We want to give SELECT permission to a security group for only one database. We followed the below steps:
We added the security group as login.
We added the security group as user to the database.
We gave SELECT permission on a schema to the security group.
Now, Security group members are able to use query window for writing queries and switch database using USE Databasename; command. But, still Sql Server Management Studio is not showing the database in the databases node.
The databases node just shows the system database as shown in the image below. What could be the reason for this? Unless, we give sysadmin permission, the security group members are not able to see the database in the databases node. They are using latest version of SSMS i.e., 17.
Have you removed the View Any Database permission from the Public role? If the Public role doesn't have the View Any Database permission an account has to be the owner of the DB to see it.
Related
I have some Azure SQL Database environments where the Activity Directory admin is set to an AAD group.
I need to set up auditing on Azure SQL Database environments so that all activity from the members of that group users is captured. I've got the basic Azure SQL Auditing set up and working but it generates way too much logging.
I think I need to use the PowerShell command Set-AzSqlServerAudit to filter it with the PredicateExpression option, but I cannot find any query that will filter for members of that group. Any similar approach would be acceptable (e.g. checking for any elevated permissions, whether in that group or not) as long as it includes that group.
Is it possible?
I found that I can use the following PredicateExpression to audit any admin activity on the database:
-PredicateExpression "[database_principal_name]= 'dbo'
I used the audit log definition at https://learn.microsoft.com/en-us/azure/azure-sql/database/audit-log-format?view=azuresql to see the list of available fields.
I am attempting to share an SQL view via Azure Data Share. I have set up the data share, created a share to send, and am attempting to add a dataset. I am logged into Azure Portal as me#example.com. I am also connected to the database (an Azure SQL DB) in SSMS as me#example.com. I do the following:
Select "Add datasets"
Select "Azure SQL Database"
Select the resource group
Select the SQL server
I got the the message about setting up permissions (the create user and exec sp_addrolemember db_datareader query), which I did successfully in SSMS. So, next I select the data, which was found successfully, and select "Next". This is where the problem starts.
I am given the options for Tables and Views. However, neither is populated. I can see all the tables and views in SSMS, including the view I created. However, when I select, say, "View" from the 2 options, it finds nothing and says, "No results to show".
This is mystifying. I clearly have access and permissions, yet it won't even populate the list of views. Any suggestions what might be causing this? This is my first Azure Data Share, and I could easily have missed something, but it seems like it should have everything that it needs for this operation.
Here are my assumptions:
It is using my Azure Portal login credentials to authorize access to populate the list.
The fact that I can see the tables and views in the SSMS Object Explorer implies sufficient permission to see the same in Azure Portal.
Since this data share and the database are in the same resource group, no firewall configuration is needed.
We have a SQL Server 2012 instance which is the database for our security system. Now we have a scenario where we want to allow another team our SQL Server to select certain records, ie we created four views for them for their requirements.
But, we don't want to provide or list all our tables to them but only allow these four views to see and query in our system. As I go through many documents it's clear that we can do it through making our SQL Server as a linked server.
What's the best way to do it through a linked server?
Are the views in a specific schema?
Try to grant the users access to that schema, so that they can only read and see meta from it.
https://learn.microsoft.com/en-us/sql/relational-databases/security/metadata-visibility-configuration
we don't want to provide or list all our tables to them but only
allow these four views to see and query in our system.
You don't need linked server to accomplish this.
All you need is to grant SELECT permission on these 4 views.
When you create a user in a database and don't grant any permission to it, it does not see any user table/view at all. And it will be able to see and query only those objects on which you'll grant the permissions
When I connect to my live SQL server database. Despite of giving the database it displays a long list of databases. I have to look up my database among these all databases.
Is there any way so that I can view only my database when connect to the server?
You need to get the VIEW ANY DATABASE permission revoked on the login you are using.
I just tested setting up a new login called bar and running DENY VIEW ANY DATABASE TO bar; but that failed with the message
Cannot grant, deny, or revoke permissions to sa, dbo, entity owner,
information_schema, sys, or yourself.
So you will need to get the sysadmin to do this.
I have a Microsoft SQL server database and a set of users.
Now in my app I want to make some functionality only visible, if the user has entered username and password with certain rights (admin).
Since the databases and the usernames and their rights can change, how do i check what permissions/rights an Microsoft SQL server user has?
You can check current user's right on certain securables using [sys.fn_mypermissions][1] which returns all permission on the securable. You can also check a specific permission with HAS_PERMS_BY_NAME. Eg. you can check for CONTROL SERVER permission which implies an administrator is logged in:
SELECT HAS_PERMS_BY_NAME(null, null, 'CONTROL SERVER');
The simplest way to do this is using the IS_MEMBER('rolename') function, that checks whether the user is in the role/group 'db_owner'. The function will perform a check at database level, and returns 1 (Int32), if the user has the specified role.
If you need to check at server level, you can use the IS_SRVROLEMEMBER function. Both are available since SQL Server 2005.
I'm not entirely certain that I understand your problem definition however assuming I do.....
I would suggest that you create a SQL Server Database Role that you can add the relevant application users to, perhaps via some group membership maintained within the App (or a Windows Domain Group). You can use the group to Role mapping to independently manage user membership, from managing the relevant permissions to securables within the database via the Role.
This way, you just need to check that an application User is a member of the relevant application or windows group, without the need to query the security configuration of SQL Server.