I am having trouble granting permissions to users of my database. For instance, I cannot seem to get my user SELECT privileges no matter how many securables and memberships I give it. I started by giving the user select permission database>security>Users>Properties>securables
and giving it db_datareader membership. After this did not work I added the user to all of the memberships and granted him all permissions available in the securables section. After that failed, I gave the user all permissions available in the security>login>properties, I added the login to all server roles accept sysadmin and gave the user ownership of all schemas in the database I want him to access. Still I get this same error below:
The SELECT permission was denied on object 'Patient_Information', database 'Clinical_Data', schema 'dbo'
When I add the login to the role sysadmin, the user that it is mapped to has no problem doing selects, inserts and basically anything else. The weird thing is that when I look into database>properties>Permissions the user does not have any of the permissions that I have granted him in the securables section. Here is the code I use to grant:
USE Clinical_Data; GRANT Select on schema::DBO to lab31
Thanks in advance for any help you can provide.
I usually create a database role and assign the user to the role. Assign the schema privileges to the database roles. A quick example of this using code for a fictitious database is below.
--
-- 1 - GRANTING CORRECT USER ACCESS BY SCHEMA
--
--create test user login
CREATE LOGIN [User1] WITH PASSWORD=N'p#55w0rd'
GO
-- Make sure we are in autos
USE [AUTOS]
GO
--create user in test database
CREATE USER [User1] FOR LOGIN [User1] WITH DEFAULT_SCHEMA=[ACTIVE]
GO
--create role
CREATE ROLE [Auto_User] AUTHORIZATION [dbo]
GO
--apply permissions to schemas
GRANT ALTER ON SCHEMA::[ACTIVE] TO [Auto_User]
GO
GRANT CONTROL ON SCHEMA::[ACTIVE] TO [Auto_User]
GO
GRANT SELECT ON SCHEMA::[ACTIVE] TO [Auto_User]
GO
--ensure role membership is correct
EXEC sp_addrolemember N'Auto_User', N'User1'
GO
If you are more comfortable with SQL Server Management Studio, here is a go. All actions might not be exact but I did check them with SS 2012.
Lets say your login is [bilbo] and the database they want to access is [middle earth].
Is the default database for the server login = [bilbo] the database they are trying to query, [middle earth]?
[SMSS object explorer path]: Server -> security -> logins -> right click + properties
Is the server login mapped to a database user named [bilbo] in the [middle earth] database?
[SMSS object explorer path]: Database name -> security -> users
Make sure the user [bilbo] is not in any deny database roles (db_denydatareader, db_denydatawriter). Any deny actions over ride any grants.
[SMSS object explorer path]: Database name -> security -> roles -> database roles -> select + right click + properties
{You would add your custom database role here.}
Make sure the user [bilbo] has permissions to the schema.
[SMSS object explorer path]: Database name -> security -> schemas -> select + right click + properties
This should give you the layout of the land.
Find the offending revoke or lack of permission and assign it.
Please do not give out all server roles or all database roles! You are just asking for a head ache when the user does something stupid like drop table.
Related
I have a requirement where I need to revoke users access on a particular schema as we will be purging that schema and its table in future.
Currently, the process followed to create Schema and grant access is like below,
Create Schema
Create DB Role
Create Azure AD Group on azure portal
Create DB User with the same name as AD group
Then, we run EXEC sp_addrolemember command to add DB user to DB role in database.
Finally, we run the Grant command to give permission (Select, Insert etc) on Schema to DB Role.
Now, whenever any new user need access to that schema we simply add him in the Azure AD group and he is able to see and access that schema.
However, when I Revoke the access of user by removing him from Azure AD group he is still able to see that Schema.
As I am not an expert in SQL so I am not sure what am I missing in order to revoke his access.
I also tried Revoke command like below but still the user is able to see the schema.
REVOKE SELECT ON SCHEMA :: Schema_Name TO [DB Role]
Am I missing anything, can anyone please let me know the right steps to revoke user access so that they should not be able to see that schema anymore or should not be able to run any command on that schema not even select command?
Then, in addition to remove it from the AD group, try to deny permissions on the schema:
DENY SELECT,VIEW DEFINITION On SCHEMA::Schema_Name To [user_name]
I am connecting to my SQL studio manager using Power BI (a report writing software). I only want tables appearing listed under a certain schema, and deny permission to access all others, instead of displaying all tables which it currently does.
Usually, when preventing individual users from accessing a schema, I would use the following code:
revoke select on schema::UnwantedSchema to User
grant select on schema::WantedSchema To User
However, now I want it so ALL users and Logins have these permission settings. Not just the individual user. Is there a way I can do this without having to set the permissions for every individual user?
If you wanted to set the privileges to multiple user logins, You need to create a role and assign the role to the ers to that role. The give required permission to the role created.
Following are the sample steps.
--Create a new role
EXEC sp_addrole 'yourRole'
GO
--Assiging role to the user
EXEC sp_addrolemember 'yourRole', 'yourUser';
GO
--Assigning permissions to the Role
GRANT ALTER, DELETE, EXECUTE, INSERT, REFERENCES, SELECT,
UPDATE, VIEW DEFINITION ON SCHEMA::YourSchema TO yourRole;
GO
GRANT CREATE TABLE, CREATE PROCEDURE, CREATE FUNCTION, CREATE VIEW TO yourRole;
GO
I have a user set up in SQL Server Management Studio whose user mapping is set so they can only access the 'ReportServer' database.
When I connect to my SQL Server through MS Word, I am given the following options for databases to connect to:
enter image description here
I do not want this user to have access to, or even be able to see the master, tempdb or msdb databases, and I have not got them selected in the user mapping for this user. How can I set it up so the user can't see these databases?
Use DENY View..
DENY VIEW ANY DATABASE TO testuser;
Steps in general include..
1.Create login with default database
2.create user for that login in all databases
3.Deny view
DENY VIEW ANY DATABASE TO testuser;
step1:
//create login with default database
1.USE [master]
GO
CREATE LOGIN loginame FROM WINDOWS WITH DEFAULT_DATABASE='testdb'
GO
step2:
2.create user in all databases..
use testdb
create user username for loginname
Now You can assign Permissions to that user like read,write... and by default this user will be shown only one database..
Step3:
DENY VIEW ANY DATABASE TO testuser;--this should be repeated in all databases which you wish to hide from user..
if you have aleady existing login..Then you can change default login for that user like below..
Exec sp_defaultdb #loginame='login', #defdb='testdb'
References:
https://www.mssqltips.com/sqlservertip/2995/how-to-hide-sql-server-user-databases-in-sql-server-management-studio/
I am creating a new read/write user on SQL Azure as follows:
-- Connected to master
create login [fred] with password = 'xxx';
-- Connected to my DB
create user [fred] from login fred;
EXEC sp_addrolemember 'db_datareader', 'fred';
EXEC sp_addrolemember 'db_datawriter', 'fred';
When I login using SSMS I get an error saying Cannot open database "master" requested by the login. The login failed.
What am I doing wrong or missing?
By default, SSMS tries to connect to master, but your new account does not have access to master; only the user database I presume.
On the login screen of SSMS, you need to specify the database name as well; just click on the Options >> icon, which opens up the Connection Properties tab. In there, specify the database name you are trying to connect to.
After creating the database user in the specific database Database1,
again select 'master' and create database user.
Execute below statement twice - one for Database1 and another for 'master'
CREATE USER appuser1 FROM LOGIN appuser1;
Unfortunately, this is not documented in Azure help
https://learn.microsoft.com/en-gb/azure/azure-sql/database/logins-create-manage
--> Open new query window for master database and execute this commands
CREATE LOGIN AppLogin WITH password='XXXXXX'
GO
CREATE USER [AppUser] FOR LOGIN [AppLogin] WITH DEFAULT_SCHEMA=[dbo]
GO
--> Open new query window for YOUR Database
CREATE USER [AppUser] FOR LOGIN [AppLogin] WITH DEFAULT_SCHEMA=[dbo]
GO
EXEC sp_addrolemember 'db_owner', 'AppUser';
GO
Source: How to create custom user login for Azure SQL Database
As Karol commented in Herve Roggero's response, I had the same problem even after selecting the database.
In our case the problem was that the users we created in our databases were disabled.
After we run the following script in the database we wanted to connect for each user:
GRANT CONNECT TO [ourDbUser]
We refreshed the database's users and now they were enabled, and then we were able to connect to the database successfully.
For me, the issue was that the person who created the user on the database did so without specifying FROM LOGIN, therefore the user was available in the Security->Users tab, but login was still not possible. I had to recreate the user and linking it to the login with the same name on the database:
DROP USER [myuser]
GO
CREATE USER [myuser] FROM LOGIN [myuser] WITH DEFAULT_SCHEMA=[dbo]
GO
and then granting the correct permissions on the database, in my case:
ALTER ROLE db_datareader ADD MEMBER [myuser]
ALTER ROLE db_datawriter ADD MEMBER [myuser]
Two other reasons that can trip you up:
The Server Login and the Database User must be the same. You cannot have APILogin link to APIUser, Azure just doesn't like it
Hyphens aren't allowed in usernames on Azure, so you can't have API-User
I am using SQL Server authentication with login name sa (default)
When I execute query
select session_user
I get dbo as a user. I want to change this, how can I do this using SQL query? Also what is a schema in SQL?
Sql server has 2 different notions
login: what you use to connect to the server
User: what you give rights to in a database
When your login is granted database access you are actually creating a database user mapped to the login. The sa is the system administrator account and mapped to the dbo (database owner user) on the system databases. When you are logged in with a user with the create database right and create a new database this login will be automatically mapped to the dbo user.
If you want to change this afterwards, you need to map the dbo user to a new login. Afterwards you can map the sa account to another database user.
use master
create login xxx with password = 'yyy', check_policy = off
use <yourdatabase>
exec sp_changedbowner 'xxx'
create user 'newuser' from login 'sa'
This way the sa login will be mapped to the newuser database user from now on.
A schema is a securable item which can be used to group database objects. Each database user has a "default schema" assigned.
Schema is a way of categorising the objects in a database. It can be useful if you have several applications share a single database and while there is some common set of data that all application accesses.
DBO is a DataBase Owner. You have created the database and you are a database owner.