When provisioning a new Azure Active Directory user's access to an Azure SQL Data Warehouse or Database does the user need to be added to the master database in the Azure SQL Server?
This documentation only talks about adding the Azure Active directory user to the specific warehouse database and associating them with a role within that database. I have however found that unless the user is added also added to the master database then they cannot sign on via SSMS.
Here is what I am doing:
CREATE USER [joe#domain.com]
from external provider
WITH DEFAULT_SCHEMA = dbo
EXEC sp_addrolemember 'db_datareader', 'joe#domain.com'
--toggle to master
CREATE USER [joe#domain.com]
from external provider
WITH DEFAULT_SCHEMA = dbo
Does the user always need to be added to master? Is there a better way to configure security so that I do not always have to add the user to master? Am I totally missing something here?
I am working on a project and I have access to SQL Server as external user with limited privileges.
When I want to create a login for example with this command, I get permission denied:
CREATE LOGIN [login] WITH PASSWORD=N'test', DEFAULT_DATABASE=[master],
DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF)
However when I try to create a login with this command I can make it and also I have privileges now to enable xp_cmd shell as well:
EXECUTE('EXECUTE(''CREATE LOGIN [test5] WITH PASSWORD=N''''test'''',
DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'') AT "hostname\domain"')
EXECUTE('EXECUTE(''ALTER SERVER ROLE [sysadmin] ADD MEMBER [test5]'')
EXECUTE('EXECUTE(''ALTER SERVER ROLE [db_owner] ADD MEMBER [test5]'')
Can someone please explain why is that?
EXECUTE('string sql statement') AT "hostname\domain" == the 'string sql statement' is a pass-through command executed at the linked server "hostname/domain".
Has someone created a loop-back linked server (a linked server that points to the sql instance itself)?
Linked servers have their own security configuration/settings. If the security of the linked server is configured (for any login) to be made under the security context of a privileged login(eg. sa) then exec('') at linkedserver will be executed with way more/elevated permissions (than expected). This is a major security issue/hole.
Check the security of the linked server and change accordingly (and do you really need a loopback linked server?)
I am unable to create a database in SQL Server 2008. This is the message that I recieve every time:
TITLE: Microsoft SQL Server Management Studio
------------------------------
Create failed for Database 'university'. (Microsoft.SqlServer.Smo)
------------------------------
ADDITIONAL INFORMATION:
An exception occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)
------------------------------
CREATE DATABASE permission denied in database 'master'. (Microsoft SQL Server, Error: 262)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=10.00.1600&EvtSrc=MSSQLServer&EvtID=262&LinkId=20476
What should be done?
This is related to the permission of the logged in user.
Solution 1)
Click on Start -> Click in Microsoft SQL Server 2005
Now right click on SQL Server Management Studio
Click on Run as administrator
Solution2)
check with select user_name() if you are not logged in as guest.
Add a domain account as sysadmin to SQL Express with SQLCMD
Start a command shell elevated
type SQLCMD –S (local)\sqlexpress
CREATE LOGIN [your domain account] FROM WINDOWS;
check if the login is created successfully
SELECT NAME FROM SYS.SERVER_PRINCIPALS
Grant sysadmin rights
SP_ADDSRVROLEMEMBER ‘darth\vader’, ‘sysadmin’
Reference : http://blogs.msdn.com/b/dparys/archive/2009/09/17/create-database-permission-denied-in-database-master-my-fix.aspx
You need to give the account your using permission to create databases.
You may need to login using the sa account and perform a GRANT on the user account.
GRANT CREATE DATABASE TO YourAccount;
http://msdn.microsoft.com/en-us/library/ms178569.aspx
I wrote a little app to backup SQL Azure databases using the very usefull 'CREATE AS COPY OF' command in SQL Azure. e.g.
CREATE DATABASE MyNewDB AS COPY OF MyOldDB
I run this command with the admin login (first login you get when creating a server). My Question: What are the minimal permissions a new login would need to execute the above command?
So far here's what I've done:
-- IN MASTER DB --
CREATE LOGIN DBCreator WITH PASSWORD = '?????????????'
CREATE USER DBCreator FROM LOGIN DBCreator;
EXEC sp_addrolemember 'dbmanager', 'DBCreator';
-- IN MyOldDB --
-- (I ran this stuff when the previous commands didn't do it) --
CREATE USER DBCreator FROM LOGIN DBCreator;
EXEC sp_addrolemember 'db_datareader', 'DBCreator'; --
And the result when running the above CREATE DATABASE command:
CREATE DATABASE permission denied in database 'MyOldDB'.
I could not add the db_owner role to new login, the command
EXEC sp_addrolemember 'db_owner', 'NewLogin'
throws the error
Cannot alter the role 'db_owner', because it does not exist or you do not have permission.
But using the dbmanager role works
EXEC sp_addrolemember 'dbmanager', 'NewLogin'
There is useful information in the article Managing Databases and Logins in Windows Azure SQL Database.
I want to write a script to create a admin user ( with abcd password ) in SQL Server Express.
Also I want to assign this user admin full rights.
Based on your question, I think that you may be a bit confused about the difference between a User and a Login. A Login is an account on the SQL Server as a whole - someone who is able to log in to the server and who has a password. A User is a Login with access to a specific database.
Creating a Login is easy and must (obviously) be done before creating a User account for the login in a specific database:
CREATE LOGIN NewAdminName WITH PASSWORD = 'ABCD'
GO
Here is how you create a User with db_owner privileges using the Login you just declared:
Use YourDatabase;
GO
IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'NewAdminName')
BEGIN
CREATE USER [NewAdminName] FOR LOGIN [NewAdminName]
EXEC sp_addrolemember N'db_owner', N'NewAdminName'
END;
GO
Now, Logins are a bit more fluid than I make it seem above. For example, a Login account is automatically created (in most SQL Server installations) for the Windows Administrator account when the database is installed. In most situations, I just use that when I am administering a database (it has all privileges).
However, if you are going to be accessing the SQL Server from an application, then you will want to set the server up for "Mixed Mode" (both Windows and SQL logins) and create a Login as shown above. You'll then "GRANT" priviliges to that SQL Login based on what is needed for your app. See here for more information.
UPDATE: Aaron points out the use of the sp_addsrvrolemember to assign a prepared role to your login account. This is a good idea - faster and easier than manually granting privileges. If you google it you'll see plenty of links. However, you must still understand the distinction between a login and a user.
Full admin rights for the whole server, or a specific database? I think the others answered for a database, but for the server:
USE [master];
GO
CREATE LOGIN MyNewAdminUser
WITH PASSWORD = N'abcd',
CHECK_POLICY = OFF,
CHECK_EXPIRATION = OFF;
GO
EXEC sp_addsrvrolemember
#loginame = N'MyNewAdminUser',
#rolename = N'sysadmin';
You may need to leave off the CHECK_ parameters depending on what version of SQL Server Express you are using (it is almost always useful to include this information in your question).
You can use:
CREATE LOGIN <login name> WITH PASSWORD = '<password>' ; GO
To create the login (See here for more details).
Then you may need to use:
CREATE USER user_name
To create the user associated with the login for the specific database you want to grant them access too.
(See here for details)
You can also use:
GRANT permission [ ,...n ] ON SCHEMA :: schema_name
To set up the permissions for the schema's that you assigned the users to.
(See here for details)
Two other commands you might find useful are ALTER USER and ALTER LOGIN.
If you want to create a generic script you can do it with an Execute statement with a Replace with your username and database name
Declare #userName as varchar(50);
Declare #defaultDataBaseName as varchar(50);
Declare #LoginCreationScript as varchar(max);
Declare #UserCreationScript as varchar(max);
Declare #TempUserCreationScript as varchar(max);
set #defaultDataBaseName = 'data1';
set #userName = 'domain\userName';
set #LoginCreationScript ='CREATE LOGIN [{userName}]
FROM WINDOWS
WITH DEFAULT_DATABASE ={dataBaseName}'
set #UserCreationScript ='
USE {dataBaseName}
CREATE User [{userName}] for LOGIN [{userName}];
EXEC sp_addrolemember ''db_datareader'', ''{userName}'';
EXEC sp_addrolemember ''db_datawriter'', ''{userName}'';
Grant Execute on Schema :: dbo TO [{userName}];'
/*Login creation*/
set #LoginCreationScript=Replace(Replace(#LoginCreationScript, '{userName}', #userName), '{dataBaseName}', #defaultDataBaseName)
set #UserCreationScript =Replace(#UserCreationScript, '{userName}', #userName)
Execute(#LoginCreationScript)
/*User creation and role assignment*/
set #TempUserCreationScript =Replace(#UserCreationScript, '{dataBaseName}', #defaultDataBaseName)
Execute(#TempUserCreationScript)
set #TempUserCreationScript =Replace(#UserCreationScript, '{dataBaseName}', 'db2')
Execute(#TempUserCreationScript)
set #TempUserCreationScript =Replace(#UserCreationScript, '{dataBaseName}', 'db3')
Execute(#TempUserCreationScript)
CREATE LOGIN AdminLOGIN WITH PASSWORD = 'pass'
GO
Use MyDatabase;
GO
IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'AdminLOGIN')
BEGIN
CREATE USER [AdminLOGIN] FOR LOGIN [AdminLOGIN]
EXEC sp_addrolemember N'db_owner', N'AdminLOGIN'
EXEC master..sp_addsrvrolemember #loginame = N'adminlogin', #rolename = N'sysadmin'
END;
GO
this full help you for network using:
1- Right-click on SQL Server instance at root of Object Explorer, click on Properties
Select Security from the left pane.
2- Select the SQL Server and Windows Authentication mode radio button, and click OK.
3- Right-click on the SQL Server instance, select Restart (alternatively, open up Services and restart the SQL Server service).
4- Close sql server application and reopen it
5- open 'SQL Server Configuration Manager' and tcp enabled for network
6-Double-click the TCP/IP protocol, go to the IP Addresses tab and scroll down to the IPAll section.
7-Specify the 1433 in the TCP Port field (or another port if 1433 is used by another MSSQL Server) and press the OK
8-Open in Sql Server: Security And Login And Right Click on Login Name And Select Peroperties And Select Server Roles And
Checked The Sysadmin And Bulkadmin then Ok.
9-firewall: Open cmd as administrator and type:
netsh firewall set portopening protocol = TCP port = 1433 name = SQLPort mode = ENABLE scope = SUBNET profile = CURRENT
This past week I installed Microsoft SQL Server 2014 Developer Edition on my dev box, and immediately ran into a problem I had never seen before.
I’ve installed various versions of SQL Server countless times, and it is usually a painless procedure. Install the server, run the Management Console, it’s that simple. However, after completing this installation, when I tried to log in to the server using SSMS, I got an error like the one below:
SQL Server login error 18456
“Login failed for user… (Microsoft SQL Server, Error: 18456)”
I’m used to seeing this error if I typed the wrong password when logging in – but that’s only if I’m using mixed mode (Windows and SQL Authentication). In this case, the server was set up with Windows Authentication only, and the user account was my own. I’m still not sure why it didn’t add my user to the SYSADMIN role during setup; perhaps I missed a step and forgot to add it. At any rate, not all hope was lost.
The way to fix this, if you cannot log on with any other account to SQL Server, is to add your network login through a command line interface. For this to work, you need to be an Administrator on Windows for the PC that you’re logged onto.
Stop the MSSQL service.
Open a Command Prompt using Run As Administrator.
Change to the folder that holds the SQL Server EXE file; the default for SQL Server 2014 is “C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn”.
Run the following command: “sqlservr.exe –m”. This will start SQL Server in single-user mode.
While leaving this Command Prompt open, open another one, repeating steps 2 and 3.
In the second Command Prompt window, run “SQLCMD –S Server_Name\Instance_Name”
In this window, run the following lines, pressing Enter after each one:
1
CREATE LOGIN [domainName\loginName] FROM WINDOWS
2
GO
3
SP_ADDSRVROLEMEMBER 'LOGIN_NAME','SYSADMIN'
4
GO
Use CTRL+C to end both processes in the Command Prompt windows; you will be prompted to press Y to end the SQL Server process.
Restart the MSSQL service.
That’s it! You should now be able to log in using your network login.