I am having a problem with granting proper privileges to a server level role that I created. Whenever a user from the role tries to grant permition to other user I am getting an error like in the title. I did some research and add with grant option when I grant role priveleges but that not helped. I want to keep my role priveleges as low as it must be to perform the given script.
Here is how I create my role
CREATE SERVER ROLE [My_Server_Role]
go
GRANT ALTER ANY LOGIN
,ALTER ANY SERVER ROLE
,CONNECT SQL
TO [My_Server_Role]
WITH GRANT OPTION
go
now I have a user created like this (and a second one the same way)
CREATE LOGIN JohnSmith
WITH PASSWORD = 'MyPassword'
CREATE USER JohnSmith
FOR LOGIN JohnSmith
EXEC sp_addsrvrolemember [My_Server_Role], [JohnSmith]
Now, my problem is that whenever JohmSmith tries to execute
DENY CONNECT SQL TO [ThatOtherUser]
I have read to add WITH GRANT OPTIONS to CREATE ROLES statements but it didn't help. I can add CONTROL SERVER to MyServerRole but then users are getting too high privileges and are able co control other databases
Can anyone help? Perhaps i am messing something up with the idea. My point is to grant user (roles) priveleges to one database only plus I do not want to use build in server and database roles
You have two solutions for this:
1) Define the AUTHORIZATION for the role (See here)
CREATE SERVER ROLE role_name [ AUTHORIZATION server_principal ]
role_name
Is the name of the server role to be created.
AUTHORIZATION server_principal
Is the login that will own the new server role. If no login is specified, the server role will be owned by the login that executes CREATE SERVER ROLE.
The server principal will be able to grant the role.
2) Use CONTROL ON ROLE
You can add it within the list of the GRANTed permissions. Look at the Database role permissions section in this document:
From DENY server permissions:
Requires CONTROL SERVER permission or ownership of the securable. If you use the AS clause, the specified principal must own the securable on which permissions are being denied.
So, it would seem that because your server role doesn't have CONTROL SERVER, they can't deny connect themselves.
Related
I am unable to get the list of all the databases as it looks like my Azure Admin user privileges have been revoked after the admin user password was changed through the admin portal.
If I log into the Azure portal then I can see all the databases but through the Client Application like WorkBench - Admin users don't see any databases.
Please advise how to resolve this as it has been working fine prior to the admin password was changed.
Thank you.
The procedure you followed to reset the password by you is unknown at this moment. I would like to suggest you follow the procedure mentioned below.
then after clicking on reset password, change the password.
If the password is reset, the admin privileges will reset to default. that is the natural agenda. If the issue is still active, it is suggestable to raise the ticket to the support system.
I'm working on SQL Server. I created a new login, new user to the database then I log into the instance with sql server authentification using the same login.
I gave the user all the privileges by checking these
I've run the command :
grant all to [user]
and got this error
Cannot grant, deny or revoke permissions to sa, dbo, entity owner, information_schema, sys or yourself.
and then still can't save changes and update tables because it's not permitted.
how can I grant all the privileges the the user?
Thanks in advance.
Grant permissions using SA user because you can not give restricted permissions to yourself if you don't have permission to do it.
I created a login named logintest (SQL Authentication) then i created a user named usertest with this login
the user creation is successful, And i changed the authentication mode to mixed mode and also restarted the services SQLSERVERAGENT and MSSQLSERVER
and still this error appear when i try to login with the new user created
Cannot connect to SARAH.
Login failed for user 'usertest'. (Microsoft SQL Server, Error: 18456)
The login must have CONNECT right given.
The login must be enabled.
The default database linked to the login must be a database to which the login has rights to connect (for example by default master database gives rights to guest user to connect).
USE [master]
GO
ALTER LOGIN [logintest] WITH DEFAULT_DATABASE=[master]
GO
GRANT CONNECT SQL TO [logintest]
GO
ALTER LOGIN [logintest] ENABLE
GO
Then make sure the password is correct and that guest user is enabled on master database.
When a login is created in sql server to connect to it, does it also creates a default user ?
If you create a server login, like:
CREATE LOGIN TestUser WITH PASSWORD=N'password', DEFAULT_DATABASE=master
It will not create a database user, not even in the default database. However, the login can access any database that has the guest user enabled.
I created a login named mylogin with password= 'pass_1'
Then i logged into sql server using this login & tried to create a database , which gave the error that permission denied.
Then i executed this : sp_addsrvrolemember 'mylogin', 'dbcreator'
Then, again I logged into sql server using above login & tried to create a database, this time the database was created successfully
This was because I added the dbcreator server role for the login.
But, then i created a USER myloginuser for LOGIN mylogin ,
then executed this query:
execute as user = 'myloginuser'
then again i tried to create a database, but it failed. why so?
when the login MYLOGIN to which the user MYLOGINUSER is associated has the permission to create a database then why does the user does not have the permission? then whats the solution for this? do i have to grant permission to the user separately irrespective of the permissions granted to the login?
also, a user which is created for a login , have to be created inside a database? is it necessary?
The default user for the LOGIN [mylogin] was mylogin (which was created executing
sp_addsrvrolemember 'mylogin',
'dbcreator'
Hence this mylogin user had the db create permission. But you have created a MYLOGINUSER for the same Login. So the existing user mylogin was set to orphaned user, hence the mylogin Login dropped the db creator permission.
Is the SQL Server Authenticationmode set to Mixed instead of Windows?
Ypu'll have to set it to mixed.
A user must be created at the SQL Server level and given permissions in (mapped to) a database.