I have a sql server database that uses linked server concept to connect to DB2 database. The DB2 database has read access only. I need to check every day whether the Db2 user is locked or not (due to incorrect password entered more than three times) from SQL Server. Once this is checked I can probably send an email to set of users about the status of the DB2 user (locked or unlocked)
How I can implement this feature? I am aware about SQL Server "loginproperty" concept that checks whether the user (using SQL Server Authentication) is locked out or not.
Thanks,
DB2 does not do user authentication -- the task is delegated to the operating system (or LDAP, if so configured). Therefore you will need to get the locked account information from that external authority (OS or LDAP), not DB2.
Query the remote table. If you get an error SQL30082N, the account is locked.
Related
I have a scheduled task on my warehouse server that runs a batch file, which triggers a command that runs a sproc on my SQL server. The task is set up to run as ACCOUNTS\sqlservice.
I recently made some updates to my linked server objects to avoid warehouse users querying data from them by mapping just the user(s) that should have query access in the linked server security. While mapping the local sql server login to sql server login works, I can't seem to map a domain account between the two servers successfully, that is, the ACCOUNTS\sqlservice, who has sa on both servers.
Any ideas on how I can give the sqlservice account access to query the linked server object? Thank you!
One solution: use an appropriate alternative user for the remote mapping that is a local sql server login rather than a domain account.
There may be another way to do this between domain accounts, but haven't the time for that.
I backed up a database from a SQL Server 2008 and restored it to my local machine using SQL Server 2012, now I'm trying to login to the server with the copied database user account and I wasn't able to do so.
After googling the issue I found that I have to change the user type from SQL User Without Login to SQL User with Login but the drop-down list is disabled as you can see in the picture below, how can I fix this and is this is the best way of doing what I need to accomplish or do I need to add this user to the server level?
I remember running into this before when doing backup / restore across servers. Basically it comes down to how SQL Server works. There's SQL Server users & there's database users (SQL Server users who are database users are represented via mappings). They are however not the same thing.
A SQL Server user belongs to the SQL Server, a database user ONLY belongs to the associated database. What happens when you have a database user, but not a SQL Server user? You can't login to SQL Server non-obviously.
Thereby what I do is after moving the database, I add the user I need to login as to SQL Server users using SSMS, remove the old database user (it's got dependencies associated w it that prevent mapping to it) & lastly make a new user on the database by mapping my SQL user to the database w appropriate permissions.
This approach is by no means elegant, but it works 100% of the time w no code needed, & you should consider a more permanent system if you have automated backup / restores happening. For the one off, this is how I've always done it.
I am trying to audit our security for our SQL Servers. I am trying to run a trace on a database to get the users that logon and access the database. However if the query is ran from a different database there are no logon events generated.
Example: I am trying to trace logons for [Database2]
Use [Database1];
Go
SELECT * FROM [Database2].[dbo].[Table]
But there are no events logged in the trace under Database2.
Our environment is SQL Server 2008 R2 Standard Edition. Any suggestions would be appreciated.
This is because database users don't login to SQL Server. SQL Server has security entities called "logins" that are used to login to an instance of SQL Server. These logins are either Windows logins from Active directory or SQL Server logins, that you can define and specify user name and a password. Database "users" are defined at database level. Users don't login to anywhere, they don't even have a password. The idea is that SQL Server "login" is mapped to a specific database "user" when connecting to a specific database.
Your query to a different database doesn't generate a login, because logon is a server-wide event, not a database-wide.
For example see here
I have a Microsoft SQL server database and a set of users.
Now in my app I want to make some functionality only visible, if the user has entered username and password with certain rights (admin).
Since the databases and the usernames and their rights can change, how do i check what permissions/rights an Microsoft SQL server user has?
You can check current user's right on certain securables using [sys.fn_mypermissions][1] which returns all permission on the securable. You can also check a specific permission with HAS_PERMS_BY_NAME. Eg. you can check for CONTROL SERVER permission which implies an administrator is logged in:
SELECT HAS_PERMS_BY_NAME(null, null, 'CONTROL SERVER');
The simplest way to do this is using the IS_MEMBER('rolename') function, that checks whether the user is in the role/group 'db_owner'. The function will perform a check at database level, and returns 1 (Int32), if the user has the specified role.
If you need to check at server level, you can use the IS_SRVROLEMEMBER function. Both are available since SQL Server 2005.
I'm not entirely certain that I understand your problem definition however assuming I do.....
I would suggest that you create a SQL Server Database Role that you can add the relevant application users to, perhaps via some group membership maintained within the App (or a Windows Domain Group). You can use the group to Role mapping to independently manage user membership, from managing the relevant permissions to securables within the database via the Role.
This way, you just need to check that an application User is a member of the relevant application or windows group, without the need to query the security configuration of SQL Server.
As per requirement i need to get the information whether an user is present in given database or not. Whether there is any stored procedure which i can use to get this information of user. I just want to check whether user is present in given database, and proceed further with my usage.
I am using MSSQL Server 2005.
Also i need another information, there is on method LastErrorMessage() to get the last error message in ADO. is there any method to get the error number.
Thanks,
Santhosha
SQL Server has logins (server level) and users (database level). Users are permissioned on databases/database objects and are mapped (well not neccessarily) to logins (roles are also at database level).
users are available from the sys.database_principals system view in each database
logins are available from the sys.server_principals
You need to be aware that you can only see objects/principals which the user you are using to connect to SQL server has permission to see. So a user might exist, even if you don't see it in the views.