I have created one user named "tuser" with create database rights in SQL server 2005.
and given the 'db_owner' database role of master and msdb database to "tuser".
From this user login when I run the script for create database then it will create new database.
But "tuser" don't have access that newly created database generated from script.
Any one have any idea?, I want to write the script so "tuser" have access that new created database after creation and can have add user permission of newly created database.
I want to give 'db_owner' database roles to "tuser" on that newly created database in the same script which create new database. The script run under 'tuser'.
Grant securityadmin server role to [tuser]
Members of the securityadmin fixed
server role manage logins and their
properties. They can GRANT, DENY, and
REVOKE server-level permissions. They
can also GRANT, DENY, and REVOKE
database-level permissions.
Additionally, they can reset passwords
for SQL Server logins.
CREATE DATABASE says
Each database has an owner that can
perform special activities in the
database. The owner is the user that
creates the database. The database
owner can be changed by using
sp_changedbowner (Transact-SQL).
So tuser should own the DB already.
However, you could set up tuser as db_owner in the model db which used as the template for every db creation
BTW, why make tuser the owner of master and msdb?
If tuser doesn't have access to the new database it means is not the owner. The database owner cannot be denied access into his/her own database.
How does the CREATE DATABASE statement look like? Do you have any AUTHORIZATION clause that would change the database ownership of the new database?
Who is the actual owner of the new database? Check SELECT name, SUSER_SNAME(owner_sid) FROM sys.databases;
Thanks for your input.
i have given access of tuser to database from ehich the new database created.
now the issue is resolved.
Many thanks.
Related
I have a requirement where I need to revoke users access on a particular schema as we will be purging that schema and its table in future.
Currently, the process followed to create Schema and grant access is like below,
Create Schema
Create DB Role
Create Azure AD Group on azure portal
Create DB User with the same name as AD group
Then, we run EXEC sp_addrolemember command to add DB user to DB role in database.
Finally, we run the Grant command to give permission (Select, Insert etc) on Schema to DB Role.
Now, whenever any new user need access to that schema we simply add him in the Azure AD group and he is able to see and access that schema.
However, when I Revoke the access of user by removing him from Azure AD group he is still able to see that Schema.
As I am not an expert in SQL so I am not sure what am I missing in order to revoke his access.
I also tried Revoke command like below but still the user is able to see the schema.
REVOKE SELECT ON SCHEMA :: Schema_Name TO [DB Role]
Am I missing anything, can anyone please let me know the right steps to revoke user access so that they should not be able to see that schema anymore or should not be able to run any command on that schema not even select command?
Then, in addition to remove it from the AD group, try to deny permissions on the schema:
DENY SELECT,VIEW DEFINITION On SCHEMA::Schema_Name To [user_name]
I have multiple databases in postgreSQL. I have created unique users with the intention of giving them access to a unique database. After creating the users, the first thing I did was use the following command:
GRANT ALL PRIVILEGES ON DATABASE dbname to username;
Then all the created users could connect to all the existing databases.
After this I tried with a new user without granting any permissions. Instead I created a new role with connect on privilege to a particular database and attached this role to the new user. But the result was same, the new user could connect to any database. I then tried revoking all privileges with the command:
REVOKE ALL ON DATABASE dbname FROM PUBLIC;
The issue remains.
Look at the permissions on the database:
SELECT datacl FROM pg_database WHERE datname = 'dbname';
If that is NULL, then the default permissions apply: the owner of the database has all privileges, and PUBLIC can CONNECT and TEMP.
In that case, your REVOKE statement would prevent username from connecting to that database, unless username is the owner of the database (or a member of the owner).
I have an Sybase database and a user that has all privileges to access that database. Now I want to create a new user who can only get the DDL of all objects like user tables,views,procedures,functions etc in database and can only read the data. What are the least privileges or roles that are needed to be granted to the new user? I don't want to perform any kind of alter, update or delete on that database.
You need to be the 'dbo' database user for the database you want to reverse-engineer. The easiest way to achieved this is by granting sa_role & sso_role to the login that you're using to connect to the ASE server.
I have two databases.
Databases:
1. DB1
2. DB2
I have created two new logins.
Logins:
1. DB1_login
2. DB2_login
Next, I created user for each database mapped to the above logins.
create user DB1_login1_user1 for login DB1_login;
create user DB2_login2_user2 for login DB2_login;
So, DB1_login1_user1 user of DB1 database will be mapped to DB1_login1 login and DB2_login2_user2 user of DB2 database will be mapped to DB2_login2 login.
Granted database role permissions for both users is db_datareader and db_datawriter.
In DB2, I have a table named dbo.sample_table.
My requirement:
Let us consider that I have logged in as DB1_login1.
In this login, I have granted permissions for DB1_login1_user1 user to DB1 database.
Now from DB1, I have to select a table dbo.sample_table at DB2, which was mapped to another login DB2_login2.
Below is the query what am I trying to do is.
--CURRENTLY LOGGED IN AS DB1_LOGIN1
USE DB1;
EXECUTE as login='DB2_login2'
select * from DB2.dbo.sample_table
GO
I tried GRANT IMPERSONATE on LOGIN::DB2_login2 to DB1_login1, but it didn't work and also, I'm not aware about granting permissions across logins. I think granting permissions matters and I need help in doing that.
How can I execute the above query successfully?
Any help would be appreciable.
The users you created exist only in their respective databases, so what you're trying to do is not possible. Even if it were, or you allow acces (create users for login) in both databases and give then permissions and enable cross-database access, it would be too much of a security risk.
I'd suggest using stored procedures to acces data cross database. Stored procedure should be signed with a certificate, and the same certificate created in both databases. I've had it implemented on various occasions and it works flawlessly.
There is a great sample of this by Erland Sommarskog here.
I did granting permissions on login.
From administrator login "Sa", I executed the below query.
GRANT IMPERSONATE ON LOGIN::DB2_login to DB1_login;
And then from DB1_login, executed the below query for accessing DB across logins.
USE MASTER;
EXECUTE as login='DB2_login';
SELECT * FROM DB2.dbo.sample_table;
REVERT;
GO
Finally for my situation, I have solved the problem.
I am using SQL Server authentication with login name sa (default)
When I execute query
select session_user
I get dbo as a user. I want to change this, how can I do this using SQL query? Also what is a schema in SQL?
Sql server has 2 different notions
login: what you use to connect to the server
User: what you give rights to in a database
When your login is granted database access you are actually creating a database user mapped to the login. The sa is the system administrator account and mapped to the dbo (database owner user) on the system databases. When you are logged in with a user with the create database right and create a new database this login will be automatically mapped to the dbo user.
If you want to change this afterwards, you need to map the dbo user to a new login. Afterwards you can map the sa account to another database user.
use master
create login xxx with password = 'yyy', check_policy = off
use <yourdatabase>
exec sp_changedbowner 'xxx'
create user 'newuser' from login 'sa'
This way the sa login will be mapped to the newuser database user from now on.
A schema is a securable item which can be used to group database objects. Each database user has a "default schema" assigned.
Schema is a way of categorising the objects in a database. It can be useful if you have several applications share a single database and while there is some common set of data that all application accesses.
DBO is a DataBase Owner. You have created the database and you are a database owner.