I have a user created in sqlserver -> security -> Logins
I would like to provide the db owner role to the existing user to a database.
When i try change the user properties in SSMS, i get the following error:
The user already exists. I only want to update the owner property.
Can anyone help me with this?
Thanks
Because the user already exists in individual db, update the db owner can't be done until the user is dropped.
so i dropped the user by droppping the owned schema first and then dropped the user
https://dba.stackexchange.com/questions/19456/the-database-principal-owns-a-schema-in-the-database-and-cannot-be-dropped-mess/19458
Related
I have a huge problem with rights of new users of my SQL Server database. The new user cannot see any tables but is still able to drop them or create new tables.
Code to create the user:
--Code Start
--This is how I instantiate the new user:
CREATE LOGIN userName WITH PASSWORD 'password';
CREATE USER userName FOR LOGIN userName;
--Furthermore, the user get some roles. So that the user can do at least something:
CREATE ROLE roleExample;
GRANT DELETE, INSERT, SELECT, UPDATE ON dbo.exampleTable TO roleExample;
SP_ADDROLEMEMBER roleExample, userName;
--Code End
In my opinion, the new User should only be able to operate on the exampleTable now. But as I said, the user is also able to create and drop tables.
That's why, I added some constraints to the role, the new user gets:
DENY CREATE TABLE TO roleExample AS dbo;
This did not help either. The User is still able to create tables in dbo.
This problem is btw. not related to a specific schema. The new user can create and drop tables in any schema.
I guess that new users are allowed to create or drop tables by default. Sadly, I do not know how to change it.
I hope you guys can help me.
Attached is an example, where you can see that the user does not know the schema, where a new table should be created. Nevertheless, the schema exists and after executing this statement, the table is created. The error-message just says that this table is already created, because I executed this statement twice. Still, the user is not able to see its own created table in SQL Server Management Studio.
User does not know schema, but still can create tables in it
OK, so there's several things that it might be, but by far the most likely is that someone has granted some database permission(s) to the public role or to some AD group that your users are all in. (Also possible, but less likely is that something similar has been done to the server permissions).
To check for database permissions open SSMS (SQL Server Management Studio), right-click on your database in the Object Explorer pane and select "Properties". Then in the Database Properties window click the "Permissions" page from the list on the upper-left.
If there are any database permissions granted to any Users or Roles, they should appear in the upper listbox. If Public is in there click it to see if has been granted any database-wide permissions. All users have the Public role, so anything granted here is automatically granted to all users.
If that isn't it, then check any other roles listed in the upper listbox. Also check any users that look like they might be AD Groups because these work like DB roles except that SQL Server cannot administer them, nor tell who's in a specific group from these interfaces.
If you don't find anything here, then repeat this for the Server Permissions also.
A user had an issue with a login to an application. The error is "The Update permission was denied on the object '{tablename}', database '{databasename}, schema 'dbo'.
The user already has permissions based on a role that already allowed other users to properly login, making the necessary entry into the "log" table.
When checking the user with this code,
EXECUTE AS LOGIN = N'[AD UserName]';
SELECT
permission_name AS [Permission]
FROM fn_my_permissions(N'[ServerName]', N'DATABASE')
ORDER BY permission_name;
REVERT;
the results were:
CONNECT
EXECUTE
SELECT
VIEW ANY COLUMN ENCRYPTION KEY DEFINITION
VIEW ANY COLUMN MASTER KEY DEFINITION
I expected this:
CONNECT
DELETE
EXECUTE
INSERT
SELECT
UPDATE
VIEW ANY COLUMN ENCRYPTION KEY DEFINITION
VIEW ANY COLUMN MASTER KEY DEFINITION
I granted Insert, Update, Delete and Execute directly to the user for the database. The permissions were still not showing Insert, Execute or Delete and still the user can not log in.
I applied permissions directly to the table. Again the user could not access the application due to the error when inserting into the table.
Additionally the user has access to other DB's on the server but I am not able to find why on this database the user's granted permissions are not correctly applied.
Where can I find if permissions are being altered due to server level permissions or other ideas i am not able to think of.
Thank you in advance
The issue was the user was part of a group that had db_denywriter checked on the same database.
The question still remains what is the best way to determine the permissions of a user, even if it's through a group permission, are denied or granted.
The lack of something should not equate to true, or false.
Thanks!
Suppose I have a login metamanager\test which shows when I execute T-SQL, but it is not there when when I expand Security -> Login in SSMS.
Same with a database user.
I try to replicate but failed
use master
select * from sys.syslogins is used for login
use DB
select * from sys.sysusers is used for database user
A LOGIN and a USER are completely different objects.
A LOGIN is a server object, and appear in sys.syslogins, as you see.
A USER is a database object, and for a LOGIN to have access to a database, it needs to have a USER mapped to the LOGIN in that database. A LOGIN with no mapped logins in any databases, and without any server level roles, will be unable to access any of the database on the instance, apart from those that the public roles has in tempdb and master.
It appears, here, you need to create the user in the database, and then give it the appropriate permissions. You can create the USER with the following:
USE {YourDatabase};
GO
CREATE USER 'metamanager\test' FOR LOGIN 'metamanager\test';
You'll need to give it the appropriate permissions afterwards.
Also, after you have created the user, ensure you have refreshed your object explorer. Object explorer doesn't automatically refresh after you create an object.
Not sure if you explaining it correctly, but syslogins and server_principals are about the same. Only the difference that server_principals include "Roles".
As far as I know it is impossible to have something in syslogins, which does not exist in server_principals.
i dont know how to ask my question but still i try. I am using SQLServer2008R2. I have created one database say DB1 and also created one SQLServer user say User1. Now I want that only User1 can have access of DB1 database and other user can not access to DB1.
You should look at the security node in management studio for your database.
Check that your user is the only login that associated with your database.
If you want to prevent that user creating another user, revoke his permissions to create users.
For more information on users and roles, see the documentation http://msdn.microsoft.com/en-us/library/aa337552.aspx
Using SQL Server 2008.
I created a new database, created a new user and mapped the user to the same login name.
Gave the user all the roles available including db_owner.
The user created a new table but when the user tried to select from the table, an error "The SELECT permission was denied on the object ...." showed up.
Why doesn't the user have select permission if the user is member of the db_owner and db_datareader roles?
I recall this used to work before.
MOst likely the user isn't actually the DBO. Check the table name is [dbo].[tablename] and that the user actually is the dbo.
Actually - More information about the error would be nice. Cause you usually have select access to tables you have created.
Are there any deny permissions set?