Is there any possibility to query the definition behind an Azure Synapse Analytics security policy that has been applied on a table?
I can see the list of security policies from sys.security_policies, but when I try the following code to view the definition behind one, it does not return anything:
SELECT sm.object_id,
       OBJECT_NAME(sm.object_id) AS object_name,
       o.type,
       o.type_desc,
       sm.definition,
       sm.uses_ansi_nulls,
       sm.uses_quoted_identifier,
       sm.is_schema_bound,
       sm.execute_as_principal_id
-- using the two catalog views sys.all_sql_modules and sys.objects
FROM sys.all_sql_modules AS sm
JOIN sys.objects AS o ON sm.object_id = o.object_id
WHERE sm.object_id = OBJECT_ID('my_schema.my_policy_name')
ORDER BY o.type;
Is there any way to query definitions of security policies?
I'm not sure what exactly you are trying to achieve by mentioning definition of security policies. There is no such requirement or feature request available in Microsoft official documents and any third-party article/forum.
The maximum you can try is to query sys.security_policies which returns a row for each security policy in the database. Refer to sys.security_policies (Transact-SQL) for more details. Apart from this there is no support in Azure Synapse to query definitions of security policies.
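As an added example (not code from the question or the answer above): on SQL Server and Azure SQL Database the predicate expression that a security policy applies to each target table is exposed in the catalog view sys.security_predicates, keyed by the policy's object_id. The query below joins it to sys.security_policies; it assumes that view is present in the Synapse pool being queried and that the caller has enough permission to see the policy metadata. The policy object itself has no entry in sys.sql_modules, which is why the query in the question returns nothing; if the predicate is a table-valued function, that function's body is what sys.sql_modules holds, under the function's own object_id.

```sql
-- Added example: list each security policy with the predicate text it applies.
-- Assumes sys.security_predicates is available in the queried database.
SELECT sp.name                                  AS policy_name,
       SCHEMA_NAME(sp.schema_id)                AS policy_schema,
       sp.is_enabled,
       sp.is_schema_bound,
       OBJECT_SCHEMA_NAME(pr.target_object_id) + '.'
           + OBJECT_NAME(pr.target_object_id)   AS target_table,
       pr.predicate_type_desc,                  -- FILTER or BLOCK
       pr.operation_desc,                       -- BLOCK only: AFTER INSERT, BEFORE DELETE, ...
       pr.predicate_definition                  -- the inline predicate, e.g. ([dbo].[fn_pred]([TenantId]))
FROM sys.security_policies   AS sp
JOIN sys.security_predicates AS pr
    ON pr.object_id = sp.object_id
ORDER BY sp.name, target_table;

-- If the predicate calls a function, its body is in sys.sql_modules under the function:
SELECT OBJECT_SCHEMA_NAME(m.object_id) + '.' + OBJECT_NAME(m.object_id) AS predicate_function,
       m.definition
FROM sys.sql_modules AS m
WHERE m.object_id = OBJECT_ID('my_schema.fn_my_predicate');   -- placeholder name
```

A disabled policy (is_enabled = 0) still shows its predicates here, so this is also a quick way to confirm that row-level security on a sensitive table has not been switched off.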
I am using the dotnet ef dbcontext scaffold command to create my database context. Since updating the toolchain to v7.0.2, I am getting this warning in the output:
Build started...
Build succeeded.
The database user has not been granted 'VIEW DEFINITION' rights. Scaffolding requires these rights to construct the Entity Framework model correctly. Without these rights, parts of the scaffolded model may be missing, resulting in incorrect interactions between Entity Framework and the database at runtime.
The database user is in the db_owner role, but furthermore I have manually executed against the Master database
grant view any definition to [dbusername]
The warning message remains. Can anyone assist with this?
Technically users don't need VIEW DEFINITION to see metadata. Normally metadata visibility for a table is granted to users who have any other permission on the table. See Metadata Visibility Configuration.
The VIEW DEFINITION permission acts as an override to change this behavior, granting metadata access to a user who otherwise would have it, or denying it a user who otherwise would.
So checking for VIEW DEFINITION is not the same as checking if a user can see the metadata. You can start by checking the grants for an applicable DENY of VIEW DEFINITION, and if a user isn't subject to a DENY and has SELECT on the table, or its schema or database, then the user will have metadata visibility.
select state_desc,
       permission_name,
       user_name(grantee_principal_id) grantee,
       case when class = 0 then 'DATABASE'
            when class = 1 then concat(quotename(schema_name(o.schema_id)), '.', quotename(object_name(o.object_id)))
       end target
from sys.database_permissions p
left join sys.objects o
       on o.object_id = p.major_id
--where state = 'D'
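The following script is an added example (not part of the answer above) that demonstrates the behaviour the answer describes: a user with no permission on a table cannot see it in the catalog, any permission on the table makes its metadata visible, and a DENY VIEW DEFINITION hides the metadata again even though the data itself stays readable. Table and user names are constructed for the demo; it assumes you run it as a database owner in a scratch database, since EXECUTE AS USER needs impersonation rights.

```sql
-- Added example: metadata visibility versus VIEW DEFINITION, checked by impersonation.
CREATE TABLE dbo.Orders (OrderId int NOT NULL, Amount money NULL);
CREATE USER MetaProbe WITHOUT LOGIN;          -- throwaway user with no permissions at all

-- 1. No permission on the table: the user does not see it in the catalog.
EXECUTE AS USER = 'MetaProbe';
SELECT COUNT(*) AS visible_before_grant FROM sys.tables WHERE name = 'Orders';   -- 0
REVERT;

-- 2. Any permission on the object (SELECT here) makes its metadata visible.
GRANT SELECT ON dbo.Orders TO MetaProbe;
EXECUTE AS USER = 'MetaProbe';
SELECT COUNT(*) AS visible_after_grant FROM sys.tables WHERE name = 'Orders';    -- 1
REVERT;

-- 3. DENY VIEW DEFINITION hides the metadata again; SELECT on the rows still works.
DENY VIEW DEFINITION ON dbo.Orders TO MetaProbe;
EXECUTE AS USER = 'MetaProbe';
SELECT COUNT(*) AS visible_after_deny FROM sys.tables WHERE name = 'Orders';     -- 0
SELECT COUNT(*) AS rows_still_readable FROM dbo.Orders;                           -- succeeds
REVERT;

-- 4. The same question asked from the user's own point of view: fn_my_permissions
--    reports effective permissions, so the DENY shows up as VIEW DEFINITION being absent.
EXECUTE AS USER = 'MetaProbe';
SELECT permission_name
FROM fn_my_permissions('dbo.Orders', 'OBJECT')
WHERE subentity_name = '';    -- object-level rows only; column-level rows carry a column name
REVERT;

-- Clean up.
DROP USER MetaProbe;
DROP TABLE dbo.Orders;
```

For the scaffolding case in the question, run step 4 as the scaffolding user against one of the tables that came out incomplete: if VIEW DEFINITION is missing from the list, look for the DENY with the answer's query rather than adding more grants.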
I was trying a simple query to list Windows Groups & their Logins.
As you can see below, my second principal appears to have no corresponding login.
However, when a sys_admin runs this exact same code, he gets 'MyLogin2Name' instead of the NULL that I see.
Does anyone know what is going on here ?
It has us both scratching our heads ! :(
USE myDB;
SELECT
p.principal_id, p.[name], sl.[name]
FROM sys.database_principals p
LEFT OUTER JOIN sys.syslogins sl
ON p.sid = sl.sid
WHERE p.[type] in ('G');
when a sys_admin runs this exact same code, he gets 'MyLogin2Name'
Right, a sysadmin can see all the logins. A regular user cannot. This behavior is documented in sys.server_principals, which is the non-legacy view for logins:
Permissions
Any login can see their own login name, the system logins,
and the fixed server roles. To see other logins, requires ALTER ANY
LOGIN, or a permission on the login. To see user-defined server roles,
requires ALTER ANY SERVER ROLE, or membership in the role.
The visibility of the metadata in catalog views is limited to
securables that a user either owns or on which the user has been
granted some permission. For more information, see Metadata Visibility
Configuration.
sys.server_principals
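As an added example (not code from the question or the answer above), the query below does the same mapping against sys.server_principals instead of the legacy sys.syslogins, and then shows the least-privilege way to make one specific login visible to a non-sysadmin: a grant scoped to that login, rather than ALTER ANY LOGIN, which would expose every login on the instance. The developer and login names are constructed placeholders; EXECUTE AS LOGIN assumes the caller has impersonation rights.

```sql
-- Added example: Windows-group database principals mapped to server logins, and a
-- login-scoped grant that makes a single login visible. Names are placeholders.
USE myDB;

SELECT dp.principal_id,
       dp.name      AS db_principal,
       sp.name      AS server_login,     -- NULL when the caller is not allowed to see it
       sp.type_desc AS login_type
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
    ON sp.sid = dp.sid
WHERE dp.type = 'G';                     -- Windows groups only

-- Broad option (avoid unless the reader really needs every login):
-- GRANT ALTER ANY LOGIN TO [myDomain\Developer];

-- Least-privilege option: any permission on the login makes it visible, so grant
-- the weakest one on just the login the report needs.
GRANT VIEW DEFINITION ON LOGIN::[myDomain\MyLogin2Name] TO [myDomain\Developer];

-- Verify from the developer's point of view without asking them to sign in.
EXECUTE AS LOGIN = 'myDomain\Developer';
SELECT name FROM sys.server_principals WHERE name = 'myDomain\MyLogin2Name';   -- now returned
REVERT;
```

The same visibility rule explains why the NULL in the question is not an error: the join is correct, the second login is simply outside what the calling login may enumerate.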
I am querying Active Directory from SQL Server via a Linked Server called LDAP.
The linked server was created thus, authenticating through a specially created service account myDomain\ServiceAccountWithNoPermissions.
exec master.dbo.sp_addlinkedserver @server = N'LDAP', @srvproduct = N'Active Directory Service Interfaces', @provider = N'ADSDSOObject', @datasrc = N'adsdatasource'
exec master.dbo.sp_addlinkedsrvlogin @rmtsrvname = N'LDAP', @useself = N'False', @locallogin = NULL, @rmtuser = N'myDomain\ServiceAccountWithNoPermissions', @rmtpassword = '########'
And I'm querying the members of a specific Active Directory Group with the following:
select *
from OpenQuery (LDAP, '
select objectGUID, sAMAccountName
from ''LDAP://myServer.myDomain.com/DC=myDomain,DC=com''
where MemberOf=''CN=Some Group,OU=Folder,DC=myDomain,DC=com''
order by sAMAccountName asc
');
Here's my problem. The above system is working correctly for some Active Directory Groups and not others.
By default I think Authenticated Users is supposed to be able to query any User or Group objects in Active Directory. And as a test I verified that the effective permissions of myDomain\ServiceAccountWithNoPermissions includes "Read all properties" on Groups for which the members are both queryable and non-queryable.
What could be the difference between Groups that are queryable and non-queryable?
You didn't describe what you mean by it working incorrectly, so I can only guess. But the most obvious thing I can see is that you're querying the membership of a group by using memberOf. Depending on how your environment is set up, that may not give you all the results you hope for. I wrote about this, but here's the important part:
Groups only get added to memberOf if they have a Group Scope of:
Universal and are in the same AD forest as the user, or
Global and are on the same domain.
Groups do not get added to memberOf if they have a Group Scope of Global and are on another domain (even if in the same forest).
On top of that, memberOf will only include Domain Local groups from the same domain of the server you are retrieving results from. (if you are working in a multi-domain environment and reading from a Global Catalog, this may not be the same domain the user is from)
It will also not report the user’s primary group (usually Domain Users), if that’s important to you, nor will it include groups on external trusted domains.
The most reliable way to find all the members of a group is to read the member attribute of the group itself. But if the group is used as the primary group for any users, then you would also have to use a different way to find those.
Someone deleted my Azure database tables and procedures. Now I want to know from which workstation/IP this has happened. The person used the db owner ID.
Azure portal activity logs don't give any details as deletion is done through sql queries.
I know how to see active sessions in sql service, but I want the history of sessions that existed in last 3 days with my database. Please help!
Using the below query you can find the history of connection sessions, but it can only show the local client IP address:
SELECT c.connection_id,
       c.session_id,
       c.connect_time,
       c.client_net_address,
       c.client_tcp_port,
       s.host_name,
       s.program_name,
       s.login_name,
       s.row_count
FROM sys.dm_exec_connections c
JOIN sys.dm_exec_sessions s ON s.session_id = c.session_id
You will get the results like this:
Maybe it can help you know from which workstation/ip this delete operation has happened
Hope this helps.
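One caveat a practitioner would add to the answer above: sys.dm_exec_connections and sys.dm_exec_sessions only describe sessions that are connected right now, so they cannot answer a "who did this three days ago" question. That history exists only if Azure SQL auditing was already enabled and writing to a storage account. As an added example (not from the answer), the query below reads those audit files back with sys.fn_get_audit_file and filters for DROP events in the last three days; the storage path is a placeholder to replace with your own audit container, and the action_id codes are the documented ones ('DR' = DROP).

```sql
-- Added example: find who dropped objects, from the Azure SQL audit trail.
-- Placeholder path: point it at the audit container/server/database folder for your server.
DECLARE @audit_files nvarchar(4000) =
    N'https://<yourstorageaccount>.blob.core.windows.net/sqldbauditlogs/<server>/<database>/*.xel';

SELECT event_time,
       action_id,                -- DR = DROP, AL = ALTER, DL = DELETE
       succeeded,
       server_principal_name,    -- the login that ran the statement
       database_principal_name,  -- the database user it mapped to (db_owner member here)
       client_ip,                -- the workstation address the portal could not show
       host_name,
       application_name,
       session_id,
       object_name,
       statement
FROM sys.fn_get_audit_file(@audit_files, DEFAULT, DEFAULT)
WHERE event_time >= DATEADD(day, -3, SYSUTCDATETIME())
  AND (action_id = 'DR'                        -- DROP TABLE / DROP PROCEDURE
       OR statement LIKE '%DROP TABLE%'
       OR statement LIKE '%DROP PROC%')
ORDER BY event_time;
```

If auditing was not on at the time, nothing will come back, which is the practical argument for turning it on before an incident rather than after: the DMVs are a live view, the audit log is the record.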
As a developer I have access to a DB. I know that a list of logins exists in master, and I want to get the available logins to create users with.
Indeed, I can execute CREATE USER myuser FOR LOGIN one_of_the_available_logins, but I would like to check if a login is available so I can raise an error.
I tried it with a SELECT * FROM sys.sql_logins, but for security reasons I am not allowed to use reserved keywords on schemas.
Please some help!!
We can use the below T-SQL to get the Logins and the associated Users.
select l.name as [login name],
       u.name as [user name]
from sysusers u
inner join sys.sql_logins l on u.sid = l.sid
Then, we can check if the Login user has the associated User already.
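The script below is an added example (not from the answer above) that turns the check into the guarded CREATE USER the question asked for: it looks the login up by SID, raises an error if the login cannot be found or is already mapped to a user in the current database, and otherwise creates the user through sp_executesql with both names wrapped in QUOTENAME. The login and user names are constructed placeholders. One caveat that follows from the login-visibility rules earlier on this page: a login the caller is not permitted to see looks exactly like a missing login here, so the error message says so rather than claiming the login does not exist.

```sql
-- Added example: verify a login and its mapping before creating a database user.
-- Placeholders: @login and @user.
DECLARE @login sysname = N'one_of_the_available_logins';
DECLARE @user  sysname = N'myuser';
DECLARE @sid   varbinary(85);

-- sys.server_principals covers SQL logins (S) and Windows logins/groups (U, G),
-- unlike sys.sql_logins, which lists SQL-authenticated logins only.
SELECT @sid = sid
FROM sys.server_principals
WHERE name = @login AND type IN ('S', 'U', 'G');

IF @sid IS NULL
    THROW 50001, N'Login does not exist, or the caller lacks permission to see it.', 1;

-- A login maps to at most one user per database, matched on SID.
IF EXISTS (SELECT 1 FROM sys.database_principals WHERE sid = @sid)
BEGIN
    DECLARE @existing sysname = (SELECT name FROM sys.database_principals WHERE sid = @sid);
    DECLARE @msg nvarchar(400) =
        N'Login is already mapped to user ' + QUOTENAME(@existing) + N' in this database.';
    THROW 50002, @msg, 1;
END

-- Safe to create. QUOTENAME keeps odd characters in the names from breaking the statement.
DECLARE @sql nvarchar(max) =
    N'CREATE USER ' + QUOTENAME(@user) + N' FOR LOGIN ' + QUOTENAME(@login) + N';';
EXEC sys.sp_executesql @sql;
```

Run as a login that holds ALTER ANY USER in the database; if the environment blocks direct reads of sys.sql_logins, sys.server_principals is subject to the same visibility rules, so the "cannot see it" branch is the one to expect for logins you were never granted a permission on.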