I have a SQL Server 2017 database instance that was created before I was given administration of the database and I have a Login at DB server level named "atSupervisor" which is a user in database "StaffMonitoring". I wish to clone the login and user "atSupervisor" as login and user "bcSupervisor" in database "StaffMonitoring" to have all permissions, table access, grants etc.
I have tried a few suggestions on google such as this example - https://www.mssqltips.com/sqlservertip/3589/how-to-clone-a-sql-server-login-part-1-of-3/
This seems to creates the login and user and I can then assign the database "StaffMonitoring" in User Mapping in the login's properties and login with the user. However, none of the tables are present.
Is there a way to do this please that clones everything to include grant access to tables that mirrors the original login\user?
Related
I have created 2 azure security groups (Read-SQL and the second is Write-SQL) in order for them to login into multiple Azure SQL servers via SSMS using their Azure AD identity based on their group membership in order to access multiple databases on those services.
First of all I have configured an admin group on the SQL Server in our Azure tenant.
I have connected to the SQL via SSMS using my credentials and so far so good.
After that I opened a query and typed in master database
CREATE USER [SQL-READ] FROM external provider
ALTER ROLE db_datareader ADD MEMBER [SQL-READ];
(Did the same thing for Write-SQL)
only the user is created and no permission given with an error saying the user does not exist or I don't have permission.
I have Azure global administrator permission in Azure and I don't know why I get this error.
In the bottom line I would like that Read-SQL and Write-SQL will be able to login in to the SQL Server and have access to all databases within it as well as giving Read-SQL reading permissions and to Write-SQL writing permission.
I read a few Microsoft articles but I got even more confused since I don't know if I need to create a login or create a user or a contained user.
Please help
Thank you
Here are few screenshots for better understanding
enter image description here
enter image description here
Read the following articles but only partial success.
https://www.mssqltips.com/sqlservertip/6751/azure-ad-authentication-azure-sql-databases/
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#create-contained-users-mapped-to-azure-ad-identities
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-overview?view=azuresql
https://learn.microsoft.com/en-us/sql/relational-databases/security/contained-database-users-making-your-database-portable?view=sql-server-ver16
Whether you should create a login, user or contained user will depend on your access and security requirements. However, in Azure SQL Database, users are created per database. So, you can create the login in the master database and then you need to create the associated user in each database on that SQL Server.
This documentation gives more information on creating logins, users and contained users for Azure SQL Database.
Greetings,
When I login into a particular MSSQL database as sa I see the following: somebody moved a database from server A to server B using restore option. I can see all the users in place (restored along with the database) - great. There are logins previously created on server A - great. All of those logins have sysadmin role. I think there's one problem - I don't see any mappings done between logins and users on server B (currently I have no access to Server A so I can't look at the configuration).
According to security properties - all of those 'local' database users are 'SQL user without login' - but I'm sure a proper application uses those users on a regular basis and there are configuration files where passwords are stored.
Question #1 - if there's a login with sysadmin role and there's a local database user of the same name (as login) - does the application use login or local db user in order to work properly? (there's no mapping between the two)
Question #2 - should mapping be done between all the logins and corresponding database users when moved from one server to another? At the moment there isn't any mapping done and my cooworkers are using logins with sysadmin role to access whole database.
Regards,
1) If a particular login has the sysadmin role the application or person using this login can do anything on the database server. It is generally not considered good practice to have a lot of sysadmin users because it opens up the database server (and more) to security breaches.
2) Mapping SQL logins to database users makes sense if the users have minimal server-wide permissions and if you want to assign several certain data access rights in different databases. For example, you have a login X but users Y and Z and want to have read-only permissions for user Y in database Y but read-write permissions for user Z in database Z; in this case mapping can be useful.
There is something else you should be mindful of. If you backup a database (including database SQL users) on server A and restore the database on server B and the database users that are residing on server A were not created on server B using the same SID for the corresponding login(s) you end up with orphaned users, meaning the name of the login is not important to SQL Server but the SID of the login is.
You can find the SIDs in system login tables:
SELECT * FROM sys.sql_logins
SELECT * FROM sys.syslogins
To make sure the login on both servers is exactly the same (same SID!) you have to create the logins using a script like this:
CREATE LOGIN MyTestUser WITH PASSWORD=N'!#MyTestPassword#$', SID=0x552C84CB83802C4A801C670265CCAFA4, DEFAULT_DATABASE=tempdb, DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
Hopefully this helps.
I created a new SQL server with a database in Azure and after logging in with the admin account I added a new user that I wanted to only have access to one database.
In SSMS I right clicked on mynewdatabase database and selected New Query.
I executed
CREATE USER mynewuser WITH PASSWORD ='good password here';
ALTER ROLE db_owner ADD MEMBER mynewuser ;
Now after logging in as mynewuser I can still see the master database.
The question is how do I restrict mynewuser to only access mynewdatabase?
I'm sure this is something basic.
In SQL Server, including Azure SQL DB, all users can can see all system databases in sys.databases. This is not the same as being able to connect to them or run queries in them. This does not disclose any sensitive information as these are system databases and whether you saw them listed or not you would know they were there. See https://msdn.microsoft.com/en-us/library/ms178534.aspx#Anchor_0.
Based on the steps you describe, you have created a contained user that should not be able to connect to the master database or run queries in Azure SQL DB.
I´m building an Azure SQL resource monitor, and I have to grant permission for a login to access the 'sys.resource_stats' on the master database of a Azure SQL 'server'. I can´t use neither loginmanager or dbmanager roles, because they grant some permission I don´t want to grant for a monitor application.
Is there another database role on the master database which i can add members?
I have recently created a special monitoring login/database user (see below) and I didn't find any reason to assign roles (I'm Azure noob thought).
Step 1
Create a login and a database user in master database:
-- in master database
-- create a login
create login <LOGIN> with password = '<PASSWORD>'
-- create a corresponding database user
create user <USER> from login <LOGIN>;
Step 2
Authorize the login to use a target database:
-- in target database
-- create a corresponding database user
create user <USER> from login <LOGIN>;
-- grant permission to view dynamic management views
grant view database state to <USER>;
In practice <LOGIN> and <USER> are the same, like foo_monitor.
See also:
Managing Databases and Logins in Azure SQL Database.
Which privileges does a user need to query used size in SQL Azure database?
I am granting the "View any database" permission when creating a new server role, but realized this permission only allows the user to view the system databases.
I am trying to create a server role that is read-only and can read any database.
Is there a way to create a user-defined server role to read user databases? Or do I have to do this through user mapping per user?
So, no is the answer, you can't assign database level permissions to server level roles, you can't even add a server role to a database role, which I find really frustrating as I've tried to do the same thing as you.
The way I ended up doing this was not by using a server role at all, I did the following:
Created an AD group for each server that I wanted read only access for
Created a login on the server for the group
Assigned the login to the db_datareader role on the model database
Assigned the login to the db_datareader role on all the pre-existing databases
Added my windows users into the AD group
This way, you can simply assign (or train your servicedesk folks to assign) users who need read only access to all databases on a server to the AD group, plus, as the role is set in the model database, they will have access to all newly created databases on the server too.