When provisioning a new Azure Active Directory user's access to an Azure SQL Data Warehouse or Database does the user need to be added to the master database in the Azure SQL Server?
This documentation only talks about adding the Azure Active directory user to the specific warehouse database and associating them with a role within that database. I have however found that unless the user is added also added to the master database then they cannot sign on via SSMS.
Here is what I am doing:
CREATE USER [joe#domain.com]
from external provider
WITH DEFAULT_SCHEMA = dbo
EXEC sp_addrolemember 'db_datareader', 'joe#domain.com'
--toggle to master
CREATE USER [joe#domain.com]
from external provider
WITH DEFAULT_SCHEMA = dbo
Does the user always need to be added to master? Is there a better way to configure security so that I do not always have to add the user to master? Am I totally missing something here?
Related
I would like to change the Azure SQL Managed Instance admin (this is not for the Active Directory Admin). I do not see any way to do this directly. I am guessing that if I create another sysadmin user, and then delete the current Managed Instance admin user which is also a sysadmin. This might force the backend to fall back and look for any sysadmin available to fill the vacated Managed Instance admin. I have not tried this because the current Azure SQL Managed Instance is in use. I am afraid the Azure SQL Managed Instance might blow up if it loses its Managed Instance admin.
What will occur if one deletes the Managed Instance admin user?
Connect to the instance name from Azure Data Studio and create a new admin user:
Go to the master db and run the create login script
CREATE LOGIN newusername WITH PASSWORD = 'password123'
Go to your database and run
use databasename
go
Create user [newusername] from login [newusername]
go
exec sp_addrolemember 'db_owner', 'newusername';
Remove your old user admin
I am working on a project and I have access to SQL Server as external user with limited privileges.
When I want to create a login for example with this command, I get permission denied:
CREATE LOGIN [login] WITH PASSWORD=N'test', DEFAULT_DATABASE=[master],
DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF)
However when I try to create a login with this command I can make it and also I have privileges now to enable xp_cmd shell as well:
EXECUTE('EXECUTE(''CREATE LOGIN [test5] WITH PASSWORD=N''''test'''',
DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'') AT "hostname\domain"')
EXECUTE('EXECUTE(''ALTER SERVER ROLE [sysadmin] ADD MEMBER [test5]'')
EXECUTE('EXECUTE(''ALTER SERVER ROLE [db_owner] ADD MEMBER [test5]'')
Can someone please explain why is that?
EXECUTE('string sql statement') AT "hostname\domain" == the 'string sql statement' is a pass-through command executed at the linked server "hostname/domain".
Has someone created a loop-back linked server (a linked server that points to the sql instance itself)?
Linked servers have their own security configuration/settings. If the security of the linked server is configured (for any login) to be made under the security context of a privileged login(eg. sa) then exec('') at linkedserver will be executed with way more/elevated permissions (than expected). This is a major security issue/hole.
Check the security of the linked server and change accordingly (and do you really need a loopback linked server?)
I am unable to grant access to a newly restored database using sp_grantdbaccess. I am trying to do this via dynamic sql like below.
DECLARE #grant_access nvarchar(500)
SET #grant_access = 'EXEC ' + #new_db_name + '.dbo.sp_grantdbaccess ''IIS APPPOOL\myApp'''
EXEC sp_executesql #grant_access
I get the below error back trying to run this from a sproc. Any ideas on how I can grant permission for the app to call sp_grantdbaccess etc? I guess I am needing permission to give permission...
Error restore_backup restore_new_configDBThe server principal "IIS
APPPOOL\myApp" is not able to access the database "new_db_name" under
the current security context
Based on the error message it looks like you are trying to grant access to IIS APPPOOL\myApp using the security context IIS APPPOOL\myApp, but IIS APPPOOL\myApp doesn't have the access rights to the db to grant access rights to itself. I think this is akin to me trying to grant myself access to my neighbors house, but I don't have any authority to do so.
Depending on what type of security policies you are working under, I would either run the app pool under an account that has the greater privileges through integrated auth (but this might negate your need to grant privileges), or execute these SQL statements using a local SQL account with the necessary privileges to the database. In these cases, it would be like asking my neighbor (elevated access) to let me (IIS APPPOOL\myApp) in.
If you think it should work because IIS APPPOOL\myApp had access to the DB prior to being backed up, could this be a problem with IIS APPPOOL\myApp being an orphaned user? See http://msdn.microsoft.com/en-us/library/ms175475.aspx But with this case, you still might run into the above scenario trying to fix the orphaned user.
I have create a account and assign server role as public.
the assign user mapping on database mydb as dbo, and for msdb also as dbo.
with User mapping setting on msdb, I checked following role:
DatabaseMailUserRole
db_owner
public
then my app login with this account and try to send out email with database mail profile.
and I got error as:
System.Data.SqlClient.SqlException: The EXECUTE permission was denied on the object 'sp_send_dbmail', database 'msdb', schema 'dbo'.
If I assign server role sysadmin to this account. then it's working fine.
but I don't want to assign sysadmin to this account. how to resolve this issue?
Weird thing is I also try it on testing server. that account even not in DatabaseMailUserRole on msdb, it's working fine.
The only difference on 2 sql sever box is SMTP authentication setting:
On testing box, is set as "Basic Authentication"
On production box, is set as "Windows Authentication using Database Engine service credentials"
Hi Bridge. Thanks. run EXEC msdb.dbo.sysmail_help_principalprofile_sp and got following on production:
principal_id principal_name profile_id profile_name is_default
11 guest 1 sqlservice 0
12 mydomainaccount 1 sqlservice 0
On staging, no result.
To send Database mail, users must be a user in the msdb database and a member of the DatabaseMailUserRole database role in the msdb database. To add msdb users or groups to this role use SQL Server Management Studio or execute the following statement for the user or role that needs to send Database Mail.
EXEC msdb.dbo.sp_addrolemember #rolename = 'DatabaseMailUserRole'
,#membername = '<user or role name>';
GO
Source: http://technet.microsoft.com/en-us/library/ms188719%28v=sql.100%29.aspx
I need to script a specific SQL Login, with it's associated User Mappings and role memberships. Is this possible? If so, someone please point me in the right direction.
Thanks!
Script the logon in SSMS
Script the user in SSMS
Script the role in SSMS
Do the sp_addrolemember manually
It's just as quick
Or modify this. Which is just as quick as using SSMS...
USE master
GO
CREATE LOGIN SomeLogin --FROM WINDOWS?
GRANT CONNECT SQL TO SomeLogin
GO
USE MYDB
GO
CREATE USER SomeUser FOR LOGIN SomeLogin
GRANT CONNECT TO SomeUser
GO
CREATE ROLE SomeRole AUTHORIZATION [dbo]
GO
EXEC sp_addrolemember 'SomeRole', 'SomeUser'
GO
OR... Use the Azure User Management console - AUMC to manage the Logins and Users.
It's a open source project available on codeplex AUMC.codeplex.com
Project Description
Azure User Management Console - AUMC is a User
Graphic Interface (GUI) that manages the users and logins of an Azure
SQL database. The tool is simply converting your action into T-SQL
commands and execute them on the Azure SQL Database.
A quick simple tool with a user interface! Don
Enjoy!