Is there option in the toolbar or somewhere else to display the current role you're using in Snowflake ? I haven't been able to find anything except on the connection window.
I can't find one, and the connection window will show the initial role not the current role.
use role accountadmin;
-- The DBeaver connection still shows SYSADMIN.
-- The current_role() function shows the one in use.
select current_role();
Related
I've been trying to figure out how to add a new user,
but I haven't managed to figure it out so the new user will have access to only a specific database without being able to see the whole server / users / databases.
Any help will be apperciated
thank you!
To add a new user who have access to only 1 database, you need to create a new login and add a user mapping to that login for the database you want,
to do this, open MSSQL Management Studio, on the left panel, expand your server by click on the checkbox and select security then Logins.
Then, right click on the logins box and select new login.
On the new login window, provide login name(user name) and authentication type, then there's select page tab on the left side, then select user mapping and add the database you want to that user, also remember to add object to default schema of that database.
USE Databasename ;
CREATE USER username WITH PASSWORD='passwd';
GRANT ALL ON Databasename TO username;
If you are on SQL Server 2012 and higher, Contained Databases is what you are looking for.
Making a database contained, you give it the ability to authenticate a user (not login), and the users of contained database will see nothing at the server level, no other databases will be visible to them.
As we all know that SSRS user can be created using Reporting Manager which can be accesses by the url given in Reporting Service configuration manager utility.
But, my requirement is to create a new SSRS user using a Query. I just want to know whether it is possible to do so or not. If yes, how?
something similar to this should work.
USE ReportServer
GO
IF NOT EXISTS (SELECT * FROM master.dbo.syslogins WHERE loginname = N'loginname')
CREATE LOGIN [loginname] FROM WINDOWS
GO
CREATE USER [loginname] FOR LOGIN [loginname]
GO
You can not create users using the Report Manager URL. The permission management/Role assignment only can be done through it.
Adding Login/User to [ReportServer] database does not mean that user can access the reports.
The Group or user name should be a Windows domain user or group account in this format: <domain>\<account>.
https://msdn.microsoft.com/en-us/library/ms156034.aspx?f=255&MSPPError=-2147217396
There is a way to achieve your requirement of checking users' access in a query. First, in Report Manager, give all users the "Browser" role (for example, "NT AUTHORITY\Authenticated Users"). Then, pass the current user of the report to your database query.
The current user of the report can be retrieved with report expression User!UserID. In my environment, this is returned in the form <DOMAIN>\<WINDOWS USER NAME>. See MSDN Built-in Globals and Users References (Report Builder and SSRS) for more info.
After customizing the role settings (changed the 'public' role, just tick everything to Deny, then I set it back), all of my users cannot login, except to give them the sysadmin permission. So, I want to reset the role settings, is there any way to do that?
At the database level, you'd drop and recreate the user
At the server level: un-deny everyone or drop/recreate logins
You can also use something like to create another query to fix everything
SELECT
'REVOKE DENY ' + name + 'Stuff'
FROM
sys.server_principals
...
However, I've never managed to lock all my users out like this so you'll have to play with this query to get it to do what you want.
I've just migrated from SQL2000 to SQL2008 and I have started getting an execute permission issue on a stored proc which uses sp_OACreate.
The rest of the system works fine with the db login which has been setup and added to the database.
I've tried:
USE master
GO
GRANT EXEC ON sp_OACreate TO [dbuser]
GO
But this fails with the following error:
Msg 15151, Level 16, State 1, Line 1
Cannot find the user 'dbuser', because
it does not exist or you do not have
permission.
I'm logged into the server as sa with full permissions. I can execute a similar sql statement and apply the permissions to a server role, however not a login/user.
How do I apply the changes to the specific user/login?
I can apply the permissions to the public role and it resolves my issue; however this seems to be a security issue to me which I don't really want to apply to the live server.
Leading on from John's answer I checked the user listings on the Master database and my user wasn't there. Whether it had been deleted or lost some how I don't know. Something may have gone crazy with the migration of the dbs to the new server instance.
Anyway; re-creating the user and associating it to the specific login enabled me to run the following statements on the master database to allow for the execution of the stored procs.
USE MASTER
GO
GRANT EXECUTE ON [sys].[sp_OADestroy] TO [dbuser]
GO
GRANT EXECUTE ON [sys].[sp_OACreate] TO [dbuser]
GO
GRANT EXECUTE ON [sys].[sp_OAMethod] TO [dbuser]
GO
GRANT EXECUTE ON [sys].[sp_OASetProperty] TO [dbuser]
GO
Thanks for all the help and pointers. Hope this helps other people in the future.
The error suggests that the User "dbuser" does not exist in the master database.
I assume the user exists within the master database?
You can check by using the following T-SQL
USE MASTER;
GO
SELECT *
FROM sys.sysusers
WHERE name = 'dbuser'
If the user turns out not to exist, simply use the CREATE USER statement and create a user called "dbuser". The user will automatically be mapped to a Login of the same name, provided one exists.
Your problem could be related to orphaned users.
Try
USE MASTER
GO
EXEC sp_change_users_login 'Report'
This will return one row per orphaned user name. Then,
EXEC sp_change_users_login 'Update_One', 'dbuser', 'dbuser'
Here is some code I'm using the verify that (current user) has EXECUTE permission on sp_OACreate etc:
use master;
select state_desc,name from
sys.database_permissions a
left join
sys.all_objects b
on a.major_id = b.object_id
where name like 'sp_OA%';
As pointed out by #John Sansom and #WestDiscGolf the user has to exist in the Master database and the execution rights must granted in the Master database, hence use Master is required. The query above will return records if the user has execute permissions and empty set if they do not. (Execution in the user database will also return empty set.)
I couldn't figure out a way check these permissions using fn_my_permissions, which is supposedly the right tool for jobs like this.
Check if your user has permissions for the database you use. You can do this by Security -> Logins -> Select User and open the properties window. Then select "User Mapping" from the right menu. Now check the databases that you want the given user to have access to. After that select from the bottom part of the window "Database role membership" and check "db_owner". Now the user will be the owner of the database and will be able to execute queries, store procedures and so on.
UPDATE:
Add user for the database by selecting your database -> security -> users -> right click "New User"
Or you can use this query
CREATE LOGIN AbolrousHazem
WITH PASSWORD = '340$Uuxwp7Mcxo7Khy';
USE AdventureWorks2008R2;
CREATE USER AbolrousHazem FOR LOGIN AbolrousHazem;
GO
Here are more details http://msdn.microsoft.com/en-us/library/ms173463.aspx
I have a database and I want let to some role the permission to query all info from the sys.databaseprincipals and see other user names. How can I do this?
Thanks.
Wrap the call in a stored proc or table valued function and use EXECUTE AS OWNER (assuming dbo.nameofcodeobject).
Otherwise, you have to switch off MetaData Visibility protection for the entire server
You can't use EXECUTE AS for views which would be useful here...
Edit, based on comment.
From sys.database_principals:
In SQL Server 2005 and later versions,
the visibility of the metadata in
catalog views is limited to securables
that a user either owns or on which
the user has been granted some
permission. For more information, see
Metadata Visibility Configuration.
dbo owns everything so sees everything
Permissions can not be granted because there is no "GRANT VIEW SECURITY"
Maybee its just me and my servers setup but I am able to query the sys.database_principals so long as I have the connect permission. I am also able to see the user name.
You can grant Connect by doing:
GRANT CONNECT TO [USER]