I have a terraform code that deploys Azure SQL database with server admin credentials. But I would like to create a separate user and login on the Database with dbo permissions. Could someone please help with terraform code for this?
Maybe you can reference this blog: How to create database user and assign role to it with terraform:
I've started working on a Terraform provider that will do this over at https://github.com/jayway/terraform-provider-mssql. It's still very early work, but I've managed to make it provision logins and users for those logins in a local SQL Server instance (that was already running, so I haven't tested it at all in conjunction with e.g. the AzureRM provider). Testing and contributions are very welcome (but don't use it for production scenarios just yet)!
User sumit salunke accepted(marked) it as answer, I think it should works.
Hope this helps.
Related
I would like to change the Azure SQL Managed Instance admin (this is not for the Active Directory Admin). I do not see any way to do this directly. I am guessing that if I create another sysadmin user, and then delete the current Managed Instance admin user which is also a sysadmin. This might force the backend to fall back and look for any sysadmin available to fill the vacated Managed Instance admin. I have not tried this because the current Azure SQL Managed Instance is in use. I am afraid the Azure SQL Managed Instance might blow up if it loses its Managed Instance admin.
What will occur if one deletes the Managed Instance admin user?
Connect to the instance name from Azure Data Studio and create a new admin user:
Go to the master db and run the create login script
CREATE LOGIN newusername WITH PASSWORD = 'password123'
Go to your database and run
use databasename
go
Create user [newusername] from login [newusername]
go
exec sp_addrolemember 'db_owner', 'newusername';
Remove your old user admin
I am trying add a photo in the SQL Management Studio 2018. But it tells to use bulk load statement. On the Stackoverflow I saw some steps that may help me. It was recommended to go to the login->security->properties and activate 'bulkadmin'. This operation failed saying that it is not enough permission.
If you are trying to grant the bulkadmin Server Role to a Login, the login you are using to make this change will need to either have CONTROL permissions on the Login, or the ALTER ANY LOGIN permission on the SQL Server itself.
The easiest solution if possible would be for your own Login to be granted the sysadmin Server Role by another Login with the necessary permissions to do this.
More information about Server-Level Roles from Microsoft here.
I have been able to set up an active directory login for my Azure database.
Now I want to add additional active directory logins and set their permissions
I understand that I need to use Management Studio to do this and have installed SSMS v17.8.1
I have been studying docs but I can't find the instructions
[Update]
After reading Conor's answer I was able to create the user
CREATE USER [jobuser#mydomain] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA=[dbo]
However if I try to login using MSSMS with Active Directory - Password authentication I get
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON' (MIcrosoft SQL Server, Error 18456)
[Update]
In the Connection Properties Tab
I had to overtype with the database name
That particular page only shows an example using a SQL login/user, so I can understand why you are confused.
Please read through this page:
https://learn.microsoft.com/en-us/sql/t-sql/statements/create-user-transact-sql?view=sql-server-2017
Specifically, you want to create a user using the AS EXTERNAL PROVIDER example. This tells SQL Azure (and SQL DW) to use Azure Active Directory instead of creating a SQL user. Please note that this does not (as of today) work in SQL Server. (SQL Server supports integrated authentication against a local Active Directory, but it just does not currently support the Azure Active Directory service).
Also, there is no specific requirement that you use SSMS to do this step. You can do it within SSMS, SQL Operation Studio, through one of the SQL client drivers in a program you write (or some third party program that can invoke SQL over them), sqlcmd, etc. You don't even need to have the latest SSMS to make things work (though it is recommend to get the best experience against SQL Azure including syntax highlighting).
Please give that a try and see if it gets you unblocked.
Best of Luck!
I am unable to grant access to a newly restored database using sp_grantdbaccess. I am trying to do this via dynamic sql like below.
DECLARE #grant_access nvarchar(500)
SET #grant_access = 'EXEC ' + #new_db_name + '.dbo.sp_grantdbaccess ''IIS APPPOOL\myApp'''
EXEC sp_executesql #grant_access
I get the below error back trying to run this from a sproc. Any ideas on how I can grant permission for the app to call sp_grantdbaccess etc? I guess I am needing permission to give permission...
Error restore_backup restore_new_configDBThe server principal "IIS
APPPOOL\myApp" is not able to access the database "new_db_name" under
the current security context
Based on the error message it looks like you are trying to grant access to IIS APPPOOL\myApp using the security context IIS APPPOOL\myApp, but IIS APPPOOL\myApp doesn't have the access rights to the db to grant access rights to itself. I think this is akin to me trying to grant myself access to my neighbors house, but I don't have any authority to do so.
Depending on what type of security policies you are working under, I would either run the app pool under an account that has the greater privileges through integrated auth (but this might negate your need to grant privileges), or execute these SQL statements using a local SQL account with the necessary privileges to the database. In these cases, it would be like asking my neighbor (elevated access) to let me (IIS APPPOOL\myApp) in.
If you think it should work because IIS APPPOOL\myApp had access to the DB prior to being backed up, could this be a problem with IIS APPPOOL\myApp being an orphaned user? See http://msdn.microsoft.com/en-us/library/ms175475.aspx But with this case, you still might run into the above scenario trying to fix the orphaned user.
Oh yes, the famous error:
Cannot open database "MYDBNAME" requested by the login. The login failed. Login failed for user 'USERNAME'.
Let me explain my situation:
I have a database server, which has a SA account and my user account. The user has the correct mappings to my database (dbowner).
I can open the database with this user, using SQL Management Studio 2008 R2, both on the SQL server itself (using localhost), and on my frontend server.
However, when I run my application, I get the login failed error.
Strange thing is I have a test application and a production application on our frontend server. The test application has test databases on the same database server, and there are no login problems here. The only difference between the two, are the prefix which differs from "TEST" to "PROD". The test application works, the production however, doesn't. The user mappings and seem it should work on both.
Any ideas?
EDIT:
Our connectionstring:
<add key="umbracoDbDSN" value="Server=Websqlsrv01;Database=PROD_Databasename;User ID=umbraco_user;Password=password;Trusted_Connection=False" />
Sql server has a dichotomy login/user
they are 2 different entity:
http://www.akadia.com/services/sqlsrv_logins_and_users.html
maybe your sql login is not associated with an user for database PROD_Databasename but only for TEST_Databasename
another cause could be the user default database or eventually different database schemas
you can easily check if one of those is the problem simply creating a new user for PROD_Databasename and using it in connectionstring.
another way is to execute
exec sp_helpuser
in both databases (PROD and TEST) and see if the username "umbraco_user" is listed.
Anyway it is not a good practice to use same login for 2 different users:
https://dba.stackexchange.com/questions/16374/is-there-any-benefit-to-having-one-sql-server-login-for-multiple-users
Sometimes you need to use servername\instancename in your connection string if you've setup something other than a default instance. Use this link to find your instance name. Give that a try!
right click on you application and run as admin. This should work!