I am creating some users on SQL server but I am a little confused as to whether I grant "alter any login" or "alter any linked server" to my LOGIN or to the USER account?
As you all know, on SQL server, you create users in this order:
Create LOGIN sysUser1 (in master db)
Create USER myUser1 for LOGIN sysUser1 (in users db)
CREATE SCHEMA myUser1 AUTHORIZATION myUser1
then, run sp_addrolemember for myUser1 as needed
then, do grants
I am confused as to whether I should:
grant alter any login to myUser1
or
grant alter any login to sysUser1
Can anyone clarify? Am I thinking of this incorrectly?
ALTER LOGIN is a server level permission, so you can't grant it to database users. You need to grant it to sysUser1 in your case.
See http://msdn.microsoft.com/en-us/library/ms186717.aspx
Edit: Dito for linked server.
Logins and Linked Servers are both objects that exist at the instance level, as opposed to at the database level, so these permissions both need to be applied to the login, rather than the user.
If you are using SQL Server 2012, then it is possible to create you own Instance level roles, but in 2008 and below, you are rrestricted to the built in server roles.
There is a server role called setupadmin that lets members manage linked servers.
Related
I have got myself into a little bit of a bind, using SQL Server Management Studio to create a database in Azure SQL. My issue appears to be with assigning roles to users in the database. When I created the database, it prompted me to create a new login, with an associated user, that appeared to have all the rights of a database owner. However, I am now trying to create two additional logins and I realize I am screwed. The login that I created when I made the database isn't the database owner, even though I could do all the DDL / DML necessary to create the full schema under that account. I created an additional login, and I added two users to that login. I now want to add that login to a role (db_datareader, db_denywrite) but I cannot.
It appears that the database owner is a user / login called "dbo" that I did not set up. This is the only user that is added as a database owner, and subsequently is the only one that can edit roles. But I do not know the login credentials for this user!
if I use what I believed to be the administrator account (the one I made) to add a role I get the error:
Cannot alter the role 'db_datareader', because it does not exist or you do not have permission.
How can I fix this? How can I get my original account added as a DB Owner? There has got to be a way, but everything I tried points to the fact that I am not the owner of the resource I created; I'm an outcast in my own country...
Thanks!
Users are created with dbcreator and public role. They can create and delete their own databases.
How do I give them the ability to grant permission to their database to other users? Currently they can only see public and guest object.
You don't need to make someone a sysadmin. The minimum required permissions are described on this page.
In SQL Server, requires ALTER ANY LOGIN permission on the server or
membership in the securityadmin fixed server role.
These permissions still give a user a lot of power. They are able to delete other sysadmin logins.
Perhaps partial contained databases can be a solution for you.
A database user in a regular database needs to be mapped to a login on server level. Managing these server level logins requires a lot of permissions.
Database users within a partially contained database can exists without a login. These users can only login to that specific database. No server level permissions are required to manage these users.
I want to grant access to a user to a specific database with read and write access. The user is already available in the domain but not in the DB.
So, how can I give them that access with creating a new user and password?
Someone told me that it can be done with only specifying the user, domain & the DB that you want to give the user the access to without needing to create a new user and password.
This is the old way that I was implementing. It works but it creates a new login and user rather than using the one that is available in the domain:
use DBName;
create login a_2 with password='Aa123';
create user a_2 for login a_2;
grant insert to a_2;
grant select to a_2;
This is a two-step process:
you need to create a login to SQL Server for that user, based on its Windows account
CREATE LOGIN [<domainName>\<loginName>] FROM WINDOWS;
you need to grant this login permission to access a database:
USE (your database)
CREATE USER (username) FOR LOGIN (your login name)
Once you have that user in your database, you can give it any rights you want, e.g. you could assign it the db_datareader database role to read all tables.
USE (your database)
EXEC sp_addrolemember 'db_datareader', '(your user name)'
Create a new user/login in sql azure with access to read/insert/update on the database items like tables sp,view etc.
This user will not have the permission to drop table/drop procedures.
Please give me an example.
First connect to the server and switch to the master database. In master create a login and then add a user for that login to the master database.
CREATE LOGIN [MyLogin] WITH password='xxxxxxxxx'
GO
CREATE USER [MyUser] FOR LOGIN [MyLogin] WITH DEFAULT_SCHEMA=[dbo]
GO
Next connect/switch to the database you want the new user for. Create a user in that database
CREATE USER [MyUser] FOR LOGIN [MyLogin] WITH DEFAULT_SCHEMA=[dbo]
GO
EXEC sp_addrolemember 'db_datareader', 'MyUser';
GO
EXEC sp_addrolemember 'db_datawriter', 'MyUser';
GO
GRANT EXECUTE ON SCHEMA :: dbo TO MyUser;
GO
You can also use the Azure User Management console - AUMC to manage the Logins and Users.
It's an open-source project available on CodePlex AUMC.codeplex.com
UPDATE: Since CodePlex has been retired (thanks to #Danny the code was saved), I recreated a repo in GitHub and created a release.
This new version uses .NET 4.8
Project Description
Azure User Management Console - AUMC is a User
Graphic Interface (GUI) that manages the users and logins of an Azure
SQL database. The tool is simply converting your action into T-SQL
commands and executing them on the Azure SQL Database.
A quick simple tool with a user interface!
Enjoy!
please read this article from Microsoft on how to properly create logins, users and assigning access rights in SQL Azure: Managing Databases and Logins
Then, in order to assign or deny specific permissions, review this article from Microsoft as well: Granting Access to a Database Object
And here is the link to specifically deny access to permissions: Deny Object Permissions
Note that you can also apply permissions to schemas. A schema is a container of database objects on which you can assign permissions. So you could easily place all your stored procedures in a single schema that you created to that effect, deny alter/drop permission, and grant execute on the schema directly. This way, all the objects within that schema will inherit the permissions defined. Here is the article for schema permissions: GRANT Schema Permission
Also you can do it manually by assigning proper user roles. Check out article: How to create custom user login for Azure SQL Database
Some Azure sql administration tips can be found here
http://thetechnologychronicle.blogspot.in/2013/11/azure-sql-administration-useful-commands.html
http://thetechnologychronicle.blogspot.in/2013/11/securing-windows-azure-sql-using.html
I've moved to creating/using schemas in Sql Server 2005, where I've also created database roles and assigned schemas to the roles.
The problem I have is one of the db roles I have should have full access - say SuperSysRole.
However, when I assign a login to that role, it cannot execute specific commands. In particular, I want a user within this role to manage password resets. However, when I execute the stored procedure, it does not return back all users in the database.
The stored procedure has been run which returns back the details and calls a view which integrates the sysusers and sysmembers tables.
The user, say myAdmin, has been assigned to the role SuperSysRole. The role SuperSysRole has been granted execute to the stored procedure selectRoles.
It's probably a simple thing but can someone please tell me what I am missing?
My application authenticates using the myAdmin user name and password. It works fine when I login with the sa account.
Database role membership is queryable through the sys.database_principals and sys.database_role_members catalog views, which are the proper catalog views to use instead of the deprecated sysusers and sysmembers. Both have the same security restrictions:
In SQL Server 2005 and later versions,
the visibility of the metadata in
catalog views is limited to securables
that a user either owns or on which
the user has been granted some
permission.
The necessary permissions are listed in GRANT Database Principal Permissions: VIEW DEFINITION. There is no permission that can be granted to view any principal and role definition.
Your best option is to create a procedure that selects from the proper metadata catalog views and sign this procedure with a credential that is added into the db_securityadmin role. See Signing an Activated Procedure for an example how to sign a procedure. The grant EXECUTE on this procedure to whoever required to view these principals and role memberships.
However, all of this will get you nowhere with regard with the declared intent: manage password resets. Only server principals (aka. logins) have passwords, and any scheme designed at the database principals level can have no effect on server principals, since they are the wrong abstraction. And since there are no server roles to define (you can only have Windows groups as roles, but you want to use SQL Auth), you cannot have this done by role membership.
My recommendation is, again, to use code signing. Create procedures that do the activities you want (query sys.server_principals and sys.sql_logins to inspect password expiration, issue ALTER LOGIN statements to reset passwords etc) then use code signing to sign these procedures and grant the required privileges to the signature. I refer you again to Signing an activated procedure for an example how to do that. Then grant EXECUTE on these procedures to the 'special' users that have to manage these.