SQL Server Management Studio Display Database Diagrams (ER) Permissions - sql

I was wondering if anybody knew exactly what permissions were needed on a database in SQL Server 2005+ so that a person using SQL Server Management Studio would be able, at minimum, to see the Database Diagrams.
I have tried giving the person db_datareader, db_datawriter, and db_ddladmin, but to no avail.
I have also tried giving them access in the Properties → Effective Permissions of the user. Under Effective Permissions, I could not find the database object type for "database diagrams" or anything like that to give the user access to.
They are running SQL Server Management Studio (non-express version.)
Any help would be great.
FYI, I did not want to give them db_owner access.
EDIT:
As to one of the comments: Yes, the database is an SQL Server 2005 database.
As to one of the answers, moving the DB from production to development is not an option.

Giving admin rights is not the right approach; you need to be Database Owner for Database Diagrams. Check out this thread for more details.

First you need to set up Diagram Designer (you need to be db_owner for that). Just expand the Diagrams node, and press 'Yes' to enable diagramming.
After that, all other db users can create diagrams and see their own diagrams. Only db_owner can see others' diagrams.
Also the db_owner can change diagram owner to himself, but the original owner must be removed from database before doing that.
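To review who owns which diagram before deciding whether anyone needs db_owner, the query below lists the stored diagrams with their owners and the current db_owner members. It is an added example, not part of the answers above; it assumes the diagrams are kept in the dbo.sysdiagrams table that SSMS 2005 and later create when diagram support is enabled.

```sql
-- Added example: run in the database that holds the diagrams, as a db_owner member.
-- dbo.sysdiagrams only exists after diagram support has been enabled in SSMS.
IF OBJECT_ID(N'dbo.sysdiagrams') IS NULL
    PRINT 'Diagram support has not been enabled in this database.';
ELSE
    -- One row per stored diagram, with the database user recorded as its owner.
    SELECT d.diagram_id,
           d.name                   AS diagram_name,
           USER_NAME(d.principal_id) AS diagram_owner
    FROM dbo.sysdiagrams AS d
    ORDER BY diagram_owner, d.name;

-- Principals that already hold db_owner and can therefore see every diagram.
SELECT m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner'
ORDER BY m.name;
```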

Copy the database to a development system, and grant the developers administrative rights. Anything else is a waste of time (like researching this question.)
See this post for better explanations.

Related

Create SQL Server user with limited access

I would like to create a user account in SQL Server 2012 with limited access, i.e., he should be only able to run queries and view data and nothing else. No backups, restores, user modifications should be allowed.
I tried looking at the built in server roles, but could not really understand it too well. The Server consists of some 7-8 different databases and we would like this user to have only querying access across all databases and nothing more. Would be great if somebody could guide me as to how to implement it.
Regards
Saurabh
Simply create a role and grant access to the needed objects with the GRANT command. Example:
GRANT SELECT ON TABLE1 TO ROLE_ONLY_VIEW_FOR_EXAMPLE
Then you can assign this role to any user you want.

Protect SQL Table to modify Data directly from Sql Management Studio

I have a Windows application and I have some tables in a database (SQL Server) that can be updated from the application. I need to host this database on the client machine. How can I protect our tables from being modified directly? It's a simple SQL table that has some data. Please help.
You can use GRANT to remove the "unwanted" rights (e.g. UPDATE) from the user(s).
In general I would use database-level roles for that: introduce a special "read-only-role" and GRANT the needed rights (in your case only SELECT) to that role.
Second create a kind of "writer-role" and do the same (e.g. with INSERT,UPDATE,DELETE).
This is only an example - you should make clear what roles/user groups you need on database level and what rights these roles should have.
Try to keep it simple and give as few rights as possible to the users.
For further help - this article gives a nice introduction.
Please also have a look at the Identity and Access Control-section of the SQL Server 2008-R2 Technet documentation.
Hope that helped a bit.
*Jost
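The reader-role and writer-role setup described in the two answers above, with a check of the resulting permissions, as an added example that is not part of the original posts. The names AppDb, app_reader, app_writer, report_login and report_user are hypothetical, the login is assumed to exist already, and the script has to be repeated in each database the account should query.

```sql
-- Added example; all object and principal names are hypothetical.
USE AppDb;
GO
-- One role per job: reading only, and data modification only.
CREATE ROLE app_reader;
CREATE ROLE app_writer;
GO
-- Schema-level grants cover every table and view in dbo, including future ones.
GRANT SELECT ON SCHEMA::dbo TO app_reader;
GRANT INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_writer;
GO
-- Map the existing login into this database and give it the reader role only.
CREATE USER report_user FOR LOGIN report_login;
EXEC sp_addrolemember N'app_reader', N'report_user';
GO
-- What each role was granted or denied, and on which securable.
SELECT pr.name AS role_name,
       pe.state_desc,
       pe.permission_name,
       pe.class_desc,
       CASE pe.class
            WHEN 3 THEN SCHEMA_NAME(pe.major_id)   -- class 3 = schema
            WHEN 1 THEN OBJECT_NAME(pe.major_id)   -- class 1 = object or column
       END AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN (N'app_reader', N'app_writer')
ORDER BY pr.name, pe.permission_name;

-- Effective rights seen from the user's side (1 = allowed, 0 = not allowed).
EXECUTE AS USER = N'report_user';
SELECT HAS_PERMS_BY_NAME(N'dbo', N'SCHEMA', N'SELECT') AS can_select,
       HAS_PERMS_BY_NAME(N'dbo', N'SCHEMA', N'UPDATE') AS can_update,
       HAS_PERMS_BY_NAME(N'dbo', N'SCHEMA', N'DELETE') AS can_delete;
REVERT;
```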

SQL 2005 Security - Users: What are they used for? (and other various questions)

I am not a DBA and so don't really know anything about SQL 2005 security settings, etc. I am attempting to set up an empty copy of our database by generating the full database from SQL Management Studio generated scripts. Unfortunately I don't know what many of the options do and the MSFT documentation of this process isn't great.
There is an option to generate script for Schemas, Tables, Views and Users. It is the users I am confused about, because I don't understand how they affect the usage of the database. We have some developers in the team who are in this list and some who are not, yet everyone can do anything on the database, at least when they are hosting it on their own machines.
Do I need to keep these Users in my new generated database and what do they do?
We also have a dbo User who is a db_owner and owns many of our schemas. What is this dbo User? What is the significance of a user Owning Schemas? We use Schemas as "namespaces" to group logically related tables in our database but I take it there is more to them than that?
There is also a username tied to this dbo User; it's the Windows NT login of one of our developers, but he doesn't have his own User object in the list... is there any significance to this? Is this a bad thing?
Other Users are guest, INFORMATION_SCHEMA and sys, but I think these are all defaults?
Sorry but I am a SQL admin ignoramus and usually left these things to the DBA in my previous job!
Thanks for any help.
Do I need to keep these Users in my new generated database and what do they do?
The answer is it depends. If your applications use mixed mode authentication then you will need the user accounts created in SQL. If you use Windows authentication (and it sounds like you are) then you might not need them.
What is the significance of a user Owning Schemas?
In SQL Server 2005 all schemas must be owned by a user. Schemas can be used to group functionality but they can also be used to group security. For example a user account may only have access to a specific schema (or multiple schemas).
Hopefully that helps answer some of your questions

How to hide all databases I am not authorised to use in Sql Server 2005 Management Studio?

I have to access some customers' databases being hosted in a shared environment. There are numerous databases being hosted on any given customer's instance. So every time I access a database I have to scroll and search.
I would like to be able to configure Management Studio to just go directly to the database I want to work with for a given connection and hide all others on that connection/instance. But I still want to be able to see databases on other instances I might be working with, i.e. local, using the same Object Explorer.
If that's not possible, is there any reason why the web hosting provider would grant their customers the VIEW ANY DATABASE permission? I'm assuming that's why I can see all the other DBs?
If I can't configure Management Studio to do what I want as per (1) then I was going to email the provider and ask that they prevent me from seeing them from the "server" end. Would this be an easy thing for them to do? If they REVOKE the VIEW ANY DATABASE permission then that should solve my "problem", right? But would it create any others?
You will require access to the master db to effect the outcome you want. There are no options to configure SQL Server Management Studio (SSMS) to do what you want.
So (1) is out.
(2) however is a go so long as your service provider plays along. You are right, they will have to
DENY VIEW ANY DATABASE TO youruseraccount
which will require access to the master db. But before they do this they will have to set youruseraccount as the owner of your database.
sp_changedbowner 'youruseraccount'
The side effect of all of this is
a. You won't be able to see any other databases in the instance, which is what you want.
b. Only one user will be able to use SSMS to administer your database with the 'View Only My Db' list. This is because only one user can be the Database Owner.
..
Richard
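The two steps from the answer above in the order it gives, followed by checks a hosting administrator can run to confirm the result; this is an added example, not part of the original answer. YourDb is a hypothetical database name, youruseraccount is the answer's placeholder login, and the script assumes it is run by a sysadmin.

```sql
-- Added example; YourDb is hypothetical, youruseraccount is the answer's placeholder.
-- Step 1: make the login the owner of its own database (run inside that database).
USE YourDb;
GO
EXEC sp_changedbowner N'youruseraccount';
GO
-- Step 2: deny the server-level permission; this overrides the grant held via public.
USE master;
GO
DENY VIEW ANY DATABASE TO youruseraccount;
GO
-- Check 1: every explicit grant or deny of the permission at server level.
SELECT pr.name AS login_name,
       pe.state_desc,
       pe.permission_name
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = N'VIEW ANY DATABASE'
ORDER BY pr.name;

-- Check 2: who owns each database (ownership decides what stays visible).
SELECT name AS database_name,
       SUSER_SNAME(owner_sid) AS owner_login
FROM sys.databases
ORDER BY name;

-- Check 3: the database list exactly as the restricted login sees it.
EXECUTE AS LOGIN = N'youruseraccount';
SELECT name AS visible_database
FROM sys.databases
ORDER BY name;
REVERT;
```

After the DENY, the last query returns only master, tempdb and the databases the login owns.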
2 articles describe it (no point if I copy/paste, really)
One and Two

Create Diagram in SQL Server Enterprise Manager (SQL 2000)

What is the lowest permission level I need on a user to be able to create diagrams in SQL Server Enterprise Manager?
I'm currently set as data reader and I am unable to create diagrams. (I wouldn't expect to be able to at this permission level)
The database diagrams feature is actually a quite powerful schema editor - you can change tables/fields and relationships as well. (don't know why they did it that way). I'd imagine you need quite high permissions to be able to create diagrams because of the editing possibility - probably owner or ddladmin.
After some further investigation, with the dbo role, I was able to create database diagrams.