We are currently running an Elastic Pool within azure to host all our databases.
We need to back up these to on-premise as well in case of an emergency, and for it we are trying to use sqlpackage.
Now initially i tried running it with a user which only has the db_backupoperator role, however view definition was also required. However i would not like to give the backup user complete db_securityadmin permissions.
So i've tried giving the backup user only VIEW DEFINITION access by using the following command
GRANT VIEW DEFINITION ON SCHEMA::dbo TO [user]
However i am still getting the error that i do not have View Definition permissions.
I've also tried adding a custom role, however that is not supported within AzureSQL
NOTE: Full rollout to grant access:
CREATE USER backupuser
FOR LOGIN backupuser
WITH DEFAULT_SCHEMA = dbo;
ALTER ROLE db_datareader ADD MEMBER backupuser;
ALTER ROLE db_datawriter ADD MEMBER backupuser;
GRANT VIEW DEFINITION ON SCHEMA::dbo TO backupuser
Related
I am granting permission on some objects to my user in a database, Is there any way to grant permission to user without using database role?
I can easily do it by creating database role, but I do not want to use role.
I assigned some objects to my user by Database User, in Securables tab, it didn't work!
create user [user_test] for login [login_test]
create role role_test authorization user_test
exec sp_addrolemember 'role_test', 'user_test'
grant select on object::dbUser.tbl_05 to role_test
I expected I could grant permission to my user and not to use Database Role.
You have (at least) 2 options here, you can assign the permission straight to your DB user (as mentioned in the comment) or you can grant permission on a certificate, which might give you better control in a production environment.
I have got myself into a little bit of a bind, using SQL Server Management Studio to create a database in Azure SQL. My issue appears to be with assigning roles to users in the database. When I created the database, it prompted me to create a new login, with an associated user, that appeared to have all the rights of a database owner. However, I am now trying to create two additional logins and I realize I am screwed. The login that I created when I made the database isn't the database owner, even though I could do all the DDL / DML necessary to create the full schema under that account. I created an additional login, and I added two users to that login. I now want to add that login to a role (db_datareader, db_denywrite) but I cannot.
It appears that the database owner is a user / login called "dbo" that I did not set up. This is the only user that is added as a database owner, and subsequently is the only one that can edit roles. But I do not know the login credentials for this user!
if I use what I believed to be the administrator account (the one I made) to add a role I get the error:
Cannot alter the role 'db_datareader', because it does not exist or you do not have permission.
How can I fix this? How can I get my original account added as a DB Owner? There has got to be a way, but everything I tried points to the fact that I am not the owner of the resource I created; I'm an outcast in my own country...
Thanks!
We are using DB project to track Db changes and a standard XML file to publish the changes locally, to test server, Production etc. At the moment we are just copy pasting code like below to Grant permissions to new tables we create.
GRANT SELECT
ON [dbo].[OrganisationSite] TO [Company_FullAccess]
AS [dbo];
GO
GRANT UPDATE
ON [dbo].[OrganisationSite] TO [Company_FullAccess]
AS [dbo];
GO
GRANT INSERT
ON [dbo].[OrganisationSite] TO [Company_FullAccess]
AS [dbo];
GO
GRANT DELETE
ON [dbo].[OrganisationSite] TO [Company_FullAccess]
AS [dbo];
GO
This is prone to error as we could forget to grant a specific permission.
Is there any way to create a SQL query, to view the permissions granted for each table in the database? So we can check to see what permissions have been granted.
Also, any advice on making this more robust would be appreciated.
The best idea in this case is to use ROLE, and add members as needed.
From the documentation:
Roles are database-level securables. After you create a role, configure the database-level permissions of the role by using GRANT, DENY, and REVOKE
That will make it easy after you create ROLES as needed, you can just add members on it, no need to check every member permissions.
I am creating some users on SQL server but I am a little confused as to whether I grant "alter any login" or "alter any linked server" to my LOGIN or to the USER account?
As you all know, on SQL server, you create users in this order:
Create LOGIN sysUser1 (in master db)
Create USER myUser1 for LOGIN sysUser1 (in users db)
CREATE SCHEMA myUser1 AUTHORIZATION myUser1
then, run sp_addrolemember for myUser1 as needed
then, do grants
I am confused as to whether I should:
grant alter any login to myUser1
or
grant alter any login to sysUser1
Can anyone clarify? Am I thinking of this incorrectly?
ALTER LOGIN is a server level permission, so you can't grant it to database users. You need to grant it to sysUser1 in your case.
See http://msdn.microsoft.com/en-us/library/ms186717.aspx
Edit: Dito for linked server.
Logins and Linked Servers are both objects that exist at the instance level, as opposed to at the database level, so these permissions both need to be applied to the login, rather than the user.
If you are using SQL Server 2012, then it is possible to create you own Instance level roles, but in 2008 and below, you are rrestricted to the built in server roles.
There is a server role called setupadmin that lets members manage linked servers.
Create a new user/login in sql azure with access to read/insert/update on the database items like tables sp,view etc.
This user will not have the permission to drop table/drop procedures.
Please give me an example.
First connect to the server and switch to the master database. In master create a login and then add a user for that login to the master database.
CREATE LOGIN [MyLogin] WITH password='xxxxxxxxx'
GO
CREATE USER [MyUser] FOR LOGIN [MyLogin] WITH DEFAULT_SCHEMA=[dbo]
GO
Next connect/switch to the database you want the new user for. Create a user in that database
CREATE USER [MyUser] FOR LOGIN [MyLogin] WITH DEFAULT_SCHEMA=[dbo]
GO
EXEC sp_addrolemember 'db_datareader', 'MyUser';
GO
EXEC sp_addrolemember 'db_datawriter', 'MyUser';
GO
GRANT EXECUTE ON SCHEMA :: dbo TO MyUser;
GO
You can also use the Azure User Management console - AUMC to manage the Logins and Users.
It's an open-source project available on CodePlex AUMC.codeplex.com
UPDATE: Since CodePlex has been retired (thanks to #Danny the code was saved), I recreated a repo in GitHub and created a release.
This new version uses .NET 4.8
Project Description
Azure User Management Console - AUMC is a User
Graphic Interface (GUI) that manages the users and logins of an Azure
SQL database. The tool is simply converting your action into T-SQL
commands and executing them on the Azure SQL Database.
A quick simple tool with a user interface!
Enjoy!
please read this article from Microsoft on how to properly create logins, users and assigning access rights in SQL Azure: Managing Databases and Logins
Then, in order to assign or deny specific permissions, review this article from Microsoft as well: Granting Access to a Database Object
And here is the link to specifically deny access to permissions: Deny Object Permissions
Note that you can also apply permissions to schemas. A schema is a container of database objects on which you can assign permissions. So you could easily place all your stored procedures in a single schema that you created to that effect, deny alter/drop permission, and grant execute on the schema directly. This way, all the objects within that schema will inherit the permissions defined. Here is the article for schema permissions: GRANT Schema Permission
Also you can do it manually by assigning proper user roles. Check out article: How to create custom user login for Azure SQL Database
Some Azure sql administration tips can be found here
http://thetechnologychronicle.blogspot.in/2013/11/azure-sql-administration-useful-commands.html
http://thetechnologychronicle.blogspot.in/2013/11/securing-windows-azure-sql-using.html