I am working in an environment which has multiple sql server instances.
In one server my user is able to access any database even after restore.
In another server my user losses access to the database after doing a restore.
What could be the difference in access for my user in both servers.
probably in your first instance, your user has sysadmin privileges. on the other hand in second SQL instance, your user have database level privileges which are overridden upon restore.
Related
On my server that is hosting SQL Server 2008 R2, I open SSMS and under Security -> Logins there is a login named "SomeLoginName". When I log in to the server with this login, I am able to see all of the databases on the server.
I would like to restrict this user to only see 2 of the databases that are on the server. I've seen some solutions that say to revoke the VIEW ANY DATABASE permission for the login and then add the login as the db_owner for the databases I want "SomeLoginName" to be able to see. I don't want to have "SomeLoginName" as the db_owner for the databases that it is supposed to see.
Is there a way that I can configure "SomeLoginName" to only see 2 databases on the server without "SomeLoginName" being the db_owner for these 2 databases?
Thanks in advance.
Is there a way that I can configure "SomeLoginName" to only see 2
databases on the server without "SomeLoginName" being the db_owner for
these 2 databases?
No, as you are on SQL Server 2008 R2 there s no such a way.
Starting with SQL Server 2012 new Contained Databases were introduced.
Here is another useful article SQL Server 2012 Contained Database Feature
While looking through the new features and improvements in SQL Server
2012, we found a potentially interesting feature called Contained
Databases. A contained database basically includes all database
settings and the metadata within itself thereby resulting in no
configuration dependencies on the instance of the SQL Server Database
Engine where the database is actually installed. Users will be able to
connect to a contained database without authenticating a login at the
Database Engine level. This feature really helps to isolate the
database from the Database Engine thereby making it possible to easily
move the database from one instance of SQL Server to another. In this
tip we will take a look at how to configure and use this feature of
SQL Server 2012.
When using contained databases you don't need login (security principal at the server level), only user at the database level. It will be a database, not a server, to authenticate your user. And as the consequence, this user will not "see databases" other than the database where it was created.
This user has not to be db_owner, it's an ordinary user with any permissions or even without any permission at all.
Thanks to #sepupic , his/her answer is correct. It turns out that I actually am running MS SQL Server 2012 so I was able to implement the Contained Database concept. The steps listed on the linked pages in #sepupic 's answer didn't work for me though. I found this one and put this script together. Here's what it does:
Changes the 'contained database authentication' to 1 for the MS SQL Server instance
Runs RECONFIGURE
Creates a contained database
Creates a user for the database
Here's the script:
USE master;
GO;
EXEC sp_configure 'contained database authentication', 1;
GO;
RECONFIGURE;
GO;
CREATE DATABASE ContainedDB2
CONTAINMENT = PARTIAL;
GO;
USE ContainedDB2;
GO;
CREATE USER cduser2
WITH PASSWORD = N'Pa$$word',
DEFAULT_SCHEMA = dbo;
GO;
Then you just configure the connection to the contained database in the section that begins with
Login and Verify the User Permissions on a Contained Database
Using the script I put together and configuring the connection under the section I mentioned sets it up so you connect to the server with the user that is created and that user can only see the contained database(s) you want it to. You have to configure the user to have permissions like the db role db_datareader in the contained database but instructions on how to do these types of things are easy to come by if you search for them. Thanks again to #sepupic for getting me started on coming up with an answer.
I'm using the Telegraf input plugin for SQL Server (https://github.com/influxdata/telegraf/tree/master/plugins/inputs/sqlserver) to gather metrics and report to InfluxDB. It works well for SQL Server, but though it supports Azure SQL Database the documentation is a bit sparse.
The database user should be created like this:
CREATE LOGIN [telegraf] WITH PASSWORD = N'password';
GRANT VIEW SERVER STATE TO [telegraf];
GRANT VIEW ANY DEFINITION TO [telegraf];
That works on SQL Server, but in Azure it fails:
Securable class 'server' not supported in this version of SQL Server.
I wonder what I need to grant instead in order to solve this in the best possible way. We have a large number of databases running on the same server in an elastic pool, so if it is possible I would like to use a single user that logs in to the master and collects metrics for all the databases at once (the way it works with SQL Server). If that is impossible I can configure multiple logins and process one database at a time.
Perhaps I can grant VIEW DEFINITION at the database level, but VIEW SERVER STATE does not seem to be supported at all.
So, how should I configure the SQL Database login(s) for Telegraf with the SQL Server plugin to make it work?
EDIT:
Running as the super user for the server works without errors, but only produces metrics for master and tempdb. I need metrics for the many application databases and they are missing. Plus running as the super user is less than ideal.
Running as the super user for the server but connecting to a specific application database (add database in connection string) crashes with a nil pointer dereference and the log complains about VIEW DATABASE STATE permission denied in database master (the super user has access, but apparently not when connecting to a spefic database).
Granting VIEW DATABASE and VIEW DEFINITION to telegraf in an application database and connecting directly to that database as telegraf crashes with a nil pointer dereference and the log says the connection was closed.
EDIT 2:
Created bug report https://github.com/influxdata/telegraf/issues/4222.
EDIT 3:
As of the latest release the plugin works if the server admin account is used, so the issue has been solved. There is still no way to run with a less privileged account in Azure DB.
The answer:
GRANT VIEW SERVER STATE is not supported in Azure SQL Database.
On SQL Database Premium Tiers requires the VIEW DATABASE STATE
permission in the database. Permissions can not be granted in Master,
but the views can be queried in user databases. On SQL Database
Standard and Basic Tiers requires the SQL Database server admin
account due to security requirements following from multi tenancy of
those tiers.
Reason:
SQL Azure SQL is PaaS solution, therefore the most "server" specific features, DMVs, settings are blocked by purpose
References:
Grant View Server State - is it possible for a none SA user to have in Azure SQL?
SQL Azure VIEW DATABASE STATE permission denied in database 'master'
Possible workaround: (which is, anyway does not work in ewramner case)
CREATE LOGIN [telegraf] WITH PASSWORD = N'password';
USE [yourDB]
GRANT VIEW DEFINITION TO [telegraf];
GRANT VIEW DATABASE STATE TO [telegraf];
Therefore, (IMHO), there is no way to make such application working in SQL Azure without changing application code
We created a database and spent time loading the data. We might have accidentally changed some permissions, and now we are not longer able to access that database from the owner account (or any other). (We are both wading through the mud here)
Is there any way to restore the revoked permissions so we can access our data, or do we need to start all over?
Well, that's all in the docs:
You can reset the assigned permissions for your DB instance by
resetting the master password. For example, if you lock yourself out
of the db_owner role on your SQL Server database, you can reset the
db_owner role password by modifying the DB instance master password.
By changing the DB instance password, you can regain access to the DB
instance, access databases using the modified password for the
db_owner, and restore privileges for the db_owner role that may have
been accidentally revoked. You can change the DB instance password by
using the Amazon RDS console, the AWS CLI command modify-db-instance,
or by using the ModifyDBInstance action. For more information about
modifying a SQL Server DB instance, see Modifying a DB Instance
Running the Microsoft SQL Server Database Engine.
Source: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Troubleshooting.html#CHAP_Troubleshooting.ResetPassword
I have a .NET application which connects to SQL Server 2008 for storing some data. I use SQL Server authenthication providing an sq username and a password to my end-user in app.config file. If something more needs to be changed I give to the end-user some other credentials.
How can I limit the sql user to only have permission to read/write data and executing existing stored procedures and everything else to be forbidden?
What is the best practice for setting permisions for a sql user that an application is using to connect to a database? Can I prevent somehow the user from logging in Management Studio and mess with my data?
I'm not searching for the perfect 100% reliable solution, but the best existing practice to do this. Thank you very much in advance.
Update: I work on a shared hosting SQL Server environment.
You'll need to create a new SQL user, something like 'LimitedUser'. To do this in SSMS, select the Security Folder of the server you are using, right-click, select New, select Login.
Select your authentication type (SQL server authentication is easily managed), and set the Default database to your database.
You'll need to set Server Roles so this new user only maps to your DB, and in the last page (Status), set Login to false so they cannot use these credentials to login to SSMS and 'mess with your data'.
Click OK, and you're done creating your limited user.
Assign it to your database, and then in SSMS, right-click on your db, select Properties, Permissions.
Select your user or role, and in the permission grid below, switch on only what need to be switched on.
As I see, your question is fully concerned with SQL server security.
You can limit user permissions on server, database or object scope, using GRANT statement, server or database roles. For example, you can assign db_datareader role for user, and then grant EXECUTE permission to this user for some stored procedures (or for entire database).
The current practice in my organization is to create the database roles (e.g. application admin, operator, and so on), adding the appropriate permissions to these roles and then assign these roles to database users.
I'm not completelly sure that you can prevent login into SQL Server Managent studio (SSMS), but SSMS wll not display information that must be invisible for user with user current permissions.
Shared SQL Server hosting where a single instance is shared among multiple customers is not compatible with with typical client-server applications. You are expected to perform all operations through a middle tier server such a WCF Data Service and maintain user accounts within your database in a table with Forms Authentication etc.
For your client-server application you need VPS hosting with your own instance of SQL server where you can create server-level logins. Without creating server-level logins there is no method to secure a client-server application. Any workarounds are just pseudo-security.
I want to manage permissions and access to a SQL Server database server on a development machine. I've created a local windows group (called DBReaderGroup) and assigned various people to it. The group was created as a SQL Server login successfully:
create login [MYMACHINE\DBReaderGroup] from windows
My goal is to grant this group read/write access to all databases (which are constantly being added and dropped). Is it possible to configure the right settings so that SQL Server manages this?
My biggest challenge is that each time a db is created, I have to update the "User Mapping" settings for this group on the new database.
Am I missing something simple?
Add the login to the Model database in the db_datawriter role, and any new database will give that login full write access by default. This won't work, however, if the databases being added are from other sources (ie restored versions).