I'm attempting to create 4 different roles in Azure SQL database. The 4 role names are READ_ONLY_ACCESS, READ_UPDATE_ACCESS, READ_WRITE_UPDATE_ACCESS, FULL_ACCESS.
-READ_ACCESS - Grant Select
-READ_UPDATE_ACCESS - Grant Select, Update
-READ_WRITE_UPDATE_ACCESS - Grant select, Update, Insert
-FULL_ACCESS - Grant Select, Update, Insert, Delete
My goal is to create these 4 roles with these permissions, and then be able to create a user assigned to one of these roles. Example below of what I want to do after creating these roles:
CREATE USER username WITH PASSWORD = 'password';
ALTER ROLE READ_ACCESS ADD MEMBER username;
I've found a few sites that help with this, but I'm unclear as to whether or not I need to declare whether to deny access to certain permissions as well as declaring the granted access.
First create roles.
create role ApplicationUsers_ReadAccss;
grant select on schema::dbo to ApplicationUsers_ReadAccss;
create role ApplicationUsers_ReadUpdateAccss;
grant select, update on schema::dbo to ApplicationUsers_ReadUpdateAccss;
create role ApplicationUsers_ReadWriteUpdateAccss;
grant select, insert, update on schema::dbo to ApplicationUsers_ReadWriteUpdateAccss;
create role ApplicationUsers_FullAccess;
grant select, insert, update, delete, execute on schema::dbo to ApplicationUsers_FullAccess;
After that create logins and add them to one of the roles.
--create a server-level Login
create login AppUser with Password ='asdfAds01980(*)(*)(#&$)##';
--add a user mapped to that login in each database
create user AppUser for login AppUser;
alter role ApplicationUsers_FullAccess add member AppUser;
Related
I have a user db_owner who is owner to my database called 'Sales'.
Now i have to create two groups(sales_ro and sales_riu) and then i will add users to this groups.
sales_ro group should inherit(from db_owner) read access on tables and execute on functions in Sales db
sales_riu group should inherit(from db_owner) insert and update access on tables and execute on functions in Sales db.
can we create such two groups in Postgres ?
You don't need to create groups to achieve this. You can just create Roles and assign them to the users you want. For example:
CREATE ROLE sales_ro;
CREATE ROLE sales_riu;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO sales_ro;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO sales_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO sales_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO sales_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT,INSERT,UPDATE ON TABLES TO sales_riu;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO sales_riu;
After that just grant role to expected users:
GRANT sales_ro TO your_user_1;
GRANT sales_riu TO your_user_2;
Please refer link 1 and link 2 to know more about ALTER DEFAULT PRIVILEGES and CREATE ROLE respectively.
Quoting below points from above links:
CREATE ROLE adds a new role to a PostgreSQL database cluster. A role
is an entity that can own database objects and have database
privileges; a role can be considered a “user”, a “group”, or both
depending on how it is used.
A role having the LOGIN attribute can be thought of as a user. Roles
without this attribute are useful for managing database privileges
I cannot stop the login id from dropping or modifying the other user from the database.
I have created one role using the code below:
CREATE ROLE super_users;
GRANT Select, Alter, Update, Execute, Insert, Delete, Create View, Create Table
ON database::[sampledb] TO super_users;
REVOKE CONTROL ON database::[sampledb] TO super_users;
--Created user for login
CREATE USER user_1 for login user_1;
--giving role to particular use
EXEC sp_addrolemember 'super_users', 'user_1 '
Despite doing all of this, the user of this login can delete or drop the other users and login?
Can anyone please help on how to prevent the login id's from doing the above or what am I doing wrong?
As we know, we can use the following script to create a DB role and create corresponding permissions.
CREATE ROLE super_users;
GRANT Select, Alter, Update, Execute, Insert, Delete, Create View, Create Table
ON database::[sampledb] TO super_users;
--Created user for login
CREATE USER user_1 for login user_1;
--giving role to particular use
EXEC sp_addrolemember 'super_users', 'user_1 '
But after that we realized user_1 has the permission to drop other users of the [sampledb]. When we run REVOKE CONTROL ON database::[sampledb] to super_users but not work, user_1 still has the permission . The official documentation's explanation of REVOKE CONTROL is very general. But it doesn't work for CREATE,ALTER,Drop other DB Users.
So we need to use the following script to further restrict the permissions of the 'super_users' role.
DENY ALTER ANY USER,ALTER ANY ROLE,CREATE ROLE to super_users
After that, 'user_1 ' of the 'super_users' can't CREATE,ALTER,Drop other DB Users
I have a client with a head-office, and various field offices.
I would like to grant a couple of head office people, who are SQL Azure contained users, the permission be become an "admin-lite". Specifically, I want them to be able to be able to create users, and make them in/active (with GRANT or REVOKE CONNECT).
I'd also like them to be able to assign other people to this same "admin-lite" role - they can then nominate one person in each branch who can create and manage their own users (there's quite a high turnover of staff).
The way I've made the first of the Head Office "admin-lites" is by making them a member of these two roles:
db_accessadmin - so they can create new users and issue GRANT or REVOKE CONNECT statements
db_securityadmin - so they can assign the new user to the appropriate role
Incidentally, they only need to be able to assign standard users to is a custom role, not a built-in role.
However, I've been able to make the first of these Head Office "admin-lites" because I'm a member of db_owners. As mentioned, I'd like them to be able to the same for their field offices - but I don't want to make the Head Office admin a member of db_owners, because this also gives them permission to make anyone else a db_owner too.
So, the question is, can I create a custom role with the permission to add people to db_accessadmin and db_securityadmin without them being a db_owner? Can I create a custom role with the same permissions as db_accessadmin and db_security admin that makes this easier, perhaps?
Thanks
If I am not wrong, you want to create a role which mimics the same functionality as db_accessadmin + db_securityadmin combined, but at the same time you do not want the members to be a member of db_owner.
Here is a role called FieldOfficeAdmin that does the same.
CREATE ROLE FieldOfficeAdmin
/* db_accessadmin permissions */
GRANT CONNECT to FieldOfficeAdmin ;
GRANT ALTER ANY USER to FieldOfficeAdmin ;
/* db_securityadmin permissions */
GRANT CREATE SCHEMA to FieldOfficeAdmin ;
GRANT ALTER ANY ROLE to FieldOfficeAdmin ;
GRANT CREATE ROLE to FieldOfficeAdmin ;
GRANT ALTER ANY APPLICATION ROLE to FieldOfficeAdmin ;
GRANT VIEW DEFINITION to FieldOfficeAdmin ;
Add any user(s) to this role, they will further be able to create more users and add them as members to the same role
CREATE USER fieldofficeadmin1 WITH PASSWORD = 'enterStrongPassword#1234';
GO
ALTER ROLE FieldOfficeAdmin ADD MEMBER fieldofficeadmin1
When you login as fieldofficeadmin1, you will be able to create more users and add them to the role
CREATE USER fieldofficeadmin2 WITH PASSWORD = 'enterStrongPassword#1234';
GO
ALTER ROLE FieldOfficeAdmin ADD MEMBER fieldofficeadmin2
But when you login as fieldofficeadmin1 and try to add a member to db_owner
ALTER ROLE db_owner ADD MEMBER FieldOfficeAdmin2
It should fail with the below error
Failed to execute query. Error: Cannot add the principal 'FieldOfficeAdmin2', because it does not exist or you do not have permission.
Please let me know if you have any further questions or if I interpreted your requirement incorrectly.
Using PostgreSQL and would like to have only admins have the ability to create new users. While allowing some non-admin users read-write access to our tables.
I cannot find a way to get this done. I have a role called webuser to which I gave:
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO webuser;
But now webuser has access to call CREATE USER and GRANT ROLE also. How can I remove access from webuser to do user-management operations while allowing SELECT, INSERT, UPDATE, DELETE on our database tables?
A user can only create other users if it has the createrole property: this property is not assigned by default when creating a user.
Doc. says:
CREATEROLE NOCREATEROLE
These clauses determine whether a role will be permitted to create new roles (that is, execute CREATE ROLE). A role with CREATEROLE
privilege can also alter and drop other roles. If not specified,
NOCREATEROLE is the default.
Either the user has been created with createrole or a superuser has run: alter user webuser createrole.
To revoke that privilege run alter user webuser nocreaterole
NB:
CREATE USER is now an alias for CREATE ROLE. The only difference is
that when the command is spelled CREATE USER, LOGIN is assumed by
default, whereas NOLOGIN is assumed when the command is spelled CREATE
ROLE.
What role should I give a sql login if I need the login to be able to create a database, and create additional logins and add users based on those logins to the database i created? This is sql 2005.
There is no fixed database role that includes these permissions. You'll have to create a role and assign the permissions individually.
CREATE ROLE db_creator
GRANT CREATE DATABASE TO db_creator
GRANT ALTER ANY LOGIN TO db_creator
GRANT ALTER ANY USER TO db_creator