Is it possible to add users with guilds.json permission to the server at once? How can I write Python code that does this? In short, it is a code that adds it to the server in bulk when I run the code.
Related
Please find the diagram as below for my issue:
I have 3 servers in the same domain, there is a SQL Server instance A (it's windows service run under domain\User1), In this instance, we have a Stored Procedure used for BULK INSERT a text file from a network shared folder in server C, the domain\User1 has full permissions on this folder.
My issue is: The Stored Procedure runs ok (green arrow) when connecting by SSMS in its (server A). But it failed when I change to SSMS in server B (log in by the same domain\User1 to the same Instance A). The error is "Access denied" to the text file (red arrow). Does the client have a role in this? I think the client does not matter, the file reading is done from the server (by the user that run Instance A service)
Note: If I connect Instance A from SSMS B with SQL Logon User (not windows account), the stored procedure works fine.
Could anyone give me some advice and sorry for my bad English
This is just a link answer but hopefully it helps.
BTW I commend you for taking the time to analyse the issue to the extent of drawing a diagram. This is far higher quality than most questions on here.
I believe you are running into a double hop issue. I searched everywhere for the BULK INSERT permission model and finally found this https://dba.stackexchange.com/questions/189676/why-is-bulk-insert-considered-dangerous
which says this about using BULK INSERT:
When accessing SQL Server via a Windows Login, that Windows account
will be impersonated (even if you switch the security context using
EXECUTE AS LOGIN='...') for doing the file system access
and this
when accessing SQL Server via a SQL Server Login, then the external
access is done in the context of the SQL Server service account
When you have issues with windows authentication and there is three servers and impersonation, it's often a double hop issue.
This may help you with that:
https://dba.stackexchange.com/questions/44524/bulk-insert-through-network
Which in turn references this:
https://thesqldude.com/2011/12/30/how-to-sql-server-bulk-insert-with-constrained-delegation-access-is-denied/
The Current Action cannot be completed because the user data source credentials that are required to execute this report are not stored in the report server database
Take a look at your datasources for your reports. There are two settings.
User can supply them.
Or they can be stored in DB.
They need to be stored in DB for subscriptions (at least that's how the error reads). See if you can modify your datsources.
please ignore if you had already solved it.
This issue may also happen if default user credentials (like windows userID) do not have enough permissions to run a piece of SQL script or a SP. We can go to SQL server report configuration and select an option to ask for credentials every time you run a report.
You can provide the correct user id paswd when prompted?
Praveen
When I link the Microsoft Access to SQL Server locally, everything works. The second I go to a computer that is on the network, I am not able to open the form I created on the Access database.
I found out that if I open the link, I will get an error. If I choose where the DB through configurations in Access, I get the error again. If I try this a third time, it connects to the database and it is fully linked--I am able to type data into Access and it will store it in the SQL Server database as well.
My question is: How do I get it to connect to the server on the first try? I have to hit "connect" three times which takes about 5 minutes to log in. That isn't very efficient when the people using this program nothing about computers.
Linking Access to SQL Server uses ODBC. Make sure your ODBC settings are correct.
Executing SqlScript at the remote DB causes an error:
Failed to connect to SQL database. (-2147467259 myDB1)
The SqlScript is the following:
<sql:SqlString
Id='UpdateSomething1'
SqlDb='myDB1'
ExecuteOnInstall='yes'
User='SQLUser'
ContinueOnError='no'
ExecuteOnReinstall='no'
ExecuteOnUninstall='no'
Sequence='26'
SQL='[SqlString]'/>
where the Db is:
<sql:SqlDatabase
Id='myDB1'
Database='myDB1'
Server='[DATABASE_SERVER]'
CreateOnInstall='yes'
DropOnInstall='no'
DropOnUninstall='no'
ContinueOnError='no'/>
and the user is:
<util:User
Id="SQLUser"
Name="myUserName1"
Password="password1"/>
The problem does not occur with the local DB.
We extracted more specific error message from the IP traffic (the actual error that the remote MSSQL server throws):
Can not open database "myDb1"
requested by the login. The login
failed. {remote machine name} Login
failed for user {user name}
Thank you for any help and information.
Max
I would need more information to be sure but here are some general observations I've had over the years.
In MSI, you typically run deferred custom actions with no impersonation so that they run as Administrator to support managed/elevated installs where the invoking user doesn't have admin either because they really don't or because UAC hasn't elevated their process.
In InstallShield, and I'm sure WiX is similar, this typically causes a problem for remote database connections. If you have a dialog in the UI sequence to test the connection it will succeed ( when expected to ) because the interactive user has permissions to that database/instance. And if installing locally it will succeed because SYSTEM (typically) has permissions the database/instance. But when installing to a remote instance it will frequently fail because SYSTEM can't authenticate against SQL on the remote machine. Your mileage will improve if using sql authentication ( e.g. SA ).
Personally I have some practices that I follow. If I'm creating a single tier system, I restrict the database to (local). If I'm creating a 2 tier system, I create two installers: one for my database layer which I restrict to (local) and one for my application layer which I then reuse the sqllogin dialog to verify connectivity and write the values out to a web.config or app.config. This allows me to loosely couple the layers and service them independently of each other.
I hope this helps to understand the types of issues that can be encountered. I don't know your exact problem without seeing your environement.
The WiX custom actions are just using standard OLEDB commands to connect to the remote server. If the credentials work locally but not remotely then I'd start by ensuring the credentials are correct. There isn't anything different in the WiX custom actions between local and remote servers.
Looking at your database element I would say that you have not added the User attribute to the sql:SqlDatabase so it is creating the database impersonating the current user.
Try:
<sql:SqlDatabase
Id='myDB1'
Database='myDB1'
Server='[DATABASE_SERVER]'
User='SQLUser'
CreateOnInstall='yes'
DropOnInstall='no'
DropOnUninstall='no'
ContinueOnError='no' />
I'm using SQL Server 2008 (without application server or anything).
Numbers of users can be up to 1000. Windows Authentication is used.
The question is:
How to handle modes, so
some users will be allowed to work
in read-only mode
some users won't
have access to db for some time
My versions:
Using a table with a mode id for
every group of users, that will work
the same way. On Form Load
application will query that table
for mode id.
Using trigger on the tables, that
must work according to that mode.
The trigger will query mode value
and doesn't work if access is closed
or it's in read-only mode
I know these are not the best solutions, that's why I'm asking for your advice.
There's one more point.
If the mode is changed to "access-is-closed" for a group of users, that group must not be able to query to DB starting that moment.
With first solution I wrote it won't work, because user can be in application at that moment and no form load event will work. How can I do this?
Is there any optimal solution?
Thank you. Any help would be appreciated.
It depends somewhat on how you Access app interacts with the server, but for number 1 why not just use the built in Role/User permissions system in SQL Server?
For number 2, as your using Windows Authentication you can restrict logon hours in active directory on a per-account/OU basis this should prevent them from logging on to SQL server.
You could also do it via Logon Triggers which would not also prevent access to other domain resources.