When I execute ALTER ROLE db_owner ADD MEMBER A it gives out following error.
Msg 15151, Level 16, State 1, Line 4
Cannot alter the role 'A', because it does not exist or you do not have permission.
Here ALTER ROLE it mentions that;
Limitations and restrictions
You cannot change the name of a fixed database role.
But I can't find any relationship to this with the error. What I'm trying to do is adding a member not changing the fixed role name.
Any support in resolving this matter is highly appreciated
I think that you are missing a step. You have a login, but you are not adding the login as a user to the database. All the steps below are what you need. The CREATE USER step (a database level call) seems to be missing from your work.
I don't think you need the CREATE LOGIN, I just wanted to include that so one could see all it takes to do this.
USE [master]
GO
CREATE LOGIN [A] WITH PASSWORD=N'<password>', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
USE [YourDatabase]
GO
CREATE USER [A] FOR LOGIN [A]
GO
ALTER ROLE db_owner ADD MEMBER [A]
GO
Change YourDatabase to the proper value before you try this.
First you drop existing user role then use below command:
USE Databasename
GO
-- create new role for your s to belong to
CREATE ROLE s
GO
-- add s Role to db_owner
EXEC sys.sp_addrolemember
#rolename = N'db_owner',
#membername = N's';
GO
GO
Related
Is there a way I can grant truncate permission to a user without altering privileges in SQL Server?
The minimum permission required is ALTER on table_name. TRUNCATE TABLE permissions default to the table owner, members of the sysadmin fixed server role, and the db_owner and db_ddladmin fixed database roles, and are not transferable. However, you can incorporate the TRUNCATE TABLE statement within a module, such as a stored procedure, and grant appropriate permissions to the module using the EXECUTE AS clause.
CREATE PROCEDURE dbo.usp_Demo
WITH EXECUTE AS 'CompanyDomain\SqlUser1'
AS
SELECT user_name();
Source
You can go through this official documentation.
Create a test Login and User id then grant it execute permission on the stored procedure Truncate_Table_Loner. This id will be used to perform the truncate.
-- Grant Execute Permission
-- Setup ID on Database with Connect permission
USE master
GO
CREATE LOGIN [test_user_id] WITH PASSWORD = 'JustConnect123';
GO
USE TestSQL
GO
CREATE USER [test_user_id] FOR LOGIN [test_user_id];
GO
-- Grant Permission
GRANT EXECUTE ON dbo.Truncate_Table_Loner TO [test_user_id];
GO
I hope you can help me with this.
We have an application that we need to restrict access to. The application will be using login TestApp.
I've been testing this using SQL Server Management Studio v 17.9.1 and we are using SQL Server 2016.
This Login will have access to all tables, stored procedures, views, functions and triggers within its own schema Test in the tatabase: Testing, and only to certain tables from dbo schema that we specify in the permissions of the TestAPP user.
I've used the following script to achieve that.
The problem we are having is that the Login can access all system views and stored procedures and we don't want this level of access (attached pictures enter image description here) enter image description here
This login shouldn't be able to do those under schema TEST.
Create, drop, alter tables from Test schema
Create, alter, drop views from Test schema
Create, alter, drop stored procedures from Test schema
We are trying to use Roles so that we don't have to specify each and every sys object that we want to deny access to.
I've created the Role [db_TestExecutor] and attached the role to the user. and then gave specific permissions for the dbo tables but still they can see all sys objects.
Used SQL code below:
USE [Testing]
GO
CREATE SCHEMA [Test] AUTHORIZATION [dbo]
GO
CREATE ROLE [db_TestExecutor]
GO
GRANT EXECUTE ON SCHEMA::Test TO [db_TestExecutor]
GO
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::Test TO [db_TestExecutor]
USE [mASTER]
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE [name] = 'TestApp')
BEGIN
CREATE LOGIN TestApp WITH PASSWORD=N'Password123', DEFAULT_DATABASE=[tempdb], DEFAULT_LANGUAGE=[British], CHECK_EXPIRATION=OFF, CHECK_POLICY=ON
END
USE [Testing]
GO
CREATE USER [TestApp] FOR LOGIN [TestApp]
GO
ALTER ROLE [db_TestExecutor] ADD MEMBER [TestApp]
GO
GRANT INSERT ON [dbo].[tblOrders] TO [TestApp]
GO
GRANT SELECT ON [dbo].[tblOrders] TO [TestApp]
GO
GRANT UPDATE ON [dbo].[tblOrders] TO [TestApp]
GO
GRANT SELECT ON [dbo].[test] TO [TestApp]
I expect the TestApp login to be able to see only objects from Test schema and only certain dbo tables.
Please see below the desired result:
Thank you very much for your help!
In Visual Studio 2017, I have a SQL Server Project with a simple database using SQL Authentication.
I am trying to publish a new table. The publish script, however, is trying to drop and recreate the user I am using to publish the database.
GO
PRINT N'Dropping [adf]...';
GO
DROP USER [adf];
GO
PRINT N'Creating [adf]...';
GO
CREATE USER [adf] WITHOUT LOGIN;
GO
REVOKE CONNECT TO [adf];
GO
PRINT N'Creating <unnamed>...';
GO
EXECUTE sp_addrolemember #rolename = N'db_owner', #membername = N'adf';
CREATE TABLE ....
I read the View Preview:
** Highlights
Tables that will be rebuilt
None
Clustered indexes that will be dropped
None
Clustered indexes that will be created
None
Possible data issues
None
** User actions
Drop
[adf] (User)
Create
[adf] (User)
[staging].[square_transactions] (Table)
** Supporting actions
Create
Role Membership: <unnamed> (Role Membership)
Your permissions to see all objects in the server or database could not be verified. The original error was:
The SELECT permission has not been granted on 'sys.sql_logins' for the 'master' database. You must be a member of the 'loginmanager' role to access this system view.
Reverse Engineer will continue the import process, and logins will not be imported.
The reverse engineering operation will attempt to continue anyway, but the resulting model might be incomplete, malformed, or incorrect.
I added the loginmanager role to the login [adf] wondering if this would fix the dropping and creating of the [adf] user. It did not.
Finally, I published using the server admin account. It still drops and creates the user, but was at least able to run.
How can I resolve this issue? I was thinking I should not use the server level admin account to do database development in SSDT/VS.
You need to add Adf as login to master database also. You just need to create that login on master once. Please try the following:
---- On server level
CREATE LOGIN adf
WITH PASSWORD = 'ThisIsAStrongPassword!'
GO
---- Create user on Master database Level
CREATE USER adf
FOR LOGIN adf
WITH DEFAULT_SCHEMA = dbo
GO
exec sp_addRoleMember 'dbmanager', 'adf';
exec sp_addRoleMember 'loginmanager', 'adf'
---- Create user on your user database
CREATE USER adf
FOR LOGIN adf
WITH DEFAULT_SCHEMA = dbo
GO
exec sp_addRoleMember 'db_owner', 'adf';
ALTER TABLE [dbo].[Client] ADD [Awesomness] [nvarchar](max)
ALTER TABLE [dbo].[Client] DROP COLUMN [Awesomness]
The second command I don't want to be successful, I don't want any DROP COLUMN to succeed. So I created a user for my database, just wondering how I can deny this user the permission to DROP COLUMN. I set up a trigger but that doesn't seem to take care of DROP COLUMN. Is there anyway I could restrict this?
CREATE TRIGGER [TR_DB_NO_DROPPING_OBJECTS_2]
on DATABASE
FOR
DROP_PROCEDURE,DROP_FUNCTION,DROP_VIEW,DROP_TABLE, DROP_DEFAULT,DROP_EXTENDED_PROPERTY
AS
BEGIN
IF --only two accounts allowed to drop stuff
suser_name() NOT IN('test' )
BEGIN
--raise an error, which goes to the error log
RAISERROR('Unauthorized use of drop object from inpermissible host.', 16, 1)
--prevent the drop
ROLLBACK
END
--if it got to here, it was the "right" user from the "right" machine (i hope)
END
The roles I've assigned my user.
use Hasan
go
EXEC sp_addrolemember N'db_datareader', N'TestUser'
go
use Hasan
go
EXEC sp_addrolemember N'db_datawriter', N'TestUser'
go
use Hasan
GO
GRANT EXECUTE TO [TestUser]
GO
use Hasan
GO
GRANT INSERT TO [TestUser]
GO
use Hasan
GO
GRANT SELECT TO [TestUser]
GO
use Hasan
GRANT ALTER TO [TestUser]
GO
use Hasan
GO
GRANT UPDATE TO [TestUser]
GO
use Hasan
GO
GRANT DELETE TO [TestUser]
GO
That would be an Alter_Table DDL event. See if that works for you.
Also, I am not sure if you have looked into roles. Granting dbwriter and dbreader allows CRUD operations but no changes to DDL.
https://msdn.microsoft.com/en-us/library/ms189121.aspx
EDIT:
This example does not check for a user but it works on my test table:
CREATE TRIGGER testtrig
ON Database
FOR alter_table
AS
Declare #Msg nvarchar(max) = (SELECT EVENTDATA().value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]','nvarchar(max)'))
If #Msg Like '%Drop Column ColumnA%'
Rollback
GO
There is probably a better way than parsing the message text like in my example, this was just a quick test.
Also remember this is just a safety to let the user know they should not drop this column. If they have DDL rights they can disable or delete the trigger.
I have a Database say TestDatabase.I have already added an user under
NTAuthority\SYSTEM(Role) Db_owner.
Again i wish to add another user to the same Database under NTAuthority\System with
different role.
I received the following error :
The login already has an accoind under different username.
SQL Server Error :15063
How can i add different users to the same database with different role.
I would appreciate if i receive elobarate explanation.
You can't. You add the same user to multiple roles.
db_owner already has all rights anyway withing the database so any other permissions are superfluous.
CREATE USER [NTAuthority\SYSTEM] FROM LOGIN [NTAuthority\SYSTEM];
EXEC sp_addrolemember 'db_owner', 'NTAuthority\SYSTEM'
-- ...and fails
CREATE USER [bob] FROM LOGIN [NTAuthority\SYSTEM];
--Normally, for one user in multiple roles
EXEC sp_addrolemember 'DoStuff', 'NTAuthority\SYSTEM'
EXEC sp_addrolemember 'DoSpecialStuff', 'NTAuthority\SYSTEM'
--... and for another user
EXEC sp_addrolemember 'DoStuff', 'AnotherUser'
--... and for yet another user
EXEC sp_addrolemember 'DoLimitedStuff', 'TheThirdUser'
Edit:
Look at the MS documentation: Database-Level Roles and the parent Identity and Access Control topic
if is db_owner there is no point in adding him to any other role.
to add an existing user to a new role you run sp_roleaddmember