I have got myself into a little bit of a bind, using SQL Server Management Studio to create a database in Azure SQL. My issue appears to be with assigning roles to users in the database. When I created the database, it prompted me to create a new login, with an associated user, that appeared to have all the rights of a database owner. However, I am now trying to create two additional logins and I realize I am screwed. The login that I created when I made the database isn't the database owner, even though I could do all the DDL / DML necessary to create the full schema under that account. I created an additional login, and I added two users to that login. I now want to add that login to a role (db_datareader, db_denywrite) but I cannot.
It appears that the database owner is a user / login called "dbo" that I did not set up. This is the only user that is added as a database owner, and subsequently is the only one that can edit roles. But I do not know the login credentials for this user!
if I use what I believed to be the administrator account (the one I made) to add a role I get the error:
Cannot alter the role 'db_datareader', because it does not exist or you do not have permission.
How can I fix this? How can I get my original account added as a DB Owner? There has got to be a way, but everything I tried points to the fact that I am not the owner of the resource I created; I'm an outcast in my own country...
Thanks!
Related
Disclosure: I am not an IT professional and I am certainly not a DBA.
That said, I can usually find my way around. I am following some instructions from a third party vendor to create a login, two databases, a user in each and ultimately a DSN to each.
Here are the steps:
Create a login (let's call it Test) with SQL Server Authentication and assign it a Public server role
Create two databases, both owned by the login we created (Test)
In each database, create a user with User Name and Login Name both set to Test and the default schema as dbo. Assign each user db_owner in Owned Schemas and Membership
Create a DSN to each database
If I follow these instructions, when I attempt to create the users I get an error: The login already has an account under a different user name. (Microsoft SQL Server, Error: 15063)
If I try creating a user with a different User Name (login name still Test), I get the same error.
If I try creating a user with a different Login Name, I get a different error: 'Test1' is not a valid login or you do not have permission. (Microsoft SQL Server, Error: 15007)
If I try skipping the users entirely and creating the DSN with the original Login, I get an error that login failed for user Test.
I have tried completely removing and re-installing SQL Server in case there was some duplicate name stored somewhere, but it didn't help.
So, I am not sure what else I can try. Clearly I am missing something, but I have no idea what.
If the Login owns the database, it's mapped to the user dbo (which stands for "database owner") so you can't create another user for that login.
Normal practice is to have the databases owned by SA or your Windows Login, then you can create the user for the SQL Login and assign whatever permissions you need.
When I scan my database, it shows one of the result like VA1143 'dbo' user should not be used for normal service operation in A Vulnerability Assessment scan
They have suggested to "Create users with low privileges to access the DB and any data stored in it with the appropriate set of permissions."
I have browse regarding the same to all form but cannot get the correct suggestion yet. Could you please suggested your idea or where i have to create the user and grand the permission. Since we have only one schema structure in our DB.
About "Create users with low privileges to access the DB and any data stored in it with the appropriate set of permissions.", the first thing you should know is the Database-Level Roles.
Create users with low privileges means that the use does not have the alter database permission.
When we create the user for the database, we need to grant the roles to it to control it's permission to the database.
For example, bellow the the code which create a read-only user for SQL database:
--Create login in master DB
USE master
CREATE LOGIN reader WITH PASSWORD = '<enterStrongPasswordHere>';
--create user in user DB
USE Mydatabase
CREATE USER reader FOR LOGIN reader;
GO
--set the user reader as readonly user
EXEC sp_addrolemember 'db_datareader', 'reader';
For more details, please reference:
Authorizing database access to authenticated users to SQL Database
and Azure Synapse Analytics using logins and user accounts
Hope this helps.
When designing and building databases, one the principal mechanisms for security must be the "least privilege principal". This means that you only give permissions that are absolutely necessary. No application should need to be the database owner in order to operate. This role should be highly restricted to only administration types. Instead, you create a more limited role for the application. It can include access to every single table, all the procedures, but it won't be able to do things like, for example, drop the database.
This is step one to a defense in depth of your system in order to properly and appropriately secure it. It helps with all levels of security issues from simple access to SQL Injection. That's why it's included as part of the vulnerability assessment. It's a real vulnerability.
Yes resolved the issue after creating the least privilege role and assigned to the user. But its leading to different below vulnerable issue's for the newly added user with least privilege role. Any lead will be helpful on this
1.VA2130 Track all users with access to the database
2. VA2109 - Minimal set of principals should be members of fixed low impact database roles
Users are created with dbcreator and public role. They can create and delete their own databases.
How do I give them the ability to grant permission to their database to other users? Currently they can only see public and guest object.
You don't need to make someone a sysadmin. The minimum required permissions are described on this page.
In SQL Server, requires ALTER ANY LOGIN permission on the server or
membership in the securityadmin fixed server role.
These permissions still give a user a lot of power. They are able to delete other sysadmin logins.
Perhaps partial contained databases can be a solution for you.
A database user in a regular database needs to be mapped to a login on server level. Managing these server level logins requires a lot of permissions.
Database users within a partially contained database can exists without a login. These users can only login to that specific database. No server level permissions are required to manage these users.
I'm trying to change the owner of a database using the alter authorization statement.
Statement:
ALTER AUTHORIZATION ON DATABASE::spentlytestlocal TO renspently
Error:
Cannot find the principal 'username', because it does not exist or you do not have permission
I'm sure I assigned the user permission to take ownership, but any help and direction is greatly appreciated.
For this to work, two things must be true, per Books Online:
Server objects (such as databases) must be owned by a server principal
(a login).
This means the account you want to give ownership must have a login on the server (not just a user in the database -- it is possible to have users without logins if you restore from a backup).
And second,
Requires TAKE OWNERSHIP permission on the entity. If the new owner is
not the user that is executing this statement, also requires either,
1) IMPERSONATE permission on the new owner if it is a user or login;
or 2) if the new owner is a role, membership in the role, or ALTER
permission on the role; or 3) if the new owner is an application role,
ALTER permission on the application role.
Which means, in practice, that you need to be a sysadmin. One common instance of where you're not a sysadmin is if SQL Express has been configured to have local admins as sysadmins, but you don't start Management Studio with elevated permissions.
I am creating some users on SQL server but I am a little confused as to whether I grant "alter any login" or "alter any linked server" to my LOGIN or to the USER account?
As you all know, on SQL server, you create users in this order:
Create LOGIN sysUser1 (in master db)
Create USER myUser1 for LOGIN sysUser1 (in users db)
CREATE SCHEMA myUser1 AUTHORIZATION myUser1
then, run sp_addrolemember for myUser1 as needed
then, do grants
I am confused as to whether I should:
grant alter any login to myUser1
or
grant alter any login to sysUser1
Can anyone clarify? Am I thinking of this incorrectly?
ALTER LOGIN is a server level permission, so you can't grant it to database users. You need to grant it to sysUser1 in your case.
See http://msdn.microsoft.com/en-us/library/ms186717.aspx
Edit: Dito for linked server.
Logins and Linked Servers are both objects that exist at the instance level, as opposed to at the database level, so these permissions both need to be applied to the login, rather than the user.
If you are using SQL Server 2012, then it is possible to create you own Instance level roles, but in 2008 and below, you are rrestricted to the built in server roles.
There is a server role called setupadmin that lets members manage linked servers.