Creating group rights in Azure for SQL Server - azure-sql-database

I'm probably not phrasing that correctly. I have been asked to find a way to create a group in Azure; grant that group dbreader and dbwriter rights to SQL Server, then create users in that group and assign non-Azure applications to those users. I am sure I'm not phrasing some of this correctly. The idea is that applications in the field should have access to the Azure-based SQL Server but only reading and writing to the DB.
RON

From your question it is not very clear whether you are asking about SQL Server on a plain VM or SQL Server as a service (SQL Azure). If it is SQL Server on a VM, then it should be the same as locally.
If it is SQL Azure, you can try to add your user to the db_dbdatareader/writer role using Visual Studio or SSMS.
Or use the SQL syntax, something like this:
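-- Create a custom database role owned by dbo
CREATE ROLE MyDatabaseReaderRole AUTHORIZATION [dbo]
-- Grant schema-level permissions on dbo to the role.
-- CONTROL on a schema already implies every other permission in this list.
GRANT
    ALTER,
    CONTROL,
    DELETE,
    EXECUTE,
    INSERT,
    REFERENCES,
    SELECT,
    TAKE OWNERSHIP,
    UPDATE,
    VIEW DEFINITION
ON SCHEMA::dbo
TO MyDatabaseReaderRole
GO
-- Add an existing user to the new role created
EXEC sp_addrolemember 'MyDatabaseReaderRole', 'SomeUser'
GO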
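
For the group-based, read/write-only setup the question describes, the built-in db_datareader and db_datawriter roles are enough. This is an added example, not part of the answer above; it assumes SQL Azure (Azure SQL Database) with a directory admin configured on the server, and [FieldAppsRW] is a placeholder group name.

```sql
-- Added example. Run inside the target user database (not master), connected
-- as the server's Azure AD (Microsoft Entra) admin.
-- [FieldAppsRW] is a placeholder for an existing directory group.

-- 1. Create a contained database user that represents the whole group.
CREATE USER [FieldAppsRW] FROM EXTERNAL PROVIDER;

-- 2. Give the group read and write access to data, and nothing else.
ALTER ROLE db_datareader ADD MEMBER [FieldAppsRW];
ALTER ROLE db_datawriter ADD MEMBER [FieldAppsRW];

-- 3. Verify role membership: expect exactly two rows (reader and writer),
--    with type_desc = EXTERNAL_GROUP for the member.
SELECT r.name AS role_name,
       m.name AS member_name,
       m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'FieldAppsRW';

-- 4. Verify direct grants: CREATE USER grants CONNECT by default, so any row
--    other than CONNECT means the group holds more than read/write.
SELECT pr.name AS principal_name,
       pe.class_desc,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'FieldAppsRW';
```

Access is then managed by adding or removing members of the directory group; no further changes are needed in the database.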

Related

How to allow any user (including those added in future), group or windows user to create new tables in database?

I'm trying to figure it out using a SQL script, but I also need to do it in SQL Server Management Studio.
I can grant permission to create tables with this script, but only for specified users.
GRANT CREATE TABLE TO user_name;
GO

SQL Server 2012 server role

In my SQL Server 2012 I have created a server role. I would like the server role to be able to alter just one database on the server, because I have many databases on the server. How can I grant access to alter data in one database on the server?
Thank you in advance,
Nico.
Presumably you have just added the login to the server. Unless you have given the login sysadmin (I presume you have not), you will need to individually set the security per database, i.e. map the user to the database, e.g.
USE [Database]
GO
CREATE USER [User] FOR LOGIN [User] WITH DEFAULT_SCHEMA=[dbo]
GO
You will need to add the user to Security/Users in the actual database folder. If you want them to read/write data into/from existing tables, give them db_datareader and db_datawriter by right clicking and going to Properties -> Membership. If you want them to be able to create/drop objects in the database e.g. tables, they also need db_owner. They only have the rights for that db.
In addition to what TJB said, please read the documentation at: https://msdn.microsoft.com/ro-ro/library/ms178569.aspx

Run xp_create_subdir without admin privileges

The Point: I want to be able to create a directory on the filesystem through a non-sysadmin SQL user.
I'm creating a web front-end for a deployment script which creates new databases from a specified template database.
Essentially I'm backing up said template database and then restoring this as a brand new database with a different name.
Our DB server has our client databases stored in sub-folders within our database store. If I were to use the default settings it would look something like:
D:\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\[ClientRef]\[ClientRef].mdf
D:\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\[ClientRef]\[ClientRef].ldf
I only have SQL access to the database server (via a programming language, hosted on a separate box) so I can't execute anything other than SQL.
My database user is extremely limited, however I would like to somehow grant this user to access/execute master.dbo.xp_create_subdir only. Is this possible at all?
I'm loath to give our local DB user sys-admin rights, it has a limited user for a reason.
DB Server is Microsoft SQL Server 2008 R2.
Cheers, any help will be appreciated.
One possible solution is to write your own sproc that internally uses master.dbo.xp_create_subdir.
Create the sproc while logged in as an account that's a member of the sysadmin role and use "WITH EXECUTE AS SELF". Then grant permissions to that other account to execute this sproc. The database catalog where you create this wrapper-sproc must be marked as "trustworthy" or you'll still get the "User must be a member of 'sysadmin' server role." error.
E.g.
-- Wrapper around xp_create_subdir; runs as the sysadmin account that created it
CREATE PROCEDURE [dbo].[sprocAssureDirectory] @directoryFullPath varchar(4000)
WITH EXECUTE AS SELF
AS
BEGIN
    EXEC master.dbo.xp_create_subdir @directoryFullPath;
END
Just make sure you add any needed assertions/checks to your sproc that make sense for your application (e.g. the path can only be of a pattern that you expect).
Belated Update: Added the critical mention of marking the catalog as trustworthy.
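
One way to apply the "path can only be of a pattern that you expect" advice, as an added example that is not part of the answer above: the wrapper takes only a client reference and builds the path itself. The procedure name, the [LimitedAppUser] principal and the allowed character set are assumptions; the base folder is the one shown in the question.

```sql
-- Added example (hypothetical names). Create while logged in as a sysadmin
-- account, in the catalog that is marked trustworthy as described above.
CREATE PROCEDURE [dbo].[sprocAssureClientDirectory]
    @clientRef varchar(50)
WITH EXECUTE AS SELF
AS
BEGIN
    SET NOCOUNT ON;

    -- Fixed base folder (from the question); callers can never change it.
    DECLARE @base varchar(260);
    SET @base = 'D:\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\';

    -- Allow-list check: only characters from [A-Za-z0-9_].
    -- The binary collation makes the ranges exact, so '.', '\', '/', ':' and
    -- spaces are all rejected. That rules out '..' segments, drive letters
    -- and UNC paths without having to enumerate them.
    IF @clientRef IS NULL
       OR DATALENGTH(@clientRef) = 0
       OR @clientRef COLLATE Latin1_General_BIN LIKE '%[^A-Za-z0-9_]%'
    BEGIN
        RAISERROR('Invalid client reference.', 16, 1);
        RETURN 1;
    END

    DECLARE @path varchar(4000);
    SET @path = @base + @clientRef;

    -- The only call that needs elevated rights, with a fully controlled path.
    EXEC master.dbo.xp_create_subdir @path;
    RETURN 0;
END
GO

-- The limited account gets EXECUTE on the wrapper only.
GRANT EXECUTE ON [dbo].[sprocAssureClientDirectory] TO [LimitedAppUser];
GO
```

Because the catalog holding the wrapper has to be marked trustworthy, keep it small and dedicated, and treat db_owner membership in it as equivalent to sysadmin.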
You could give access for the user to use that stored proc explicitly. It is gonna be something like:
GRANT EXECUTE ON OBJECT::master.dbo.xp_create_subdir
TO <SQL USER>;
It sounds like that user is limited for a reason though, and getting the extra permissions to run something like that can get a little pushback from whoever is managing the DB. So be careful when dealing with getting the elevated privileges.

What permissions should be granted to the remote user to do anything with "the database" and no other?

What permissions should be granted to the remote user to do anything with the database "123" in SQL Server 2005 Express using SQL Server Management Studio Express such that the remote user cannot do anything to any other database?
I would also like that the remote user cannot see the other databases.
That is "123" is for the user login using SQL authentication method.
The is private.
I am using SQL Server Management Studio Express 2005 of both the web and the database server.
Webserver is connecting to database server.
An answerer by nick Thomas asked what is meant by "anything" but later deleted his answer, so here is what "anything a user can do" means, for other answerers.
"Do anything" means: create tables, delete tables, edit/update tables, insert, extract, and all related to functions on tables.
But no, the user cannot drop THE DATABASE. The database drop should be restricted.
Insert, update, and delete on table.
Table create, alter, and drop.
Table copy, database backups.
Have a look at this closely related (identical?) question.

Transfer permissions from one domain to another in SQL Server

At the bottom of most of our stored procedures we have a grant similar to
GRANT EXECUTE ON [dbo].[uspFOO] TO [DOMAIN\SQLServerUsers]
Luckily for me, our domain is changing and we now need to go through and change the permissions. Does anyone know of an easy way to do this using the DB metadata so I can pull out all the places where [DOMAIN\SQLServerUsers] is given permission to run and substitute it with [DOMAIN2\SQLServerUsers]?
Thanks.
For those asking, this is on SQL Server 2005.
What version of SQL Server are you on??
In 2005 and up, you could:
- create a new database role "db_executor" and do
    GRANT EXECUTE TO db_executor
- grant that database role to all necessary users
This will create a "catch all" role that has execute rights on every existing and future (!!) stored proc in your database. Yes, that does include future stored procs, too! Very handy indeed (at least as long as every user is allowed to execute all stored procs)
That way, you don't have to create separate GRANT EXECUTE statements for each and every stored proc.......
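
The metadata-driven route the question asks about, as an added example that is not part of either post: it reads the existing object-level permissions of the old group from the catalog views and generates matching statements for the new one. The group names are the placeholders used in the question, and the script assumes the database user name equals the Windows group name.

```sql
-- Added example; syntax kept compatible with SQL Server 2005.
-- Prerequisite: the new group already has a login and a user in this database,
-- e.g. CREATE USER [DOMAIN2\SQLServerUsers] FOR LOGIN [DOMAIN2\SQLServerUsers];
DECLARE @old sysname, @new sysname;
SET @old = N'DOMAIN\SQLServerUsers';
SET @new = N'DOMAIN2\SQLServerUsers';

-- Generates statements for review; nothing is executed by this query.
SELECT CASE dp.state WHEN 'D' THEN 'DENY ' ELSE 'GRANT ' END
     + dp.permission_name COLLATE DATABASE_DEFAULT
     + ' ON ' + QUOTENAME(SCHEMA_NAME(o.schema_id)) + '.' + QUOTENAME(o.name)
     + ' TO ' + QUOTENAME(@new)
     + CASE dp.state WHEN 'W' THEN ' WITH GRANT OPTION' ELSE '' END
     + ';' AS statement_to_review
FROM sys.database_permissions AS dp
JOIN sys.database_principals  AS pr ON pr.principal_id = dp.grantee_principal_id
JOIN sys.objects              AS o  ON o.object_id     = dp.major_id
WHERE dp.class    = 1                 -- object-level permissions
  AND dp.minor_id = 0                 -- whole object, not a single column
  AND dp.state   IN ('G', 'W', 'D')   -- GRANT, GRANT WITH GRANT OPTION, DENY
  AND pr.name     = @old
ORDER BY o.name, dp.permission_name;

-- Permissions held at schema or database level are not object rows;
-- list them separately so they are not lost in the move.
SELECT dp.class_desc, dp.permission_name, dp.state_desc, dp.major_id
FROM sys.database_permissions AS dp
JOIN sys.database_principals  AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE dp.class <> 1
  AND pr.name   = @old;
```

Run the generated statements only after checking them against what the new group should actually be able to do; the second result set shows whether the old group also held broader grants.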