I seem to be getting an error like this when running some SQL against my SQL Server database hosted in Azure..
The REFERENCES permission was denied on the object 'MyDbTable', database 'master', schema 'dbo'.
Then I try to execute the SQL like this to grant the user elevated permissions:
exec sp_addrolemember 'db_owner', 'mydbuser'
Which fails with:
Cannot alter the role 'db_owner', because it does not exist or you do not have permission.
Probably because I'm logged in with the user that doesn't have a high level of permissions and I'm trying to elevate myself..
I don't see an easy way to grant admin level permissions to a SQL Server user in the Azure portal..
Could someone please assist on how to do this in Azure SQL Database?
As #Larnu suggested you cannot alter the db_owner role in master in an Azure SQL Database. you are facing this error. I also tried to do like that and got similar error.
To Overcome this, select particular database and then execute the command
EXEC sp_addrolemember 'db_owner', 'newpratiklg';
GO
Related
I took a backup and when I tried to restore it on another server, everything seemed to work perfectly, but I can not connect to it from any of my web applications or services.
I get this error:
System.Data.SqlClient.SqlException: Login failed for user 'domain\user'.
I use an Active Directory technical user in my web application.
I ran this line due to its user:
USE database;
ALTER USER [domain\user] WITH LOGIN = [domain\user]
I tried restore it in SSMS and with this code, too:
USE master;
GO
RESTORE DATABASE database
FROM DISK = 'U:\BACKUP\database.bak'
WITH RECOVERY,
MOVE 'database' TO 'U:\DATA\database.mdf',
MOVE 'database_log' TO 'V:\LOG\database_log.ldf';
GO
I added the db_datareader and the db_datawriter and even the db_owner roles to the technical user.
I do not know what the problem is.
UPDATE
The source SQL Server version is 11.0.6567.0, the target version is 11.0.7001.0.
UPDATE 2
I tried this:
EXEC sp_change_users_login 'Update_One', 'domain\user', 'domain\user'
but it throws this error:
Terminating this procedure. The User name 'domain\user' is absent or invalid.
You have to map login (sql server) to user (database).
After restore, do those command, in that order :
CREATE LOGIN [domain\user] from windows
and
USE database;
ALTER USER [domain\user] WITH LOGIN = [domain\user]
I have the following script which creates a new database, a new user and login. I have some custom software that my clients use to log into the database and create the necessary tables, SP and populate the tables with data. The databases are hosted remotely online which I have full access to.
**EDIT-> The problem I have is that I cannot open a new connection and create any tables using the new user. Its looks like a permissions issue as it works ok with sa root account login.
Ideally I would like run this single script so I can deploy a new database to a new client via SQL Server Management Studio easily with the minimal of fuss
Please see my script below:
-- SEARCH AND REPLACE THE FOLLOWING TERMS
--
-- db_TestDatabase Database name
-- TestPa$$w0rd password
-- TestUser1 username
use master
go
--create a test database
CREATE DATABASE [db_TestDatabase]
GO
--create user login
CREATE LOGIN [TestUser1] WITH PASSWORD=N'TestPa$$w0rd'
GO
--create user in database
CREATE USER [TestUser1] FOR LOGIN [TestUser1] WITH DEFAULT_SCHEMA=[test_Schema]
GO
--create role
CREATE ROLE [test_Role] AUTHORIZATION [dbo]
GO
--create schema
CREATE SCHEMA [test_Schema] AUTHORIZATION [TestUser1]
GO
--apply permissions to schemas
GRANT ALTER ON SCHEMA::[test_Schema] TO [test_Role]
GO
GRANT CONTROL ON SCHEMA::[test_Schema] TO [test_Role]
GO
GRANT SELECT ON SCHEMA::[test_Schema] TO [test_Role]
GO
GRANT DELETE ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT INSERT ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT SELECT ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT UPDATE ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT REFERENCES ON SCHEMA::[dbo] TO [test_Role]
GO
--ensure role membership is correct
EXEC sp_addrolemember N'test_Role ', N'TestUser1'
GO
--allow users to create tables in test_Schema
GRANT CREATE TABLE TO [test_Role]
GO
--Allow user to connect to database
GRANT CONNECT TO [TestUser1]
Any suggestions would be appreciated.
Thank you
It could be a User Access Control issue, try right clicking Management Studio and Run as Administrator, if you have that privilege and it may get past the issue you're seeing.
Some related reading:
User Account Control and SQL Server
User Account Control affects Microsoft SQL Server in terms of
connectivity (SQL Server login) and in limiting access to resources on
the administrators’ access control list (ACL).
In versions earlier than Windows Vista and Windows Server 2008,
members of the local administrator group do not need their own SQL
Server logins and they do not need to be granted administrator
privileges inside SQL Server. They connect to SQL Server as the
built-in server principal BUILTIN\Administrators (B\A), and they have
administrator privileges because B\A is a member of the sysadmin fixed
server role. Administrator rights are stripped away in Windows Vista
and Windows Server 2008, so administrator users cannot connect to SQL
Server instance by virtue of being B\A, unless connecting from an
elevated client application.
I am working with sql server 2012 - I have created a Server Role - XXXX and I want to grant execute priviliges to this role on a stored procedure. I am using this command:
GRANT EXECUTE ON [dbo].[MyStoredProcedure] TO [XXXX]
However I get this error:
Cannot find the user 'XXXX', because it does not exist or you do not have permission.
Any idea if my syntax is wrong or what I am doing wrong?
I logged into SQL Server 2008 via SQL Server Management Studio using Windows admin account. When I run the command (ALTER LOGIN sa ENABLE) I get the following error.
Cannot alter the login 'sa', because it does not exist or you do not have permission.
You account doesn't have permissions. It isn't sysadmin.
CREATE DATABASE requires
Requires CREATE DATABASE, CREATE ANY DATABASE, or ALTER ANY DATABASE permission.
This is (legacy SQL Server 2000 lingo):
sysadmin
dbcreator
If the account is "end user" consider wrapping the call in a stored procedure to hide the permissiosn escalation
Edit, after question update
sa is always sa; you can't disable it as such
You need to grant some permissions to the Windows account using GRANT
Follow the advices in this article:
http://blogs.msdn.com/b/dparys/archive/2009/09/17/create-database-permission-denied-in-database-master-my-fix.aspx
EDIT: The whole question changed!
I want to be able to invoke an SSIS package at will from a web application. I've found that I can do this successfully with sp_start_job when running on my local machine. However, when I publish to our test site, I get:
The EXECUTE permission was denied on the object 'sp_start_job', database 'msdb', schema dbo'
So I tried this
USE msdb
CREATE USER [TheUser] FOR LOGIN [TheLogin]
GO
GRANT EXECUTE ON sp_start_job TO [TheUser]
GO
However, after running this, I am still getting the permission denied error. Is there something special you have to do to grant permissions to system stored procs?
Edit: don't know if it makes a difference or not, but the Webserver is in a DMZ, so I am using sql server authentication to communicate between webserver and db server.
From MSDN:
By default, members of the sysadmin
fixed server role can execute this
stored procedure. Other users must be
granted one of the following SQL
Server Agent fixed database roles in
the msdb database:
* SQLAgentUserRole
* SQLAgentReaderRole
* SQLAgentOperatorRole