I have a group in AD that logins to windows and what I want to do is to grant the same AD group access to SQL Server using the AD credentials.
My SQL Server is setup to use mixed mode (windows and SQL Server logins).
So lets say my AD group name is : MyCompanyGroup
I want to grant access to that group to be able to connect to SQL Server.
Can anybody guide me how to do this?
Thanks.
If you have 100+ SQL Server instances, you have to run this script 100+ times.
Also: you will need to create specific users for that login in those databases that the login should have access to.
Basically use something like:
USE (database name)
CREATE USER (username) FOR LOGIN (loginname)
See the MSDN How-To: Create a Database User for detailed info.
But everything can be scripted. And with a decent tool like Red-Gate SQL MultiScript, you can even have it executed on all your 100+ instances automagically.
Related
I have a front end application needs access to 3 different SQL Server databases:
1st. database read/only
2nd. database read/write
3rd. database read/write
The user’s logins that will be using the database/application are using Windows authentication.
This application also calls a few SQL jobs that need to run.
What I would like to do is set up role to accomplish this and then easily map users to the role as needed.
Is there a way to do this in SQL Server 2008 R2?
Is there a better or easier approach?
I'm trying to avoid need to explicitly set up each user.
Thanks
Create an AD Group for your application. Get the DBA to hand out the appropriate permissions to the AD Group. Then have the Service-Desk add users to the AD Group as the business requires it.
Can someone tell me how can I add Azure Active Directory groups into the azure sql server, I am using server manager tool to do this but cant find any way to figure this out, I can add simple Azure Active Directory user though..What about groups?
I will assume that you are wanting to provide access for end-users to connect, not Database Administrators. For my example below, let's say that the end-users are in a group called "AZ-Users", and that your Database Administrators (including you) are in a group called "AZ-DBAs".
For Azure SQL Databases, there are key things that must be in place to get this to work:
There must be an "Active Directory admin" configured for your server. This can be any AAD user or an AAD group. You can check if this has been set or not by going to the Azure portal page for your server. Be careful that you are looking at the Overview page for the server, not the individual database, they are not the same thing. Detailed instructions here. In our example, we would configure this to be the AAD group called "AZ-DBAs".
When you are ready to create the AAD login for "AZ-Users" on your Azure SQL Database, you must yourself be logged in using AAD... meaning a member of the "AZ-DBAs" group from my example above. You can use SSMS or any other similar tool for executing TSQL commands. Note that if you try a SQL auth connection instead, it won't work for step 4 below - you'll get this error:
Msg 33159, Level 16, State 1, Line 1
Principal 'AZ-Users' could not be created. Only connections established with Active Directory accounts can create other Active Directory users.
Change the context to the database you want to provide access to for your end users.
Execute this statement:
CREATE USER [AZ-Users] FROM EXTERNAL PROVIDER
Note that this will create a "contained database user", as detailed here. That's it. This process works for AAD groups and AAD users.
You will probably also want to grant some level of permissions as well, such as:
EXEC sp_addrolemember 'db_datareader', 'AZ-Users'
All you need to know about how to configure and manage Azure Active Directory Authentication you can find it in this article.
Then to connect to SQL Azure using Azure Active Directory authentication please read here.
Connect to the server via SSMS as your Azure AD admin. Create a new query with the db you want to affect. Run this:
ALTER ROLE db_datareader ADD MEMBER [AzureADGroupName];
GO
To modify permissions, do something like this:
ALTER ROLE db_datareader ADD MEMBER [AzureADGroupName];
GO
I have been trying to get a solution for this topic.actually I already posted this several times but still I didn't receive any solution.
What I am looking .In our Database environment there more than 1000 users , these users are Windows users and these users are added as members in several Windows AD Groups based on the DB access requirements.
There are few AD groups which are having Sysadmin server role.
Now the requirements is we need to configure DATABASE AUDIT for those AD groups which are having 'SysAdmin' Server Role.We need to audit for DML operation (Insert, Update,Delete) for all those AD groups which are having 'SysAdmin' Server Role. Please let me know what should be the Database configuration details.I have already tested in different way but I am getting any correct result.
I am trying to audit our security for our SQL Servers. I am trying to run a trace on a database to get the users that logon and access the database. However if the query is ran from a different database there are no logon events generated.
Example: I am trying to trace logons for [Database2]
Use [Database1];
Go
SELECT * FROM [Database2].[dbo].[Table]
But there are no events logged in the trace under Database2.
Our environment is SQL Server 2008 R2 Standard Edition. Any suggestions would be appreciated.
This is because database users don't login to SQL Server. SQL Server has security entities called "logins" that are used to login to an instance of SQL Server. These logins are either Windows logins from Active directory or SQL Server logins, that you can define and specify user name and a password. Database "users" are defined at database level. Users don't login to anywhere, they don't even have a password. The idea is that SQL Server "login" is mapped to a specific database "user" when connecting to a specific database.
Your query to a different database doesn't generate a login, because logon is a server-wide event, not a database-wide.
For example see here
I'm quite new to Microsoft SQL Server. I have some experience with MySQL, and there you have a user with privileges, if I understand things right; these privileges decide which databases you have access to on the MySQL server.
However now I am in the situation where I have to restore a database on my SQL Server 2005 Express, and this database has it's own users and user password. So if I want to make these users accessible from the outside (so that they can connect to my server), how would I go about that?
To illustrate clearer; say there are two login accounts on the database server "Mike" and "John", and on the database "Animals" there are two users; "Chris" and "Jeff".
I need Jeff to be able to sign in to get access to the database. Is there a good way to make this happen without creating new users/logins? And if not, what is the best/most common solution?
I would really appreciate any helpful input on this!
One server-level object (login) is mapped to multiple database-level objects (users).
A login cannot be mapped to more than one user within a database, but can be mapped to at most one user in each database.
Therefore, you need to create new logins for those users, but map them to existing users. This is done with ALTER USER command. Or, if you don't have any use for the Mike and John logins apart from mapping them to those existing users, you can do so, too.
Any user needing to access a database needs to either have their own login, or you can create a login for a Windows security group and grant access that way to a whole set of users. Then if you need to give access to more users in the future you can just add them to the windows security group.