I am using SQL Server authentication with login name sa (default)
When I execute query
select session_user
I get dbo as a user. I want to change this, how can I do this using SQL query? Also what is a schema in SQL?
Sql server has 2 different notions
login: what you use to connect to the server
User: what you give rights to in a database
When your login is granted database access you are actually creating a database user mapped to the login. The sa is the system administrator account and mapped to the dbo (database owner user) on the system databases. When you are logged in with a user with the create database right and create a new database this login will be automatically mapped to the dbo user.
If you want to change this afterwards, you need to map the dbo user to a new login. Afterwards you can map the sa account to another database user.
use master
create login xxx with password = 'yyy', check_policy = off
use <yourdatabase>
exec sp_changedbowner 'xxx'
create user 'newuser' from login 'sa'
This way the sa login will be mapped to the newuser database user from now on.
A schema is a securable item which can be used to group database objects. Each database user has a "default schema" assigned.
Schema is a way of categorising the objects in a database. It can be useful if you have several applications share a single database and while there is some common set of data that all application accesses.
DBO is a DataBase Owner. You have created the database and you are a database owner.
Related
I try to map my other DB to a user by going to Security > Logins > right click someuser > Properties > User Mapping > Select DB > set as db_owner and then ok, but I keep on getting an error saying
User, group, or role 'someuser' already exists in the current database. (Microsoft SQL Server, Error: 15023)
What is causing the error, and how do I map that user to the database?
To fix the user and login mapping you need to open a query window in the SQL Server Management Studio. Enter the following two lines and replace myDB with the database name and myUser with the correct user name:
USE myDB
EXEC sp_change_users_login 'Auto_Fix', 'myUser'
If run successfully you should get an output like this one:
The row for user '****' will be fixed by updating its login link to a login already in existence.
The number of orphaned users fixed by updating users was 1.
The number of orphaned users fixed by adding new logins and then updating users was 0.**
Your user should now be mapped correctly.
Edit:
New way to Resolve/Fix an Orphaned User:
In the master database, use the CREATE LOGIN statement with the SID option to recreate a missing login, providing the SID of the database user.
CREATE LOGIN <login_name>
WITH PASSWORD = '<use_a_strong_password_here>',
SID = <SID>;
To map an orphaned user to a login which already exists in master, execute the ALTER USER statement in the user database, specifying the login name.
ALTER USER <user_name> WITH Login = <login_name>;
When you recreate a missing login, the user can access the database using the password provided. Then the user can alter the password of the login account by using the ALTER LOGIN statement.
ALTER LOGIN <login_name> WITH PASSWORD = '<enterStrongPasswordHere>';
if it is just one or two users, then easiest way is to drop the database user from the restored database, remap the database user to the server login using SSMS. If the server login does not exist then just create it, map the user.
Option 2: If you are migrating a large number of users, use sp_help_revlogin. sp_help_revlogin is a Microsoft supplied stored procedure that will help migrate logins from one server to another, including passwords and SIDs. Here is a good article about it SP_HELP_REVLOGIN : http://www.databasejournal.com/features/mssql/article.php/2228611/Migrating-Logins-from-One-SQL-Server-to-Another.htm
Code patches to help use it :
run following T-SQL Query in Query Analyzer. This will return all the existing users in database in result pan.
USE YourDB
GO
EXEC sp_change_users_login 'Report'
GO
Run following T-SQL Query in Query Analyzer to associate login with the username. ‘Auto_Fix’ attribute will create the user in SQL Server instance if it does not exist. In following example ‘ColdFusion’ is UserName, ‘cf’ is Password. Auto-Fix links a user entry in the sysusers table in the current database to a login of the same name in sysxlogins.
USE YourDB
GO
EXEC sp_change_users_login 'Auto_Fix', 'ColdFusion', NULL, 'cf'
GO
Run following T-SQL Query in Query Analyzer to associate login with the username. ‘Update_One’ links the specified user in the current database to login. login must already exist. user and login must be specified. password must be NULL or not specified
USE YourDB
GO
EXEC sp_change_users_login 'update_one', 'ColdFusion', 'ColdFusion'
GO
2) If login account has permission to drop other users, run following T-SQL in Query Analyzer. This will drop the user.
USE YourDB
GO
EXEC sp_dropuser 'ColdFusion'
GO
Create the same user again in the database without any error.
If you assign permissions to a database user without mapping it to the database first, it throws the error you mentioned.
You should be able to delete the user, map it to the database and then assign the user to the db_owner role.
First drop your user, then execute the script below:
USE [YOURDB]
GO
CREATE USER [USERNAME] FOR LOGIN [USERNAME]
GO
USE [YOURDB]
GO
ALTER USER [USERNAME] WITH DEFAULT_SCHEMA=[dbo]
GO
I had the problem when I was trying to copy a production database to a local test database. In SSMS, I made sure to disconnect from the production server before executing scripts on the local. However, even though I thought I had disconnected, someone pointed out that the title of the production database was still there, and I got errors that objects were already there. The solution was to totally exit from SSMS and start it again, only connecting to the local test database that time.
you can solve problem by expand database ->Security -> Users
and delete the user 'someuser' ,after that go to user mapping and assign.
this problem happen some times because the database user 'someuser' was deleted from 'Logins' in Security section in SSMS and the database still own this user
Create failed for User (Microsoft.SqlServer.Smo)
SQL Server Error User, group, or role already exists in the current database. (Microsoft SQL Server, Error: 15023)
To fix above error delete user under each database individually
I have two databases.
Databases:
1. DB1
2. DB2
I have created two new logins.
Logins:
1. DB1_login
2. DB2_login
Next, I created user for each database mapped to the above logins.
create user DB1_login1_user1 for login DB1_login;
create user DB2_login2_user2 for login DB2_login;
So, DB1_login1_user1 user of DB1 database will be mapped to DB1_login1 login and DB2_login2_user2 user of DB2 database will be mapped to DB2_login2 login.
Granted database role permissions for both users is db_datareader and db_datawriter.
In DB2, I have a table named dbo.sample_table.
My requirement:
Let us consider that I have logged in as DB1_login1.
In this login, I have granted permissions for DB1_login1_user1 user to DB1 database.
Now from DB1, I have to select a table dbo.sample_table at DB2, which was mapped to another login DB2_login2.
Below is the query what am I trying to do is.
--CURRENTLY LOGGED IN AS DB1_LOGIN1
USE DB1;
EXECUTE as login='DB2_login2'
select * from DB2.dbo.sample_table
GO
I tried GRANT IMPERSONATE on LOGIN::DB2_login2 to DB1_login1, but it didn't work and also, I'm not aware about granting permissions across logins. I think granting permissions matters and I need help in doing that.
How can I execute the above query successfully?
Any help would be appreciable.
The users you created exist only in their respective databases, so what you're trying to do is not possible. Even if it were, or you allow acces (create users for login) in both databases and give then permissions and enable cross-database access, it would be too much of a security risk.
I'd suggest using stored procedures to acces data cross database. Stored procedure should be signed with a certificate, and the same certificate created in both databases. I've had it implemented on various occasions and it works flawlessly.
There is a great sample of this by Erland Sommarskog here.
I did granting permissions on login.
From administrator login "Sa", I executed the below query.
GRANT IMPERSONATE ON LOGIN::DB2_login to DB1_login;
And then from DB1_login, executed the below query for accessing DB across logins.
USE MASTER;
EXECUTE as login='DB2_login';
SELECT * FROM DB2.dbo.sample_table;
REVERT;
GO
Finally for my situation, I have solved the problem.
I am needing to update the password of one of the users in the database security folder in SQL Server 2012. Unfortunately, we do not have a DBA in-house and consequently needing some help. I've been told that I have sysadmin privileges on this SQL Server but I cannot find WHERE to update a user's password in the database. When I googled this, msdn show me how to update a login in the SQL Server 2012 box but this user is NOT listed under the Security\Logins folder in this server but this user is only under the database\Security\Users folder.
I had tried the ALTER LOGIN username WITH PASSWORD = 'password'; command but I only got this error:
Msg 15151, Level 16, State 1, Line 2
Cannot alter the login 'ATM', because it does not exist or you do not have permission.
Any help/direction would be appreciated. Thanks.
This is the difference between logins and users and how they relate to each other:
Logins - Instance level principals that allow an entity to connect to the SQL Server instance. They do not, by their nature, grant any access to databases on the instance. The exception to this is a login with sysadmin rights can use a database because they are sysadmin, but because of sysadmin level permissions.
Users - Database level principals that allow an entity to connect to a SQL Server database. Users are associated with logins via SIDs, creating a relationship between the two and allowing a login to connect to the instance and then use the associated user to connect to the database.
What commonly happens with SQL authenticated logins and database users on a restore is that the SIDS will be out of sync or a login will not exist for a user in the database, thus breaking the relationship. This relationship must be repaired before you can connect to the database using that login, because in the eyes of SQL Server those principals are no longer connected. If the login doesn't exist, you will have to first create it in order to associate it with the user:
--Windows login (Active Directory pass through)
CREATE LOGIN [DOMAIN\foo] FROM WINDOWS;
--SQL Authenticated
CREATE LOGIN [foo] WITH PASSWORD='5+r0ngP#55w0rd';
Once the login exists, associate it with the user:
ALTER USER [foo] WITH LOGIN=[foo]
You can use the following query in the context of your database to check for orphans:
select
dp.name [user_name]
,dp.type_desc [user_type]
,isnull(sp.name,'Orhphaned!') [login_name]
,sp.type_desc [login_type]
from
sys.database_principals dp
left join sys.server_principals sp on (dp.sid = sp.sid)
where
dp.type in ('S','U','G')
and dp.principal_id >4
order by sp.name
I'm using SQL Server 2012.
I restored a database onto a new server and had the change the "database owner" for some unrelated reason.
I create a new login mylogin and check off to map to my database which creates a new database user and schema.
When I log in and do
select current_user
The result is guest instead of mylogin. I tried fiddling with granting permissions but then the result is dbo.
Even when I do
execute as user='mylogin'
select current_user
I get dbo.
I'm lost. How do I get select current_user to return mylogin?
Figured it out. The login was added to the sysadmin role which forces dbo.
I have created one user named "tuser" with create database rights in SQL server 2005.
and given the 'db_owner' database role of master and msdb database to "tuser".
From this user login when I run the script for create database then it will create new database.
But "tuser" don't have access that newly created database generated from script.
Any one have any idea?, I want to write the script so "tuser" have access that new created database after creation and can have add user permission of newly created database.
I want to give 'db_owner' database roles to "tuser" on that newly created database in the same script which create new database. The script run under 'tuser'.
Grant securityadmin server role to [tuser]
Members of the securityadmin fixed
server role manage logins and their
properties. They can GRANT, DENY, and
REVOKE server-level permissions. They
can also GRANT, DENY, and REVOKE
database-level permissions.
Additionally, they can reset passwords
for SQL Server logins.
CREATE DATABASE says
Each database has an owner that can
perform special activities in the
database. The owner is the user that
creates the database. The database
owner can be changed by using
sp_changedbowner (Transact-SQL).
So tuser should own the DB already.
However, you could set up tuser as db_owner in the model db which used as the template for every db creation
BTW, why make tuser the owner of master and msdb?
If tuser doesn't have access to the new database it means is not the owner. The database owner cannot be denied access into his/her own database.
How does the CREATE DATABASE statement look like? Do you have any AUTHORIZATION clause that would change the database ownership of the new database?
Who is the actual owner of the new database? Check SELECT name, SUSER_SNAME(owner_sid) FROM sys.databases;
Thanks for your input.
i have given access of tuser to database from ehich the new database created.
now the issue is resolved.
Many thanks.