I want to give our technician rights to restore one particular database from a backup file. What are the minimum rights I can give him?
You could use the Server Role dbcreator to restore the database and the Database Role db_backupoperator to backup the database, as pointed out by #RBarryYoung in this great answer.
You can specify these settings in the properties of the login, selecting the tab Server Roles and User Mapping.
Related
The question is in the title. :)
From the RESTORE DATABASE documentation:
Permissions
If the database being restored does not exist, the user
must have CREATE DATABASE permissions to be able to execute RESTORE.
If the database exists, RESTORE permissions default to members of the
sysadmin and dbcreator fixed server roles and the owner (dbo) of the
database (for the FROM DATABASE_SNAPSHOT option, the database always
exists).
RESTORE permissions are given to roles in which membership
information is always readily available to the server. Because fixed
database role membership can be checked only when the database is
accessible and undamaged, which is not always the case when RESTORE is
executed, members of the db_owner fixed database role do not have
RESTORE permissions.
Is it possible to create a Firebird 3 user who may do backups of a given database but cannot connect as sysdba and use things like tracing or looking into the environment of all sessions?
In Firebird 2.5 and higher, you can grant a user the RDB$ADMIN role in a database. This will give that user owner or SYSDBA equivalent rights in that database.
GRANT [ROLE] RDB$ADMIN TO username
See also RDB$ADMIN Role in the Firebird 2.5 language reference.
A user with the RDB$ADMIN role can backup the database, provided the role is explicitly specified (option -role or -ro).
If you think that granting administrator rights to a user might be too much, consider that a user who can backup and restore a database can essentially do anything to the database. For example change owner on restore, or restore on a different machine where they are SYSDBA make necessary changes like granting privileges, manipulate data, etc and then back that up and restore over the original.
Firebird 4 will introduce an additional privilege USE_GBAK_UTILITY which can be use to specifically grant a user to only perform gbak operations. My previous point is an important caveat: a user that can backup and restore can do more than you think.
In other words, allowing a user to backup a database without granting them some form of administrator control over the database is not possible.
gbak just connects as regular connection to server and reads data through regular SELECT statements, and put them into a backup file. You need to specify either SYSDBA or database owner's account, because of only these accounts have a full access to all data and metadata of database.
As a solution of your problem you could create a batch file with a gbak command and give to the user only rights to execute this file.
In my SQL Server 2012 I have created a server role. I would like the server role can alter just one database one the server because I have many database on the server. How can I grant access for alter data in one database on the server?
Thank you in advance,
Nico.
Presumably you have just added the login to the server. Unless you have given the login sysadmin (I presume you have not), you will need to individually set the security per database ie. map the user to the database, e.g.
USE [Database]
GO
CREATE USER [User] FOR LOGIN [User] WITH DEFAULT_SCHEMA=[dbo]
GO
You will need to add the user to Security/Users in the actual database folder. If you want them to read/write data into/from existing tables, give them db_datareader and db_datawriter by right clicking and going to Properties -> Membership. If you want them to be able to create/drop objects in the database e.g. tables, they also need db_owner. They only have the rights for that db.
In addition of what TJB said, please document on : https://msdn.microsoft.com/ro-ro/library/ms178569.aspx
I'm trying to make a copy of a database in Azure. This requires that the user logged in be the db_owner of the database.
Unfortunately the person who created the database has left and we don't have their login credentials and they don't remember them either.
Is there any way to change the db_owner in Azure databases?
Note: Doing EXEC sp_addrolemember 'db_owner', 'login1User' doesn't work for this as the actual owner account is needed to copy a database in Azure.
ALTER AUTHORIZATION ON DATABASE::<YourDatabaseName> to [NewOwner];
You probably want to reset the password on the server (not the database). When you click on "SQL Databases" tab on the portal, you'll go to a list of your databases. On there there will be a
"Server" column. The entries in that column are hyperlinks. Click on the server you don't know the password for. on the Dashboard page for the server for the SQL Database you'll see a "Reset Administrator Password" link on the right under "quick glance".
Once you do that you can log into the management console for the database and change the logins for the database with ALTER LOGIN
To my knowledge there is no way to do this. Try looking in the former employees code for connections strings and hardcoded passwords.
You can also review this guide to see if there are any commands that may help you: Managing Databases and Logins in Windows Azure SQL Database
I was wondering if anybody knew exactly what permissions where needed on a database in SQL Server 2005+ so that when a person uses SQL Server Management Studio, they could then be able to at minimum see the Database Diagrams.
I have tried giving the person db_datareader, db_datawriter, and db_ddladmin, but to no avail.
I have also tried giving them access in the Properties → Effective Permissions of the user. Under Effective Permissions, I could not find the database object type for "database diagrams" or anything like that to give the user access to.
They are running SQL Server Management Studio (non-express version.)
Any help would be great.
FYI, I did not want to give them db_owner access.
EDIT:
As to one of the comments: Yes, the database is an SQL Server 2005 database.
As to one of the answers, moving the DB from production to development is not an option.
Giving admin rights is not the right approach, you need to be Database Owner for Database Diagrams, check out this thread for more details.
First you need to set up Diagram Designer (you need to be db_owner for that). Just expand the Diagrams node, and press 'Yes' to enable diagramming.
After that all other db users can create diagrams and see their own diagrams. Only db_owner can see other's diagrams.
Also the db_owner can change diagram owner to himself, but the original owner must be removed from database before doing that.
Copy the database to a development system, and grant the developers administrative rights. Anything else is a waste of time (like researching this question.)
See this post for better explanations.