I have a Database say TestDatabase.I have already added an user under
NTAuthority\SYSTEM(Role) Db_owner.
Again i wish to add another user to the same Database under NTAuthority\System with
different role.
I received the following error :
The login already has an accoind under different username.
SQL Server Error :15063
How can i add different users to the same database with different role.
I would appreciate if i receive elobarate explanation.
You can't. You add the same user to multiple roles.
db_owner already has all rights anyway withing the database so any other permissions are superfluous.
CREATE USER [NTAuthority\SYSTEM] FROM LOGIN [NTAuthority\SYSTEM];
EXEC sp_addrolemember 'db_owner', 'NTAuthority\SYSTEM'
-- ...and fails
CREATE USER [bob] FROM LOGIN [NTAuthority\SYSTEM];
--Normally, for one user in multiple roles
EXEC sp_addrolemember 'DoStuff', 'NTAuthority\SYSTEM'
EXEC sp_addrolemember 'DoSpecialStuff', 'NTAuthority\SYSTEM'
--... and for another user
EXEC sp_addrolemember 'DoStuff', 'AnotherUser'
--... and for yet another user
EXEC sp_addrolemember 'DoLimitedStuff', 'TheThirdUser'
Edit:
Look at the MS documentation: Database-Level Roles and the parent Identity and Access Control topic
if is db_owner there is no point in adding him to any other role.
to add an existing user to a new role you run sp_roleaddmember
Related
I'm granting permissions to a Windows authenticated user (only the default 'public' server role was previously present, with no user mappings or securables added), in the example below in the master db, but it is also creating a user schema:
--Database Context
USE [master]
--Role Memberships
EXEC sp_addrolemember #rolename=[db_datareader],#membername=[Username]
EXEC sp_addrolemember #rolename=[db_datawriter],#membername=[Username]
--Database Level Permissions
GRANT CONNECT TO [Username]
--Set default schema
ALTER USER [Username] WITH default_schema = dbo
Whilst the permissions are correctly set, I'm unclear why it is also creating a user schema. I've checked online and I can't see anything that would explain it.
Is this a result of sp_addrolemember, due to the user not existing in the database?
I created a new login and a new user in Azure SQL server database.
What I want to do is providing a read only permission to this role for a single table in the database.
While doing this I ran the below script:
EXEC sp_addrolemember N'db_datareader', N'new_user'
GO
But with this permission the new user can view all the tables in the database.
So I tried running the below script with 'public' role.
EXEC sp_addrolemember N'public', N'new_user'
GO
But its giving me this error:
"Membership of the public role cannot be changed."
How to provide only a single table read permission to the new user?
Execute the following statement on master database to create your new user login (mydb_user)
CREATE LOGIN mydb_user
WITH PASSWORD = 'p#ssw0rd'
GO
Run below statements on the user database
CREATE USER mydb_user FROM LOGIN mydb_user ;
GO
GRANT SELECT ON dbo.Events TO mydb_user;
I tested this on my side. It should work on your side.
I have a database user which is the owner of the database. The application requirement is to send mail using database mail of sql server .
Is there any way that I can add grant only send mail permission to that user?
I have a user named testuser having server roles public and is db_owner for 1 database. Please tell me the way that I don`t need to give sysadmin serverroles to that user.
Please try with the below 2 options.
USE msdb;
--add our user
CREATE USER ClarkKent FOR LOGIN ClarkKent;
--give this user rights to use dbmail
exec sp_addrolemember 'DatabaseMailUserRole', 'ClarkKent'
now if we know ClarkKent is getting his authorization from a windows group, then you add that windows group as a user, and add that group to the same role;
USE msdb;
--add our user via a group we know he is in
CREATE USER 'mydomain\BusinessGroup' FOR LOGIN 'mydomain\BusinessGroup';
--give this GROUP rights to use dbmail
exec sp_addrolemember 'DatabaseMailUserRole', 'mydomain\BusinessGroup'
you need add 'DatabasemailUserRole' for MSDB database to user
You need to assign the login (or a role) to the mail profile after adding it to the database mail role. For the script below, a default of one may need to be set, instead of zero.
use msdb
exec sp_addrolemember 'DatabaseMailUserRole', 'sqlUser'
EXECUTE msdb.dbo.sysmail_add_principalprofile_sp
#principal_name = 'sqlUser',
#profile_name = 'sqlMailProfileName',
#is_default = 0
I am creating a new read/write user on SQL Azure as follows:
-- Connected to master
create login [fred] with password = 'xxx';
-- Connected to my DB
create user [fred] from login fred;
EXEC sp_addrolemember 'db_datareader', 'fred';
EXEC sp_addrolemember 'db_datawriter', 'fred';
When I login using SSMS I get an error saying Cannot open database "master" requested by the login. The login failed.
What am I doing wrong or missing?
By default, SSMS tries to connect to master, but your new account does not have access to master; only the user database I presume.
On the login screen of SSMS, you need to specify the database name as well; just click on the Options >> icon, which opens up the Connection Properties tab. In there, specify the database name you are trying to connect to.
After creating the database user in the specific database Database1,
again select 'master' and create database user.
Execute below statement twice - one for Database1 and another for 'master'
CREATE USER appuser1 FROM LOGIN appuser1;
Unfortunately, this is not documented in Azure help
https://learn.microsoft.com/en-gb/azure/azure-sql/database/logins-create-manage
--> Open new query window for master database and execute this commands
CREATE LOGIN AppLogin WITH password='XXXXXX'
GO
CREATE USER [AppUser] FOR LOGIN [AppLogin] WITH DEFAULT_SCHEMA=[dbo]
GO
--> Open new query window for YOUR Database
CREATE USER [AppUser] FOR LOGIN [AppLogin] WITH DEFAULT_SCHEMA=[dbo]
GO
EXEC sp_addrolemember 'db_owner', 'AppUser';
GO
Source: How to create custom user login for Azure SQL Database
As Karol commented in Herve Roggero's response, I had the same problem even after selecting the database.
In our case the problem was that the users we created in our databases were disabled.
After we run the following script in the database we wanted to connect for each user:
GRANT CONNECT TO [ourDbUser]
We refreshed the database's users and now they were enabled, and then we were able to connect to the database successfully.
For me, the issue was that the person who created the user on the database did so without specifying FROM LOGIN, therefore the user was available in the Security->Users tab, but login was still not possible. I had to recreate the user and linking it to the login with the same name on the database:
DROP USER [myuser]
GO
CREATE USER [myuser] FROM LOGIN [myuser] WITH DEFAULT_SCHEMA=[dbo]
GO
and then granting the correct permissions on the database, in my case:
ALTER ROLE db_datareader ADD MEMBER [myuser]
ALTER ROLE db_datawriter ADD MEMBER [myuser]
Two other reasons that can trip you up:
The Server Login and the Database User must be the same. You cannot have APILogin link to APIUser, Azure just doesn't like it
Hyphens aren't allowed in usernames on Azure, so you can't have API-User
I've done this before but not through scripts. I've to create a new user in SQL server (SQL Authentication) and map the user to a database and assign the roles for the user to that database using SQL scripts.
How can I do it?
Try:
CREATE USER [Username] FOR LOGIN [Domain\Username]
EXEC sp_addrolemember N'DatabaseRole', N'Username'
Obviously changing Username, and Domain\Username and the database role to being the username that you wish to grant rights to and the level of access, such as 'db_datareader'
The above solution works for me. However if the Username doesnt yet exist in that database as a USER, that username will not be fully mapped to the database role.
In this situation I first add the user:
USE databasename
CREATE USER [DOMAIN\svce_name] FOR LOGIN [DOMAIN\svce_name] WITH DEFAULT_SCHEMA=[dbo]
GO
Then I add the role:
USE databasename
EXEC sp_addrolemember N'db_ssisoperator', N'DOMAIN\svce_name'
GO