I created an Azure SQL Database AzureSQLTestDb in an Azure subscription. I can connect to this db using SSMS with my Azure SQL Admin login, as well as with my Azure AD account. I can run queries on it, as well. But following this article, from MS Azure team, when I try to create a Master key as follows, it gives me the error shown below. Question: What I may be missing here, and how can we resolve the issue?
Remarks: I know the above linked article mentions CONTROL permission required. But I am the one who created the db and the Azure SQL server.
-- Creates the master key.
-- The key is encrypted using the password "23987hxJ#KL95234nl0zBe".
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '23987hxJ#KL95234nl0zBe';
Error:
Msg 15247, Level 16, State 1, Line 3
User does not have control permission to perform this action.
It seems like the issue with the permissions.
As per this official document, you need CONTROL permission on the database to create the master key.
You can GRANT CONTROL permission using below command:
GRANT CONTROL ON DATABASE::<dtabase:name> TO <user_name>
If the user already have CONTROL permission, try the ALTER command to create a new database master key and reencrypts the keys below it in the encryption hierarchy.
ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = '23987hxJ#KL95234nl0zBe';
Related
I'm trying to follow this tutorial but I'm having issues with granting CONTROL permission.
This is on a Dedicated SQL pool (formerly SQL DW) within Azure by following this tutorial.
I initially try CREATE MASTER KEY ENCRYPTION BY PASSWORD = '23987hxJ#KL95234nl0zBe'; which returns
User does not have permission to perform this action.
So I try to apply CONTROL permission to the user account:
GRANT CONTROL ON DATABASE::master TO useradmin
But this returns
Principal doesn't exist or doesn't have sufficient privileges.
I have search the web for a solution but I cant find one that has yet worked so any help or advice would be much appreciated!
To create MASTER key in azure SQL, follow below statement in Azure SQL data base.
CREATE MASTER KEY
GO
For more details refer this SO Thread by Alberto Morillo and also refer this Microsoft official document.
Updated:
I reproduced same thing in my environment its working fine .
sample code:
CREATE MASTER KEY ENCRYPTION BY PASSWORD='xxxx'
GO
CREATE DATABASE SCOPED CREDENTIAL [cred-name] WITH IDENTITY = 'User_name' , SECRET = 'xxxx'
GO
I am trying to create a master key on a master database of my azure sql datawarehouse. But my user does not have required permissions to do so. What are the roles need to be assigned/granted to the user or login of the azure sql datawarehouse? I was able to grant control permission using GUI of SSMS to the user of sql server instance on-prem. And also I was able to create a master key with the help of that role on master database of that sql server.The Scripts I used for that are:
CREATE LOGIN LoaderRC20 WITH PASSWORD = 'a123STRONGpassword!';
CREATE USER LoaderRC20 FOR LOGIN LoaderRC20;
ALTER ROLE dbmanager ADD MEMBER [LoaderRC20];
ALTER ROLE loginmanager ADD MEMBER [LoaderRC20];
ALTER ROLE db_owner ADD MEMBER [LoaderRC20];
GRANT CONTROL ON DATABASE::[master] to LoaderRC20;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '23987hxJ#KL95234nl0zBe';
But there's no direct provision to provide such access to the user on azure sql warehouse using GUI of SSMS.The scripts that I used for on-prem sql server instance are not working for azure sql datawarehouse.The GRANT CONTROL ON DATABASE::[master] to LoaderRC20; threw an error that cannot grant,deny or revoke permissions to yourself,sa,dbo,sys,etc. Is there any script to give permissions to azure sql datawarehouse's user of master db so that I am able to create a master key on it?If yes, then what are those scripts and their sequence?I have really tried hard to find answers to these questions. Please help me to find the answers
Dbmanager is intended for creating databases and loginmanager to manage logins.
To create a master key (CREATE MASTER KEY) in Azure SQL just run the following statements on the user Azure SQL Database context not on the master database. If you try to create the master key on the master database you may run into error "Msg 15247". On the context of any user database you can try:
CREATE MASTER KEY
GO
or
CREATE MASTER KEY ENCRYPTION BY PASSWORD='MyPassw0rdIsComplex.'
GO
I have a Premium P2 SQL Azure Database for my Production App, and for security reasons I've created DB Specific Schemas/Views/Roles and a specific DB User account for reading the Data from SSRS Queries.
Lets just call the server PRIMARY and my database MyApp
The setup script for this is below.
-- On Primary Master
CREATE LOGIN ssrsuser WITH password='******'
-- On Primary MyApp
CREATE USER ssrsuser FOR LOGIN ssrsuser
CREATE ROLE [ssrsreader] AUTHORIZATION [db_owner]
GRANT SELECT ON SCHEMA :: [App] TO [ssrsreader]
GRANT SELECT ON SCHEMA :: [Reports] TO [ssrsreader]
EXEC sp_addrolemember 'ssrsreader', 'ssrsuser'
So our users were putting a LOT of load on the Prod DB and we decided it was time to move the reporting functions off to a secondary sync'd slave database.
Since we're using the SQL Azure Premium Tier, we can enable Active Geo-Replication with a read-only secondary copy. In fact MS even say that it's suitable for read-only workloads such as reporting.
So I've setup the SECONDARY server, enabled the seeding, it's now complete and I can access the readonly copy using the SECONDARY admin user and password.
But the SECONDARY server doesn't have a login for ssrsuser and I while I can create one in SECONDARY.master, I can't DROP RECREATE the user since the SECONDARY.MyApp database is in readonly mode.
Is there any otherway to get around this. I really don't want to have to put the SECONDARY server admin user & password into SSRS connection strings.
There is no need to regenerate SID for ssruser in the user database. It is already there as a result of replication. All you need to do is associate that SID with a LOGIN in the master in the secondary server. This article provides the details.
https://azure.microsoft.com/en-us/documentation/articles/sql-database-geo-replication-security-config/
I hope this helps.
I am attempting to:
To copy your database to a new database on a different logical server
as detailed on this page:
How to: Use Database Copy (Azure SQL Database)
I have made sure I have the correct username and password for the source database and it's a dbo.
I have created a new user in the destination database in the master database with the same username and password.
The instructions say that to enable the new user to create a database it must be a member of the role "dbmanager" role.
But, there is no "dbmanager" role listed in my destination master database.
Ultimately I want to be able to run the following command:
CREATE DATABASE NewDatabase AS COPY OF abc12345.OldDatabase;
which is currently giving me the error:
CREATE DATABASE permission denied in database 'master'
Why haven't I got a "dbmanager" role please? Or should I be using some other role that does already exist.
Any help would be very much appreciated.
Thanks.
The only roles I have in the database, created through the Azure portal, are shown below...
I´m building an Azure SQL resource monitor, and I have to grant permission for a login to access the 'sys.resource_stats' on the master database of a Azure SQL 'server'. I can´t use neither loginmanager or dbmanager roles, because they grant some permission I don´t want to grant for a monitor application.
Is there another database role on the master database which i can add members?
I have recently created a special monitoring login/database user (see below) and I didn't find any reason to assign roles (I'm Azure noob thought).
Step 1
Create a login and a database user in master database:
-- in master database
-- create a login
create login <LOGIN> with password = '<PASSWORD>'
-- create a corresponding database user
create user <USER> from login <LOGIN>;
Step 2
Authorize the login to use a target database:
-- in target database
-- create a corresponding database user
create user <USER> from login <LOGIN>;
-- grant permission to view dynamic management views
grant view database state to <USER>;
In practice <LOGIN> and <USER> are the same, like foo_monitor.
See also:
Managing Databases and Logins in Azure SQL Database.
Which privileges does a user need to query used size in SQL Azure database?