reference this blog: How to create database user and assign role to it with terraform:
I've started working on a Terraform provider that will do this over at https://github.com/jayway/terraform-provider-mssql. It's still very early work, but I've managed to make it provision logins and users for those logins in a local SQL Server instance (that was already running, so I haven't tested it at all in conjunction with e.g. the AzureRM provider). Testing and contributions are very welcome (but don't use it for production scenarios just yet)!
User sumit salunke accepted(marked) it as answer, I think it should works.
Hope this helps.
I am working on a project and I have access to SQL Server as external user with limited privileges.
When I want to create a login for example with this command, I get permission denied:
CREATE LOGIN [login] WITH PASSWORD=N'test', DEFAULT_DATABASE=[master],
DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF)
However when I try to create a login with this command I can make it and also I have privileges now to enable xp_cmd shell as well:
EXECUTE('EXECUTE(''CREATE LOGIN [test5] WITH PASSWORD=N''''test'''',
DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'') AT "hostname\domain"')
EXECUTE('EXECUTE(''ALTER SERVER ROLE [sysadmin] ADD MEMBER [test5]'')
EXECUTE('EXECUTE(''ALTER SERVER ROLE [db_owner] ADD MEMBER [test5]'')
Can someone please explain why is that?
EXECUTE('string sql statement') AT "hostname\domain" == the 'string sql statement' is a pass-through command executed at the linked server "hostname/domain".
Has someone created a loop-back linked server (a linked server that points to the sql instance itself)?
Linked servers have their own security configuration/settings. If the security of the linked server is configured (for any login) to be made under the security context of a privileged login(eg. sa) then exec('') at linkedserver will be executed with way more/elevated permissions (than expected). This is a major security issue/hole.
Check the security of the linked server and change accordingly (and do you really need a loopback linked server?)
I am unable to grant access to a newly restored database using sp_grantdbaccess. I am trying to do this via dynamic sql like below.
DECLARE #grant_access nvarchar(500)
SET #grant_access = 'EXEC ' + #new_db_name + '.dbo.sp_grantdbaccess ''IIS APPPOOL\myApp'''
EXEC sp_executesql #grant_access
I get the below error back trying to run this from a sproc. Any ideas on how I can grant permission for the app to call sp_grantdbaccess etc? I guess I am needing permission to give permission...
Error restore_backup restore_new_configDBThe server principal "IIS
APPPOOL\myApp" is not able to access the database "new_db_name" under
the current security context
Based on the error message it looks like you are trying to grant access to IIS APPPOOL\myApp using the security context IIS APPPOOL\myApp, but IIS APPPOOL\myApp doesn't have the access rights to the db to grant access rights to itself. I think this is akin to me trying to grant myself access to my neighbors house, but I don't have any authority to do so.
Depending on what type of security policies you are working under, I would either run the app pool under an account that has the greater privileges through integrated auth (but this might negate your need to grant privileges), or execute these SQL statements using a local SQL account with the necessary privileges to the database. In these cases, it would be like asking my neighbor (elevated access) to let me (IIS APPPOOL\myApp) in.
If you think it should work because IIS APPPOOL\myApp had access to the DB prior to being backed up, could this be a problem with IIS APPPOOL\myApp being an orphaned user? See http://msdn.microsoft.com/en-us/library/ms175475.aspx But with this case, you still might run into the above scenario trying to fix the orphaned user.
I need to script a specific SQL Login, with it's associated User Mappings and role memberships. Is this possible? If so, someone please point me in the right direction.
Thanks!
Script the logon in SSMS
Script the user in SSMS
Script the role in SSMS
Do the sp_addrolemember manually
It's just as quick
Or modify this. Which is just as quick as using SSMS...
USE master
GO
CREATE LOGIN SomeLogin --FROM WINDOWS?
GRANT CONNECT SQL TO SomeLogin
GO
USE MYDB
GO
CREATE USER SomeUser FOR LOGIN SomeLogin
GRANT CONNECT TO SomeUser
GO
CREATE ROLE SomeRole AUTHORIZATION [dbo]
GO
EXEC sp_addrolemember 'SomeRole', 'SomeUser'
GO
OR... Use the Azure User Management console - AUMC to manage the Logins and Users.
It's a open source project available on codeplex AUMC.codeplex.com
Project Description
Azure User Management Console - AUMC is a User
Graphic Interface (GUI) that manages the users and logins of an Azure
SQL database. The tool is simply converting your action into T-SQL
commands and execute them on the Azure SQL Database.
A quick simple tool with a user interface! Don
Enjoy!