I've experienced that a user lost his access to a specific view unexpectedly.
I had dropped and afterwards re-created the view yesterday, so can this be the reason?
As mentioned in the comments, object permissions are also removed when a database object is dropped. It is necessary to re-grant permissions after the object is recreated.
Consider using ALTER VIEW instead of DROP/CREATE. ALTER will retain existing view permissions.
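An added example (not code from the answer above) that shows the difference the answer describes: a SELECT grant on the view survives ALTER VIEW but is lost on DROP/CREATE. dbo.Orders, dbo.OrdersSummary, ReportUser and dbo.CheckViewAccess are placeholder names.

```sql
-- Added example, not from the original answer. dbo.Orders, dbo.OrdersSummary,
-- ReportUser and dbo.CheckViewAccess are placeholder names.
CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, CustomerId int, Total money);
CREATE USER ReportUser WITHOUT LOGIN;   -- constructed test principal
GO
CREATE VIEW dbo.OrdersSummary AS
    SELECT CustomerId, COUNT(*) AS OrderCount FROM dbo.Orders GROUP BY CustomerId;
GO
-- Check procedure: explicit grants recorded against the view's object_id, then
-- ReportUser's effective right. HAS_PERMS_BY_NAME returns 0/1 instead of error 229.
CREATE PROCEDURE dbo.CheckViewAccess AS
BEGIN
    SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
    FROM sys.database_permissions AS pe
    JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
    WHERE pe.class = 1 AND pe.major_id = OBJECT_ID('dbo.OrdersSummary');
    EXECUTE AS USER = 'ReportUser';
    SELECT HAS_PERMS_BY_NAME('dbo.OrdersSummary', 'OBJECT', 'SELECT') AS report_user_can_select;
    REVERT;
END;
GO
GRANT SELECT ON dbo.OrdersSummary TO ReportUser;
EXEC dbo.CheckViewAccess;   -- grant present, ReportUser can select

-- Variant A: DROP/CREATE. The grant is tied to the old object_id and is
-- removed with it; ReportUser silently loses access until re-granted.
DROP VIEW dbo.OrdersSummary;
GO
CREATE VIEW dbo.OrdersSummary AS
    SELECT CustomerId, COUNT(*) AS OrderCount, SUM(Total) AS Revenue
    FROM dbo.Orders GROUP BY CustomerId;
GO
EXEC dbo.CheckViewAccess;   -- no grant row, ReportUser can no longer select
GRANT SELECT ON dbo.OrdersSummary TO ReportUser;

-- Variant B: ALTER VIEW keeps the object_id, so the grant survives the change.
ALTER VIEW dbo.OrdersSummary AS
    SELECT CustomerId, COUNT(*) AS OrderCount, SUM(Total) AS Revenue,
           MAX(Total) AS LargestOrder
    FROM dbo.Orders GROUP BY CustomerId;
GO
EXEC dbo.CheckViewAccess;   -- grant still present, ReportUser can select
```

Running the check after any deployment that touches views is a cheap way to catch the silent loss of access the question describes before users report it.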
The problem is our user cannot be granted permission to VIEW ANY DATABASE, nor CREATE DATABASE. So we've set up an account that is db_owner of the database and created a blank database to fill.
Tested locally, the above works only when we GRANT the user VIEW ANY DATABASE, so it won't apply in our target environment. My assumption was that EF is trying to establish whether the database is already there, but since it cannot see any, it'll always try to create one. Is there any way around it? Ideally, is there a setting that will tell EF that the DB is there and there's no need to look for it?
This is a bug in EF6. The code makes the incorrect assumption that db_id('dbname') works without VIEW ANY DATABASE. It only works if the login running the query is the database owner, not a mere member of the DB_OWNER fixed database role. I've reported it and suggested an improvement, but I'm not sure it will get fixed.
As a workaround, just make the app user the real database owner. That won't prevent sysadmins from connecting as dbo, e.g.
alter authorization on database::AppDatabase to Appuser
You'll have to drop the database user before making the login the owner.
I don't know if I'm doing something completely wrong or I'm just missing the point of SQL Server security.
Here's what I'm trying to do using SSMS, a simple two-level access (network\DomainUsers, network\SQLAdmins).
Domain users would not be able to view any tables within SSMS but can access data via applications.
SQLAdmins see all.
To start with I thought I had it cracked by setting up a new server role for domain users and assigning view and database/definition permissions, then removing these from the public role - no joy!
Staying with the same settings I then branched down to the table to grant permissions, but again no joy.
I've set up several roles / users and applied all forms of permissions, but as soon as database/definition is altered in public it overrides everything. I thought public was a default setting which then became redundant when other roles became active?
Can someone please point me in the correct direction before either my head pops or the machine learns to fly :-)
SSMS: v17.8.1
SQL Server: 2012
Depending on how you actually defined your roles (which isn't clear from your question), it can simply be that you DENY VIEW ANY DATABASE on the public role. This will in turn make it so everyone is denied, because everyone is always a part of the public role. (This is why messing with the public role is a bad idea.)
Denies trump grants. So no matter what you grant them later on, the deny overrides it. So if you denied it at the top level, it will stay like that no matter what you specify later on.
The exception to this is that you can always see the objects that you own. And members of the sysadmin server role can't be denied, since they always jump in as the owner. So you can technically hide all databases by revoking view permissions on the public database. But then you need to make a shared login and assign ownership to the databases that you want to be viewable.
Of note is that in this case, it means they can do whatever they want in said databases, since you can't 'deny' them rights in something they own (which is why they can view it in the first place).
Overall, you're better off fine-tuning roles on the DB level, or making some custom server roles, depending on what you want to accomplish.
Note: unless you messed with the public role, logins with no user mapping in a database can't see the tables within a database; they can only see the existence of the database itself.
Is there a good way to automate creating a new user and adding it as a DB owner on every new database created on an Azure-hosted SQL Server?
So basically, create user + alter role db_owner add member (or sp_addrolemember) every time a new database is created on the server.
TL;DR on 'why': I need to have every database on the server accessible (and editable: change schema objects, change data, etc.) with a user attached to a specific login, relating to this issue.
I tried checking with ARM templates to see if there is a possibility of editing templates to add users, but there is no option at present. Read the comments section for more info.
If the logical server name is the same for all the databases, you could try using Azure Functions to loop over each DB and use the ExecuteNonQuery method.
You can set this function to run every hour or every 12 hours, and it should also check that user's status before creating it.
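An added example (not the answer's own code) of the per-database T-SQL such a scheduled job would execute against each database it finds on the logical server: it creates the user and the db_owner membership only when they are missing, so repeated runs are harmless. DeployLogin is a placeholder for a login that already exists in master.

```sql
-- Added example, not from the original answer. The scheduled job (Azure
-- Function or similar) connects to each database listed by
-- SELECT name FROM sys.databases on the logical server and runs this batch.
-- Azure SQL Database has no USE, hence one connection per database.
-- DeployLogin is a placeholder for a login that already exists in master.
DECLARE @login sysname = N'DeployLogin';
DECLARE @sql   nvarchar(max);

-- Create the user only if it is missing (the "check user status" step).
-- Types: S = SQL user, E = external (AAD) user, X = external group.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = @login AND type IN ('S', 'E', 'X'))
BEGIN
    SET @sql = N'CREATE USER ' + QUOTENAME(@login)
             + N' FROM LOGIN ' + QUOTENAME(@login) + N';';
    EXEC sys.sp_executesql @sql;
END;

-- Add to db_owner only if not already a member, so reruns are no-ops.
IF IS_ROLEMEMBER('db_owner', @login) = 0
BEGIN
    SET @sql = N'ALTER ROLE db_owner ADD MEMBER ' + QUOTENAME(@login) + N';';
    EXEC sys.sp_executesql @sql;
END;

-- One row for the job's run log: which database, and whether the
-- membership is in place after this run.
SELECT DB_NAME() AS database_name,
       @login AS principal,
       IS_ROLEMEMBER('db_owner', @login) AS is_db_owner;
```

Because db_owner in every database is a broad grant, keeping the job's run log (the last SELECT) lets you audit exactly where and when that membership appeared.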
I accidentally made a SQL Server user own the db_denydatareader schema. I understand that normally to remove this ownership you need to transfer it to another user.
But I don't want to transfer a "deny" schema to another user. Also I understand you can create a bogus user and transfer it but then you can't delete that user once it owns the schema right?
How do I get rid of this?
I think I just figured it out. The schema by default owns itself, so you can just go to the properties of the schema and put the schema owner back to itself.
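An added example (not from the answer above) that does the same repair in T-SQL and first lists what the user owns, since owned schemas are what make DROP USER fail. StrayUser is a placeholder for the user that was accidentally made owner.

```sql
-- Added example, not from the original answer. StrayUser is a placeholder for
-- the user that was accidentally made owner of db_denydatareader.
-- 1. Schemas owned by the user: these are what make DROP USER fail.
SELECT s.name AS schema_name, p.name AS owner_principal, p.type_desc
FROM sys.schemas AS s
JOIN sys.database_principals AS p ON p.principal_id = s.principal_id
WHERE p.name = N'StrayUser';

-- 2. The built-in db_* schemas are normally owned by the database role of
--    the same name, which is what the SSMS dialog restores. Generate one
--    fix statement per such schema instead of editing them by hand.
SELECT N'ALTER AUTHORIZATION ON SCHEMA::' + QUOTENAME(s.name)
     + N' TO ' + QUOTENAME(r.name) + N';' AS fix_statement
FROM sys.schemas AS s
JOIN sys.database_principals AS p ON p.principal_id = s.principal_id
JOIN sys.database_principals AS r ON r.name = s.name AND r.type = 'R'
WHERE p.name = N'StrayUser';

-- For the case in the question the generated statement is:
ALTER AUTHORIZATION ON SCHEMA::db_denydatareader TO db_denydatareader;

-- 3. Re-run the query from step 1; once it returns no rows the user owns
--    nothing and can be dropped if it was only a throwaway account.
```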
Is there a way to prevent that a user sees all databases in an instance? I tried to deny this from user 'mark' by
DENY VIEW ANY DATABASE TO mark
but this prevented him from seeing (in the SSMS Object Explorer) also the database he is attached to (as a db_reader).
In this case you DENY VIEW ANY DATABASE TO public because "mark" is a member of public (as are all logins).
You don't remove rights for logins individually because then all rights are lost even where expected.
Generally, if a login has permissions on an object (database, table, whatever) they can see that object in Object Explorer in SSMS.
Edit: it's not foolproof and the database owner needs to be changed. Sorry, forgot about that.
Even if the DB is visible, no rights are conferred or implied.
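An added example (not code from any of the answers) that puts together the workaround from the EF6 answer, the deny-on-public approach from the two-level access answer and the owner change noted in this answer's edit, then verifies the result from the login's point of view. AppDatabase, AppUser and AppLogin are placeholder names.

```sql
-- Added example, not from any of the answers. AppDatabase, AppUser and
-- AppLogin are placeholders; run the script as a sysadmin.
USE master;
GO
-- 1. Hide the database list from everyone: every login is in public, so a
--    DENY here beats any later GRANT. sysadmin members are unaffected.
DENY VIEW ANY DATABASE TO public;

-- 2. Make the application login the actual owner so its own database stays
--    visible and DB_ID() works for it. A login that is already mapped as a
--    user cannot become owner, so the user is dropped first (its grants in
--    this database go with it; the owner maps to dbo and needs none).
USE AppDatabase;
GO
DROP USER AppUser;
ALTER AUTHORIZATION ON DATABASE::AppDatabase TO AppLogin;
GO

-- 3. Verify from the login's point of view without opening a new connection.
USE master;
GO
EXECUTE AS LOGIN = 'AppLogin';
SELECT name FROM sys.databases;            -- master, tempdb and the owned AppDatabase
SELECT DB_ID('AppDatabase') AS app_db_id;  -- not NULL: the EF6 existence check now passes
REVERT;

-- 4. What the hide does not cover: sysadmin members still see every database,
--    and an owner has full control of what it owns. Review both lists.
SELECT sp.name AS sysadmin_login
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1;
SELECT d.name AS database_name, SUSER_SNAME(d.owner_sid) AS owner_login
FROM sys.databases AS d
ORDER BY d.name;
```

Step 4 is the check to repeat periodically: an unexpected owner_login is both a visibility leak and a full-control grant on that database.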