I am trying to run following script to create credential for azure blob storage on azure Master database with database admin account, but its giving me an error 'User does not have permission to perform this action'.
Script :
'
USE master
CREATE DATABASE SCOPED CREDENTIAL 'XYZ'
WITH IDENTITY='SHARED ACCESS SIGNATURE',
SECRET = 'shared access signature of blob storage'
GO '
Any idea?
Thanks in advance
You should create the database scoped user on your user Database.
There are restrictions on 'master' in Azure SQL Database, even for DBA.
Related
i'm using Azure SQL. In Azure Portal, i was create 1 Azure SQL Server (with username login user01) and 2 Azure SQL Database (ExDatabase1 and ExDatabase2) inside it.
In Microsoft SQL server management studio tool, i'm login success with user user01. i'm using transparent data encryption (TDE) and try create Database Master Key for master database with command bellow:
USE master;
Go
CREATE MASTER KEY ENCRYPTION by PASSWORD = 'Strongp#ssw0rd';
Go
But, i received error:
Msg 15247, Level 16, State 1, Line 3
User does not have permission to perform this action.
So, what is permission for this current user (this is owner database)? and how to do that?. thanks!
USE statement is not supported to switch between databases. Use a new connection to connect to a different database on Azure SQL Database.
To create a master key in Azure SQL just run the following statement on the Azure SQL Database context not on the master database.
CREATE MASTER KEY
GO
For a full example please read this article.
Another example can be found here.
CREATE MASTER KEY ENCRYPTION BY PASSWORD='MyPassw0rdIsComplex.'
GO
I want to refresh my tables in the same database with my queries using with Elastic Job Agent. I need to create credential first to connect database. How can I arrange the credentials in this case? Every documentation they have either 2 database or 2 server.
I found 2 sources but I couldn't understand the concept. Can you please explain it to me in a clear way?
Source 1 : Microsoft document
--Connect to the new job database specified when creating the Elastic Job agent
-- Create a database master key if one does not already exist, using your own password.
CREATE MASTER KEY ENCRYPTION BY PASSWORD='<EnterStrongPasswordHere>';
-- Create two database scoped credentials.
-- The credential to connect to the Azure SQL logical server, to execute jobs
CREATE DATABASE SCOPED CREDENTIAL job_credential WITH IDENTITY = 'job_credential',
SECRET = '<EnterStrongPasswordHere>';
GO
-- The credential to connect to the Azure SQL logical server, to refresh the database metadata in server
CREATE DATABASE SCOPED CREDENTIAL refresh_credential WITH IDENTITY = 'refresh_credential',
SECRET = '<EnterStrongPasswordHere>';
GO
Source 2: link
--In the master database
CREATE LOGIN mastercredential WITH PASSWORD='YourPassword1';
CREATE LOGIN jobcredential WITH PASSWORD='YourPassword2';
CREATE USER mastercredential FROM LOGIN mastercredential;
--In the job database
CREATE USER mastercredential FROM LOGIN mastercredential;
--In the target database
CREATE USER jobcredential FROM LOGIN jobcredential;
-- In the job database
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'YourPassword3';
CREATE DATABASE SCOPED CREDENTIAL mastercredential
WITH IDENTITY = 'mastercredential',
SECRET = 'YourPassword1';
CREATE DATABASE SCOPED CREDENTIAL jobcredential
WITH IDENTITY = 'jobcredential',
SECRET = 'YourPassword2';
Can i create a Custom role or edit existing role in Azure Synapse, where
i can provide only SELECT query access using Built-in serverless Pool and
Pipelines access should be restricted
Ideally i'm looking for a role who can only read SQL & Lake data, query it using different technologies (SQL, Spark) and should not have access to anything else
You can actually create the External Table on the required using the Database Scoped Credential and first GRANT REFERENCES and then SELECT permission to the External Table for SQL user. Follow the below steps:
CREATE DATABASE SCOPED CREDENTIAL SampleIdentity
WITH IDENTITY = 'Managed Identity'
GO
CREATE EXTERNAL DATA SOURCE [DataLakeStorage] WITH (LOCATION = N'https://theorders.dfs.core.windows.net/', CREDENTIAL = SampleIdentity)
GO
Caller must have one of the following permissions to execute OPENROWSET function:
One of the permissions to execute OPENROWSET:
ADMINISTER BULK OPERATIONS enables login to execute OPENROWSET function.
ADMINISTER DATABASE BULK OPERATIONS enables database scoped user to execute OPENROWSET function.
REFERENCES DATABASE SCOPED CREDENTIAL to the credential that is referenced in EXTERNAL DATA SOURCE.
GRANT REFERENCES ON DATABASE SCOPED CREDENTIAL::[SampleIdentity] TO [SQLUser];
GO
CREATE EXTERNAL TABLE [dbo].[DimProductexternal]
( ProductKey int, ProductLabel nvarchar, ProductName nvarchar )
WITH
(
LOCATION='/DimProduct/year=*/month=*' ,
DATA_SOURCE = AzureDataLakeStore ,
FILE_FORMAT = TextFileFormat
) ;
You can now Grant SELECT permission to the user for external table.
GRANT SELECT ON [dbo].[DimProductexternal] TO [SQLUser]
GO
To restrict the access to the resource in Synapse, you can assign ROLE BASED ACEESS CONTROL (RBAC)
To restrict run/cancel pipelines access in Synapse workspace you can assign Synapse Monitoring Operator role using the RBAC in synapse. Refer Synapse RBAC roles and the actions they permit for more details.
I try to created Row-Level-Security in a Azure Synapse ondemand database. The data is stored in Azure Datalake Storage Gen 2. The script is working fine, but members of the restricted user group can still run the OPENROWSET command manually and see al the data. Does somebody knows what part I'am missing?
CREATE DATABASE SCOPED CREDENTIAL WorkspaceIdentity
WITH IDENTITY = 'Managed Identity'
GO
CREATE EXTERNAL DATA SOURCE [DataLakeStorage] WITH (LOCATION = N'https://theorders.dfs.core.windows.net/', CREDENTIAL = WorkspaceIdentity )
GO
GRANT REFERENCES ON DATABASE SCOPED CREDENTIAL::[WorkspaceIdentity] TO [MyTestGroup];
GO
CREATE VIEW [model].[my_orders] as
SELECT * FROM
OPENROWSET(BULK 'dimorders/*.parquet',
DATA_SOURCE = 'DataLakeStorage', FORMAT = 'parquet') as rows
WHERE [UserName] = suser_name()
GO
GRANT SELECT ON [model].[my_orders] TO [MyTestGroup]
GO
The example script for receiving all the data, without restriction
SELECT * FROM
OPENROWSET(BULK 'dimorders/*.parquet',
DATA_SOURCE = 'DataLakeStorage', FORMAT = 'parquet') as rows
I would suggest you follow below steps which shows how to give a user permission to access a particular database.
Note - The steps below need to be run for each SQL pool to grant user
access to all SQL databases except in section Workspace-scoped
permission where you can assign a user a sysadmin role at the
workspace level.
Set up security groups
Prepare your ADLS Gen2 storage account
Create and configure your Azure Synapse Workspace
Grant the workspace MSI access to the default storage container
Grant Synapse administrators the Azure Contributor role on the workspace
Assign SQL Active Directory Admin role
Grant access to SQL pools
Add users to security groups
Network security
Refer - https://learn.microsoft.com/en-us/azure/synapse-analytics/security/how-to-set-up-access-control#supporting-more-advanced-scenarios
I am trying to create a contained user for just one database in Azure SQL Server,
I have tried using the sp_configure keyword, it says it is not available in the version of the SQL Server I am using.
Also, I used the Alter database statement, I got the error below:
ALTER DATABASE statement failed; this functionality is not available
in the current edition of SQL Server.
Please, how can I solve this problem???
You do not need to run the ALTER DATABASE ... SET CONTAINMENT command on Azure SQL DBs to accept contained users - it is already enabled by default. You simply need to create the user with just a login and password. A simple example of a contained user with password:
CREATE USER yourUser WITH PASSWORD = 'yourPassword';
See the official documentation for more examples:
https://learn.microsoft.com/en-us/sql/t-sql/statements/create-user-transact-sql?view=sql-server-ver15#e-creating-a-contained-database-user-with-password
https://learn.microsoft.com/en-us/sql/t-sql/statements/create-user-transact-sql?view=sql-server-ver15#f-creating-a-contained-database-user-for-a-domain-login
sp_configure is not supported in Azure SQL database, even use the Alter database:
In Azure SQL database, login is used to login the Azure SQL server, user is to connect to the database. User is database level, and login is server level.
Create login in master DB(( Login must be created in master DB)):
CREATE LOGIN AbolrousHazem
WITH PASSWORD = '340$Uuxwp7Mcxo7Khy';
Then we can create user in user DB( create the database contained user in user DB):
CREATE USER AbolrousHazem FOR LOGIN AbolrousHazem;
GO
For more details, please ref: https://learn.microsoft.com/en-us/azure/azure-sql/database/logins-create-manage