I have made a Simple CRUD application made in VB with the data stored in SQL Server on my local machine.
Within the Database security I have made Database Roles and assigned permissions accordingly, and added my (Domain) Computer user account into the Role.
My connection string is;
Data Source=(LocalDB)\MSSQLLocalDB;Initial Catalog=Assets;Integrated Security=SSPI
Now when I run my application it assumes the dbo role instead of the user who is running the application. As this is intended to run on a central machine and have multiple users connecting to it, with different permissions, what changes do I need to make so that I connect using my domain user account?
When I run commands in SSMS with the EXECUTE AS USER command the permissions apply.
If you want users to connect via their Windows login, your connection string is fine. However, you need to recongifure your security model. Ideally, you'll want to create one Active Directory group per application role. Then, you'd add users' Windows accounts to the appropriate AD group. Now, on SQL Server, you'd add the AD groups to the appropriate database roles.
For example, you create a database role "db_read_only". You'd create an AD group "MyApp.ReadOnly", using your company's AD group naming convention of course. You'd then add MyApp.ReadOnly to your database's db_read_only DB role. Then, John Doe wants read-only access to your app, so he'd request to be added to AD group MyApp.ReadOnly.
Your app roles define how many AD groups and DB roles you'd need. You might have MyApp.Admin, MyApp.DataEntry, MyApp.Approver... whatever.
Related
I have a specific problem to which I couldn't find any answer online.
The situation is the following:
We created a Canvas app that connects to the Azure SQL database. We set the connection type to be AAD integrated.
Users that are members of the AD can see the data in the app, but guest users, even though we gave them all the rights and PowerApps plan, cannot see the data. they recieve the same authorization window as members, but when they click on allow, the app starts but no data is being pulled from the SQL database.
When we try to connect directly to the Azure SQL database with the guest user email and credentials (via SQL server management studio), everything works as expected and the guest can see all the tables.
When we use implicitly shared connection (with SQL server authentification), guests can see the data, but we need to use AAD integrated due to its security.
So far we tried:
Changing PA environment from sandbox to production
Adding special permissions in SQL database like database owner etc
Trying out different AAD guest user settings, eq- setting that guest users have the same privileges as members (picture below).
Nothing seems to work. I would be more than happy if you could tell me how to make this work or even push me in the right direction.
I've reproduced your problem in my side. Here's my experience.
After assigning powerapp license(I use O365 E5 here) to guest account and share the app to this account, I can visit the app but can't see the data in the table. I assume that it resulted from the connector hasn't been shared, but it's true that this connector can't be shared because of no 'share button'.
Then I tried to add access policy to my guest account with these two sql:
CREATE USER [tiny-wa_outlook.com#EXT##xx.onmicrosoft.com] FROM EXTERNAL PROVIDER;
GRANT SELECT ON dbo.tinyTest TO [tiny-wa_outlook.com#EXT##xx.onmicrosoft.com];
Pls note here, I used the User Principal Name here(can find the principal name in azure ad->users), I also tested to use 'tiny-wa#outlook.com' in the sql but after executing successfully, it didn't work.
So I think you can try to use the sql above to add your guests accounts and make them can access the powerapp.
Here's some related docs:
create contained users mapped to azure ad identities
Share app resources
add table permission to user
==========================UPDATE==========================
Share my experience of this troubleshot.
First I need to create a power app but I found that after creating the connector with sql server azure ad authentication, it can't connect to the sql server, the error message is like 'Credentials are missing or not valid. inner exception: The credentials provided for the SQL source are invalid', solution is add my admin account as sql server instance Active Directory Admin.
Then I choose a table and successfully create a sample app. With the creating account, I can visit the app but other accounts can't. Here needs to share the app and it's related connectors to other users. But other accounts still can't reach the app because of no license. Because sql server connector is premium connector, so I assign O365 E3 license here. I met an error when assign license, the user's 'Usage location' can't be null or it can't assign license in M365 admin center.
Then I met similar error with Op, the difference is that both member account and guest account can't see the data in app. I try to find the way to share the connector to these uses but failed, I haven't made sure if those connectors without share button can be shared to others. So I have no options to study if this kind of connectors are authenticated in other ways so they don't need to be shared at all.
Next actions is using the account which used to create the sql server and database to sign in database and execute the sqls above.
Then the member account can see data in the power app while the guest account can't see. The reason is I used xx#outlook.com as the parameter in the sql, when I used xx_outlook.com#EXT##xx.onmicrosoft.com, it worked finally.
Hope this can also help you.
===================================================
For creating my demo app: First, I'm sure my environment isn't a sandbox(the environment in the screenshot below). And I think it's easy to create a demo app, and my app is simple, just choose to create an app from data and then select sql server as the connector, next I choose auzre ad auth and click the connector, enter server name and database name then choose a table, after that my app has created. That table has one row of data so when I signed in the app with the creating account, I see it in the screen while other accounts(member or guests) can't.
My sql server instance and database are created long time ago, but I'm sure I followed this tutorial to create them.
This appears to still be a limitation to access to Azure SQL via PA connector for guest users:
https://powerusers.microsoft.com/t5/Power-Apps-Ideas/Azure-SQL-to-PowerApps-Connector-AAD-doesn-t-work-for-guest/idi-p/1637817
If the "guest" does NOT have a PowerApps Per-App/Per-User plan, they cannot use your PowerApps with SQL data source (Note: SQL is a premium connector).
Determine exactly which type of license the guest has. Then, either your organization or the guest (or guest's org) must purchase one of these licenses. $5/$10/$20 per month depending on your use case.
REF
My requirement I have 20 users all are configured in azure active directory resource group.
I have one Azure SQL Server under I have 3 Azure SQL Databases like Dev, QA and UAT
In Active Directory configured 20 users I need different access in each database level, some people need only read access and some people need both write and read, etc.
Please help me to do this.
Is it possible to create users group in each database level with different roles for azure active directory users?
users can login SSMS with azure active directory credentials but each user having different access in each database
you can create groups in AAD and provide the groups/users access on the database individually.
Execute the below queries in individual databases:
1)
CREATE USER [GroupName] FROM EXTERNAL PROVIDER or
CREATE USER [xyz#abc.com] FROM EXTERNAL PROVIDER
2)
exec sp_addrolemember 'db_datareader', '<>' or
exec sp_addrolemember 'dbowner', '<>' etc based on the roles which you want to assign.
Note :
Since the user is not created at server level and directly at databases level, while trying to connect via SSMS ,
Put the database name explicitly.
Per my experience, you need manually configure the AAD users with different permissions or database role in each database.
In addition, you need connect to the Azure SQL with Azure AD admin account, only the admin account can do the operations for each database.
For example, one of the AAD user 'aa#abc.com' only needs have the read permission in database Dev but needs read/writer permission in database QA and UAT. User 'bb#abc.com' needs read/writer permission in database 'Dev' and read permission in 'QA' and 'UAT'. In each database, different users are derived to two roles. Then we can not configure group level permission for these AAD users in each database.
After doing that, all the users in your AAD group will have the different permissions in different database. When connect to the database with SSMS, current user can see all the databases which he has the permission to access. You also can choose the specific database in SSMS connection properties like #Nandan said.
HTH.
Problem
We have a server with multiple databases and we would like a way of allowing a single group of users the ability to access or execute a restricted set of objects in each database on a single server.
Context
This used to be managed via AD groups however we are trying to move away from AD groups to using a mix of server and DB roles. However, I don't want to have to add or remove a user from a db_role in each database or have to try to keep them all in sync. Is there a way to tie database permissions to a server role so I only need to maintain the users in the server role?
Situation:
A Windows user is member in multiple AD groups.
Every AD group is mapped to a SQL Server login.
Every SQL login is mapped to a database user.
Every database user has specific roles.
Question:
Is it possible that a Windows user is logging into SQL Server (using WinAuth) and that he gets all roles which he could get due to his membership in multiple AD groups?
Yes. A user's permissions on an object is the union of all permissions paths s/he qualifies for (including any DENY permissions). A quick way to verify is by using the sys.user_token and sys.login_token views as well as the sys.fn_my_permissions function. From an administrative perspective, these work especially well because they are accurate under impersonation (i.e. execute as login = 'yourDomain\someUser').
From MSDN: Application Roles on MSDN
An application role is a database principal that enables an application to run with its own, user-like permissions. You can use application roles to enable access to specific data to only those users who connect through a particular application. Unlike database roles, application roles contain no members and are inactive by default. Application roles work with both authentication modes. Application roles are enabled by using sp_setapprole, which requires a password. Because application roles are a database-level principal, they can access other databases only through permissions granted in those databases to guest. Therefore, any database in which guest has been disabled will be inaccessible to application roles in other databases.
Can someone explain this to me?
Does this mean that I cannot write a cross database query which refers to tables from another database on the same SQL Server Instance if guest account is disabled for that instance?
First, disabling the guest account on an instance is IMHO a bad idea. The guest account is designed to allow users to "see" databases (and very little more). Disabling the guest account for the instance (and consequestially master) will stop enumeration of the databases which may well stop an otherwise authenticated role connecting, depending on the connection string used. You can grant an application role to one or more databases and instances and the application running under this account will have access (unless its denied in some other way) Thus any userrs who can run the applicaion will have that access via the application) Its a way of allowing an application t do something without granting the user those rights. http://msdn.microsoft.com/en-us/library/aa905195%28v=sql.80%29.aspx By Instance I presume you mean sQL install instance...?