I have following situation
ACL group: domain\aclgroup
user account: domain\account
user account is a member of the ACL group
in the sql server ACL group is added to the server logins, mapped to the database with default schema dbo.
user account is not added to the sql server, I can log by this user account base on that ACL group
So the default schema as I though for the user account should be dbo, but it is not.
When I try to create a table without schema like: CREATE TABLE Test (id int), it creates this table in the schema: [domain\user].Test
Why it behaves like this and how I can setup it to create a table in dbo without explicitly typing CREATE TABLE dbo.Test?
I found the problem, user account was not present (deleted?) from server logins but it was present in the database users, with own schema. After deletion of the user, the default schema is dbo
Related
We have Windows Authentication on our SQL Server Databases.
Every object gets created as dbo which I don't mind. But we are unable to track who created what? Can someone help on how it can be managed so we can at least track who is doing what? The login names from the trace is also generic
login name - ABC\gMSA_SQL$
If I login to the server with my windows authentication and run the below command select SUSER_NAME(), I can see my username and not a generic one. So now if I create a table where can I get this username from?
The default schema of the user are set to dbo. It could be due to many reasons, as mentioned in the below msdn reference
The default schema will be the first schema that will be searched by
the server when it resolves the names of objects for this database
user. Unless otherwise specified, the default schema will be the owner
of objects created by this database user.
If the user has a default schema, that default schema will used. If
the user does not have a default schema, but the user is a member of a
group that has a default schema, the default schema of the group will
be used. If the user does not have a default schema, and is a member
of more than one group, the default schema for the user will be that
of the Windows group with the lowest principal_id and an explicitly
set default schema. (It is not possible to explicitly select one of
the available default schemas as the preferred schema.) If no default
schema can be determined for a user, the dbo schema will be used.
DEFAULT_SCHEMA can be set before the schema that it points to is
created.
DEFAULT_SCHEMA cannot be specified when you are creating a user mapped
to a certificate, or an asymmetric key.
The value of DEFAULT_SCHEMA is ignored if the user is a member of the
sysadmin fixed server role. All members of the sysadmin fixed server
role have a default schema of dbo.
You can find out the default schema of the users by running the below query. Refer to sys.database_principals
SELECT default_schema_name FROM sys.database_principals
If you want to restrict the users to only create objects on their schema, you have to do below things:
CREATE SCHEMA [userPrincipalSchema];
GO
CREATE USER [userPrincipal]
WITH PASSWORD='SUPERCOMPLEXPASSWORDHERE'
, DEFAULT_SCHEMA=[userPrincipalSchema]
GO
DENY ALTER ON SCHEMA::[dbo] to [userPrincipal]
GO
ALTER AUTHORIZATION ON SCHEMA::[userPrincipalSchema] to [userPrincipal];
GO
GRANT CREATE TABLE, CREATE VIEW, CREATE PROCEDURE TO [userPrincipal];
GO
This way, you can ensure that the [userPrincpal] is able to create objects only on their schema and you can track, the objects created by them.
I am trying to create a new database user account in Oracle Database 12c Standard Edition that ONLY has access to run a specific view (let's call it "MyApp.MyView").
I created a view as an administrative user under my main application's schema. I created the user (details below) but it seems to have the ability to query any table or view in the app's schema. I ONLY want them to be able to query the specific view I made. Can this be done?
Then, using SQLDeveloper, I right clicked on MyView and granted privileges to MyUser. I can query it as MyUser, but I can also query anything and I don't want that.
-- USER SQL
ALTER USER "MyUser"
DEFAULT TABLESPACE "USERS"
TEMPORARY TABLESPACE "TEMP"
ACCOUNT UNLOCK ;
-- QUOTAS
-- ROLES
ALTER USER "MyUser" DEFAULT ROLE "CONNECT";
-- SYSTEM PRIVILEGES
Below creates a user with the minimum set of privileges needed to query a view/table in another schema. If the user is able to query other tables/views, then they must have been granted elsewhere either through additional grants or roles.
create user MyUser identified by testpassword account unlock;
grant create session to MyUser;
grant read on MyApp.MyView to MyUser;
I understand that dbo is a default schema for every object in database owned by dbo user but we can't login with dbo user and the account we specify during setup gets rights automatically.
Why do we have a dbo user for dbo schema if we can't login with it. We could have had the setup account with full previleges on all schemas.
What's the significance of it?
We don't have to use dbo schema till in DB we don't have another objects with same name in anothers schemas.
But if you build queries without specifying this, then the speed of query execution will slow down. Since the query optimizer will scan other schemes. You can assume that this is just a default namespace
I created a new user in Sql Server 2012 and "by accident" I marked them as owner of multiple schemas. I meant to mark them as members of the schema but I was on the wrong tab!
Because they are now owners of the schema I can't unselect the ownership and I can't delete the user either. How can I undo my mistake?
You must transfer ownership of the schema to some other user, probably dbo, prior to removing the user:
To test this, I did the following:
Create a user to own the schema, and a test schema:
USE tempdb;
CREATE USER [testuser] WITHOUT LOGIN;
GO
CREATE SCHEMA [max] AUTHORIZATION testuser;
GO
Try to drop the user, which will fail:
DROP USER [testuser];
GO
Msg 15138, Level 16, State 1, Line 1
The database principal owns a schema in the database, and cannot be dropped.
Transfer ownership of the schema to some other user, in this case the special user, dbo, which owns the database:
ALTER AUTHORIZATION ON SCHEMA::[max] TO dbo;
GO
Now, drop the test user, which works:
DROP USER [testuser];
Following code recreates a user:
-- Remove link to order schema
ALTER AUTHORIZATION ON SCHEMA::order TO dbo
-- Recreate order user without login
DROP USER order
CREATE USER order WITH DEFAULT_SCHEMA = order
-- Restore link to order schema
ALTER AUTHORIZATION ON SCHEMA::order TO order
My question is, why do we need to remove link to schema before dropping a user, and restore it back after user created?
The behavior of Schemas changed in SQL Server 2005. Schemas are no longer equivalent to database users; each schema is now a distinct namespace that exists independently of the database user who created it. In other words, a schema is simply a container of objects. A schema can be owned by any user, and its ownership is transferable.
https://msdn.microsoft.com/en-us/library/ms190387.aspx
http://basitaalishan.com/2014/05/29/the-database-principal-owns-a-schema-in-the-database-and-cannot-be-dropped/
Ok, just found why we need to temporary move the schema link to another owner before deleting a user.
It will return error if not doing so:
The database principal owns a schema in the database, and cannot be dropped.