I have CICD pipeline setup for deploying the database using DACPAC.
I have arguments for sqlpackge.exe here
/p:ExcludeObjectTypes="Users;RoleMembership;Logins;ServerRoles;ServerRoleMembership"
This works fine, the users for the database is disabled with a red X after deploying. User cannot login after deploy
GRANT
CONNECT
TO
TheUser1
About code could enable the user again, but I don't want to touch any user permission in my pipeline
/p:ExcludeObjectTypes="Permissions"
exclude Permissions will not revoke connect the user
Related
I am trying to enable Active Directory access for an Azure SQL Database. But I ran in a bit of a chicken-egg problem:
On the properties tab of my SQL database, The Active Directory admin shows an AD user group I am a member of
I cannot login. If I try to connect to my database using this AD-user, either via the Query editor (preview) tab or through SSMS, I get "Login failed for user ''."
If I login using the Server admin login or through a SQL account, I can login, but I cannot execute CREATE USER myname FROM EXTERNAL PROVIDER. It returns "Only connections established with Active Directory accounts can create other Active Directory users"
How did I create this mess?
On Azure, I already had a SQL Server with a SQL database. I can login onto that server using my Active Directory account. I had a local database, and in SSMS I selected "Deploy database to Microsoft Azue SQL database..." and selected my existing SQL Server.
As I understand it, AAD needs to know the SQL server, not each individual SQL database. If I do a Point In Time restore of my main database, I can also access this database with my AAD-account. But of course, this database already contains the active directory user group.
So Azure thinks I can logon to the database with my AAD-account,
but the database itself does not know any AAD accounts.
And I can only create AAD accounts in the database when logged in with an AAD-account.
How do I create an Active Directory Account within my database without being logged on with an Active Directory Account?
How do I create an Active Directory Account within my database without being logged on with an Active Directory Account?
No, we can't. In Azure SQL database, you need to first to configure the Azure AD admin for the SQL Server, then login the database with AAD admin account to create the AAD user.
I think you have configured it. As you said you can login with you AAD-account. That's the Azure AD admin account. It has the permission to access all the database.
Important:
To create contained users mapped to Azure AD identities, you must be
logged in using an Azure AD account that is an administrator in the
database in Azure SQL Database. In SQL Managed Instance, a SQL login
with sysadmin permissions can also create an Azure AD login or user.
Ref here: Authorize database access to SQL Database, SQL Managed Instance, and Azure Synapse Analytics
Here are my steps:
Step #1. Create a contained user in my SQL Server 2019 database
Step #2. Use this database-level user to connect to “Partially contained database” in my SQL Server. Yes, it works
Step #3. Export this SQL Server 2019 database to a .bacpac file, and import it into Azure database via Azure Portal
Step #4. Use this database-level user to connect to Azure database, no luck. But if I logged in as SA to Azure, I can see this user.
Step #5. Drop this user and recreate it in Azure database. All good. I could connect.
I was expecting that step #4 would work. Not sure why it failed. I googled some but could not find answers. Any suggestions?
Export and import the .bacpac file to create the new database in Azure SQL database, it's a database migration.
The limit is that We must create the login/user manually.
We can not database-level user to connect to Azure database directly, we must enable the login and user first.
To improve security, SQL Server Authentication logins are stored in a
DAC export file without a password. When the file is imported, the
login is created as a disabled login with a generated password. To
enable the logins, sign in using a login that has ALTER ANY LOGIN
permission and use ALTER LOGIN to enable the login and assign a new
password that can be communicated to the user. This is not needed for
Windows Authentication logins because their passwords are not managed
by SQL Server.
For more details, you could ref: Import a BACPAC File to Create a New User Database
HTH.
Adding on to the answer by #LeonYue, you can change the password for users that have no login (i.e. database-level SQL authentication) after import by connecting to the database as sysadmin and executing ALTER USER <user-name> WITH PASSWORD='<user-password>';.
Like on-prem contained database users, Azure SQL Database allows SQL authentication at the database level for users with a password (no associated login). However, the password is not exported/imported for security reasons.
This may be a problem with Azure databases, but I'm hoping there is a solution.
On creating an SQL Database in Azure, the server has a SQL Admin account, which is configured, in this case, manually via the Portal when provisioning. This can only be a SQL Authenticated user.
And of course, I have an AAD group/user configured as the AD Admin as well.
I have also set up an automated deployment using SSDT. The problem arises when I attempt to register the DACPAC as part of the deployment, but only after the first deployment if I'm using the AD account to deploy. It tries to update the registered data-tier application but gets an error stating that it already exists. If I deploy with the SQL Authenticated SQL Admin user instead, then it deploys successfully.
For a few reasons, I want to deploy using an AD account, not least of which to be able to create other contained AD users, which a SQL Authenticated user can't do.
Doing some poking about, I'm able to delete the registered dacpac in SSMS if I'm connected as the SQL user, but when I attempt to do so with the AD user I get:
The current user does not have sufficient permissions on the instance of SQL Server to delete the data-tier application. The user must be the database owner of the database associated with the data-tier application.
I know that the data-tier application info is stored in the virtual master database. e.g.
select * [master].[dbo].[sysdac_history_internal]
select * [master].[dbo].[sysdac_instances_internal]
It looks like you need to have db_owner on the master database in order to work with DACs in this way, but the only user that can be db_owner is the SQL authenticated SQL Admin.
So unless I can create a contained AD user that can do this, I don't think I can use dacpac registration, which is a real shame as drift detection is a real seller for the use SSDT.
If anyone knows how to manage this, I'd be very grateful to hear it.
I'm trying to create a user for my sql server database in plesk 12.5 web panel but when I create a user, this user has limited role.
I can't change user privileges even though T-sql...
for example when I tried to copy one of my databases that is on another server to this server using Management Studio, I get this error in image below:
SSMS Database Copy Wizard Error
I want to create a user with owner role and full access...
this is my plesk options for ceating new database user:Plesk Options
I'm so confused that what's going on here!
in earlier versions of plesk I didn't face this issue...
any suggestion?
You can ask your hosting provider to switch on option
"Grant the ALTER DATABASE permission to all Microsoft SQL database users"
in Tools&Settings > Database Hosting Settings
or if you have access to RDP you can execute following command:
plesk sbin server_pref -u -grant-alter-database-to-mssql-users true
net application running on IIS6. I've setup the logging configurations however it does not log to our database.
I think this should be a permission issue because when I run the app from visual studio it logs fine.
but I"ve already given the app pool identity account datawriter rights to the logging database. The directory security is setup to windows authentication.
Does the account have permission to execute the InsertCategoryLog, AddCategory, and WriteLog stored procs?