I am looking to add a user to multiple Azure databases. We have multiple subscriptions and each subscription has multiple Azure databases. We have a requirement to add the same SQL user to all the databases (dev environment). Is there an easy way to do it using PS?
On-premises security at the server / database level SQL Server and Azure SQL Database are fairly similar, however there are some significant differences.
The first distinction is the idea of a contained user, which is a user who is not associated with a login and whose authentication takes place in Azure Active Directory or in the database itself. Traditional SQL Server logins with a user in a database mapped to it continue to exist, but this departs from the notion of the necessary login that grants access to the server and the user that grants access to the database. Users who are self-contained make the database more portable.
Conventional database level roles such as db_datareader, db_datawriter, db_ddladmin, and so on are the same, however traditional server level roles such as sysadmin, serveradmin, and so on do not exist in Azure SQL Database. There are, however, two server admin roles: db_manager (similar to db_creator), which can build and drop databases, and loginmanager (similar to securityadmin), which can create new logins.
-- create SQL auth login from master
CREATE LOGIN test
WITH PASSWORD = 'SuperSecret!'
Connect to your Azure SQL Database server as an administrator and choose the database to which you wish to add the user(s). Create a SQL authentication contained user called 'test' with the password 'SuperSecret!' and assign it the db_datareader and db_datawriter responsibilities.
-- select your db in the dropdown and create a user mapped to a login
CREATE USER [test]
FOR LOGIN [test]
WITH DEFAULT_SCHEMA = dbo;
-- add user to role(s) in db
ALTER ROLE db_datareader ADD MEMBER [test];
ALTER ROLE db_datawriter ADD MEMBER [test];
Alternative here is a PowerShell command to run:
$instance = 'localhost'
$dbs = dir SQLSERVER:\SQL\$instance\DEFAULT\Databases
$sql = 'CREATE USER [foo] FROM LOGIN [foo]; ALTER ROLE db_datareader ADD MEMBER [foo];'
$dbs | ForEach-Object {Invoke-Sqlcmd -ServerInstance $instance -Database $_.Name -Query $sql}
Related
I created my first database (let's call it MyDB) on Azure and created a user that I want to use to query the DB from my applications. I only wanted to give that user db_datawriter and db_datareader because I think that is all this user needs to do from the application.
When I run this on MyDB:
SELECT DP1.name AS DatabaseRoleName,
isnull (DP2.name, 'No members') AS DatabaseUserName
FROM sys.database_role_members AS DRM
RIGHT OUTER JOIN sys.database_principals AS DP1
ON DRM.role_principal_id = DP1.principal_id
LEFT OUTER JOIN sys.database_principals AS DP2
ON DRM.member_principal_id = DP2.principal_id
WHERE DP1.type = 'R'
ORDER BY DP1.name;
I get this back:
db_accessadmin No members
db_backupoperator No members
db_datareader MyDBUser
db_datawriter MyDBUser
db_ddladmin No members
db_denydatareader No members
db_denydatawriter No members
db_owner dbo
db_securityadmin No members
public No members
so that seemed to work. The problem is - I have to give this user also Permission to connect to the DB in the first place, because when I try to connect to the server, I get this:
===================================
Cannot connect to abc.database.windows.net.
===================================
The server principal "MyDBUser" is not able to access the database "master" under the current security context.
Cannot open user default database. Login failed.
Login failed for user 'MyDBUser'. (.Net SqlClient Data Provider)
I think this is probably, because my new user can't connect to master DB, as the errormessage suggests. However, when I look at the properties of MyDB, "Connect" was granted for the user by dbo
How can I let my user connect to the Azure DB Instance, preferably with as less permission as possible, I would only like for him to select, update, insert etc. on MyDB
I tried to change default DB with this command, so I don't need to do anything on masterDB, but the stored procedure wasn't found:
Exec sp_defaultdb #loginame='MyDBUser', #defdb='MyDB'
Edit: That's how I created the Login / User in SSMS
First (on instance):
CREATE LOGIN MyDBUser
WITH PASSWORD = '******'
GO
Then (on MyDB):
CREATE USER MyDBUser
FOR LOGIN MyDBUser
WITH DEFAULT_SCHEMA = dbo
GO
-- Add user to the database owner role
EXEC sp_addrolemember N'db_datawriter', N'MyDBUser'
GO
You have created a LOGIN and then created a USER for the LOGIN but only in the database you want them to connect to but not in master.
SQL Azure Databases are contained databases, so there is no need to create a LOGIN; the databases use their own scoped credentials.
First DROP the USER and LOGIN you created. Connect to MyDB and DROP the user first:
DROP USER MyDBUser;
Then connect to master and DROP the LOGIN:
DROP LOGIN MyDBUser;
Now connect to MyDB again and CREATE the USER with the needed credentials:
CREATE USER MyDBUser WITH PASSWORD = N'Your Secure Password', DEFAULT_SCHEMA = N'dbo';
Then you can give it the needed database roles. Don't use sp_addrolemember; it has been deprecated for ~10 years.
ALTER ROLE db_datareader ADD MEMBER MyDBUser;
ALTER ROLE db_datawriter ADD MEMBER MyDBUser;
I've had a similar error message when connecting to Azure SQL DB with SSMS. The solution there was to identify the database, hence the message "access the database "master"". You probably have entered the DB server name already.
You do not mention how you are trying to connect to the DB, but in case of SSMS, enter the name of the database on the tab "Connection properties" (available behind the "Options>>>" button on "Connect to Server" screen).
We have moved our database from a physical server to a Azure PaaS SQL database. The server login is used by the application to connect to the database. I need to create another login account with read-only access to the database. Can someone please help.
Things i have tried already.
CREATE LOGIN login123
WITH PASSWORD = *******
CREATE USER login123
FOR LOGIN login123
WITH DEFAULT_SCHEMA = dbo
ALTER ROLE db_datareader ADD MEMBER login123
The above was executed successfully but when the application uses this login it gets the below error.
"The server pricipal "login123" is not able to access the database "master" under the current security context. Cannot open user default database. Login failed."
When you run this query:
CREATE LOGIN login123
WITH PASSWORD = *******
CREATE USER login123
FOR LOGIN login123
WITH DEFAULT_SCHEMA = dbo
ALTER ROLE db_datareader ADD MEMBER login123
This means that the new user only have the readonly permission for the database.
Which database the query run in, the readonly permission is for which database.
The user don't have the permission to access other database or master db.
For more details, please see:
Controlling and granting database access to SQL Database and SQL
Data Warehouse
Database-Level Roles
If you want the user both have the readonly permission to more database, you should create more user(with the same) in different database. Using one Login mapping to more users.
Here the T-SQL code, I tested and it works in Azure SQL database:
USE master
CREATE LOGIN login123
WITH PASSWORD = '****'
GO
CREATE USER login123
FOR LOGIN login123
WITH DEFAULT_SCHEMA = db_datareader
GO
USE Mydatabase
CREATE USER login123
FOR LOGIN login123
WITH DEFAULT_SCHEMA = dbo
GO
ALTER ROLE db_datareader ADD MEMBER login123
GO
``````
Hope this helps.
With Azure-Sql-database You can't use a sql server login to connect to the master database
You have to put in the connection string the database that you want to access.
you can find more information on this link :
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-manage-logins#non-administrator-users
How do I check to see if the current user has access to create a database in SQL Azure?
In regular SQL Server, I have various easy methods at my disposal to check this. Normally, I might use IS_SRVROLEMEMBER('dbcreator'). Apparently SQL Azure has a dbmanager role instead, but IS_SRVROLEMEMBER('dbmanager') does not work either.
I also tried HAS_PERMS_BY_NAME(null, null, 'CREATE ANY DATABASE') but that does not work either.
I've verified that I do indeed have access to create a database. Does anyone have suggestions?
First: the query that should get you as close as possible to what you're looking for on the server specifically:
SELECT sys.database_role_members.role_principal_id, role.name AS RoleName,
sys.database_role_members.member_principal_id, member.name AS MemberName
FROM sys.database_role_members
JOIN sys.database_principals AS role
ON sys.database_role_members.role_principal_id = role.principal_id
JOIN sys.database_principals AS member
ON sys.database_role_members.member_principal_id = member.principal_id
WHERE role.name = 'db_owner';
From the RBAC poster on SQL Server:
NOTE: CREATE DATABASE is a database level permission that can only be
granted in the master database. For SQL Database use the dbmanager role
From the CREATE DATABASE (Azure SQL Database) documentation
To create a database a login must be one of the following:
The server-level principal login
The Azure AD administrator for the local Azure SQL Server
A login that is a member of the dbmanager database role
You can edit db_owner to any role on this page - this is the azure specific role:
dbmanager Can create and delete databases. A member of the dbmanager role that creates a database, becomes the owner of that databasee which allows that user to connect to that database as the dbo user. The dbo user has all database permissions in the database. Members of the dbmanager role do not necessarily have permission to access databases that they do not own.
An important note: You may have intertwined two different Role Based Access Control levels. SQL RBAC and Azure RBAC both have some relationship to SQL Server/SQL DB. In that way, they are related, certainly, but are not the same thing. For example: Being able to create a DB via the portal is different than being able to create a DB while connected to the server; it is possible to give an Azure user the ability to create a database while that user has no valid login to connect to the server. (Which would not be true if Azure RBAC and SQL RBAC were identical.)
Users with SQL DB Contributor or SQL Server Contributor roles will be able to create a database without ever connecting to the database. I examined enumerating these roles in a partially related question here.
You'll be able to audit the RBAC of Azure most easily through this powershell command:
Get-AzureRmRoleAssignment -ResourceGroupName <your resource group name>
-ResourceType Microsoft.Sql/servers -ResourceName <your server name>
-IncludeClassicAdministrators
I believe this should do what you are looking for. It will return "1" if the current login has the dbmanager role. You need to execute this in the master database.
SELECT 1 AS DatabaseManager
FROM sys.database_role_members rm
JOIN sys.database_principals r
ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals m
ON rm.member_principal_id = m.principal_id
WHERE r.name = 'dbmanager' and m.name = CURRENT_USER;
I'm a newbie on SQL, I'd like to know how to grant select and other permissions to a specify user in Azure Sql Server.
I'm trying to use AUMC to do this, I've created a new login as well as a new user test and grant all permissions I can select on AUMC. (for master database, I've assigned roles loginmanager and dbmanager to test, for other database, I've assigned permissions db_owner, db_securityadmin, db_accessadmin, db_backupoperator, db_ddladmin, db_datawriter, db_datareader, db_denydatawriter, db_denydatareader to test).
After the setting, I'm trying to login to the Azure SQL Server via ssms. The login is success, but I cannot find any tables on the database except the System Tables.
And when I execute SELECT TOP 1 * FROM <a_table>, it returns The SELECT permission was denied on the object <a_table>, database <the database>, schema dbo.
The problem is likely that you are adding your test user to the db_denydatawriter and db_denydatareader roles. These roles prevent the user from reading or writing in the database, overriding the permissions granted by other roles like db_datawriter and db_datareader. Try removing your user from these two 'deny' roles.
For more information on the various database-level roles, see: https://msdn.microsoft.com/en-us/library/ms189121.aspx
I´m building an Azure SQL resource monitor, and I have to grant permission for a login to access the 'sys.resource_stats' on the master database of a Azure SQL 'server'. I can´t use neither loginmanager or dbmanager roles, because they grant some permission I don´t want to grant for a monitor application.
Is there another database role on the master database which i can add members?
I have recently created a special monitoring login/database user (see below) and I didn't find any reason to assign roles (I'm Azure noob thought).
Step 1
Create a login and a database user in master database:
-- in master database
-- create a login
create login <LOGIN> with password = '<PASSWORD>'
-- create a corresponding database user
create user <USER> from login <LOGIN>;
Step 2
Authorize the login to use a target database:
-- in target database
-- create a corresponding database user
create user <USER> from login <LOGIN>;
-- grant permission to view dynamic management views
grant view database state to <USER>;
In practice <LOGIN> and <USER> are the same, like foo_monitor.
See also:
Managing Databases and Logins in Azure SQL Database.
Which privileges does a user need to query used size in SQL Azure database?