How to hide other databases from User in Azure SQL Database? - sql-server

I am using SQL Server Management Studio v17.9.1. I followed guide of this post to use below command but failed with error.
REVOKE VIEW ANY DATABASE FROM PUBLIC
Securable class 'server' not supported in this version of SQL Server.
I tried below code as well with same error:
USE master;
GO
DENY VIEW ANY DATABASE TO TestUser;
GO
What's wrong for this?

In Azure SQL Database (and on-prem contained databases), users can be authenticate at the database level without a server-level login. For example, in the context of the Team1 database:
CREATE User Team1User WITH PASSWORD='<complex-password-here>';
And similarly for the other database:
CREATE User Team2User WITH PASSWORD='<complex-password-here>';
Users must specify the desired database when connecting and the sys.databases catalog view return only the current database.

Related

How to create login on azure ms sql server with access to all databases?

I need to create a login on a server that will have access to all databases on this server.
I have two azure servers: production and stage. I make a copy of a database from prod server on stage server. Then I need to do insert some test data in this new copied database.
The copying process is made on runbooks in azure automation account so every time I want to execute SQL script on a database I need to provide a login&password to a server.
If I create a login TestLogin on stage server and then copy database from prod server to stage, then this login does not have access to a new db. Thus, I need to login as administrator and create a TestUser in this new database for TestLogin.
This does not work for Azure:
GRANT CONTROL SERVER TO TestLogin;
Is there any way I can grant a TestLogin all rights so that it can have access to all the databases on server?
When you create a login in one instance of SQL Server and assign any roles to this user on a specific database, and then copy the database to another SQL Server instance, you have this user in the database, but no login for that user in the second SQL Server. This is also called an "orphaned user". Here is an article that describes how to fix that.
This does not work on Azure. You have to use ALTER USER instead.
As you said in comment, you must login with admin, then you have the permission to alter the new user in master DB, set the user as DB manager or db_owner.
If you only create new login or user and don't give it more permission, this login/user only and login the Database but can't access no database.
Fore details, please see Controlling and granting database access to SQL Database and SQL Data Warehouse.
Hope this helps.

Unable to access an SQL Server database created via Plesk in SQL Server 2014 Management Studio

In Plesk v12.5.30, I have created a new SQL Server database named ngo_database and a new database user called ngo_databaseuser.
I can connect to this new database via Navicat for SQL Server v12.1.20 (after providing host “xxx” + user name “ngo_databaseuser” + password + initial database “ngo_database”), And I am able to access “ngo_database” database and create new tables and queries.
But when I try to connect via SSMS 2014 (after providing server name “xxx” + login “ngo_databaseuser” + password + connect to database “ngo_database”), I am not able to access “ngo_database” database and the only databases available are master + tempdb. And I am not able to import nor create a new user database.
BTW, I have checked with the hosting company and the “Grant the ALTER DATABASE permission to all Microsoft SQL Server database users” is checked.
What I am doing wrong and why I can’t access the database via SSMS?
Not being a see a database in the object explorer of SSMS does not equate to not being able to access it. When you can only see the databases master and tempdb this very likely means that either you have had a DENY permission for VIEW ANY DATABASE added to your login, or a Server Role it belongs to, or VIEW ANY DATABASE has been revoked from the public role and you haven't been granted it.
SSMS builds the list in the object explorer by using the sys objects, and without VIEW ANY DATABASE, it can't see the databases you have access to to retrieve the relevant objects from it.
You can check if you have access to the database by using USE {Your Database} or trying to query a table (such as SELECT * FROM {Your Database}.sys.objects;).
If you need the VIEW ANY DATABASE permission, you need to speak to your DBA.

SQL Server 2008 R2 : restrict server login from seeing all but 2 databases on server

On my server that is hosting SQL Server 2008 R2, I open SSMS and under Security -> Logins there is a login named "SomeLoginName". When I log in to the server with this login, I am able to see all of the databases on the server.
I would like to restrict this user to only see 2 of the databases that are on the server. I've seen some solutions that say to revoke the VIEW ANY DATABASE permission for the login and then add the login as the db_owner for the databases I want "SomeLoginName" to be able to see. I don't want to have "SomeLoginName" as the db_owner for the databases that it is supposed to see.
Is there a way that I can configure "SomeLoginName" to only see 2 databases on the server without "SomeLoginName" being the db_owner for these 2 databases?
Thanks in advance.
Is there a way that I can configure "SomeLoginName" to only see 2
databases on the server without "SomeLoginName" being the db_owner for
these 2 databases?
No, as you are on SQL Server 2008 R2 there s no such a way.
Starting with SQL Server 2012 new Contained Databases were introduced.
Here is another useful article SQL Server 2012 Contained Database Feature
While looking through the new features and improvements in SQL Server
2012, we found a potentially interesting feature called Contained
Databases. A contained database basically includes all database
settings and the metadata within itself thereby resulting in no
configuration dependencies on the instance of the SQL Server Database
Engine where the database is actually installed. Users will be able to
connect to a contained database without authenticating a login at the
Database Engine level. This feature really helps to isolate the
database from the Database Engine thereby making it possible to easily
move the database from one instance of SQL Server to another. In this
tip we will take a look at how to configure and use this feature of
SQL Server 2012.
When using contained databases you don't need login (security principal at the server level), only user at the database level. It will be a database, not a server, to authenticate your user. And as the consequence, this user will not "see databases" other than the database where it was created.
This user has not to be db_owner, it's an ordinary user with any permissions or even without any permission at all.
Thanks to #sepupic , his/her answer is correct. It turns out that I actually am running MS SQL Server 2012 so I was able to implement the Contained Database concept. The steps listed on the linked pages in #sepupic 's answer didn't work for me though. I found this one and put this script together. Here's what it does:
Changes the 'contained database authentication' to 1 for the MS SQL Server instance
Runs RECONFIGURE
Creates a contained database
Creates a user for the database
Here's the script:
USE master;
GO;
EXEC sp_configure 'contained database authentication', 1;
GO;
RECONFIGURE;
GO;
CREATE DATABASE ContainedDB2
CONTAINMENT = PARTIAL;
GO;
USE ContainedDB2;
GO;
CREATE USER cduser2
WITH PASSWORD = N'Pa$$word',
DEFAULT_SCHEMA = dbo;
GO;
Then you just configure the connection to the contained database in the section that begins with
Login and Verify the User Permissions on a Contained Database
Using the script I put together and configuring the connection under the section I mentioned sets it up so you connect to the server with the user that is created and that user can only see the contained database(s) you want it to. You have to configure the user to have permissions like the db role db_datareader in the contained database but instructions on how to do these types of things are easy to come by if you search for them. Thanks again to #sepupic for getting me started on coming up with an answer.

What grants are needed for the SQL Server Telegraf plugin in Azure SQL Database

I'm using the Telegraf input plugin for SQL Server (https://github.com/influxdata/telegraf/tree/master/plugins/inputs/sqlserver) to gather metrics and report to InfluxDB. It works well for SQL Server, but though it supports Azure SQL Database the documentation is a bit sparse.
The database user should be created like this:
CREATE LOGIN [telegraf] WITH PASSWORD = N'password';
GRANT VIEW SERVER STATE TO [telegraf];
GRANT VIEW ANY DEFINITION TO [telegraf];
That works on SQL Server, but in Azure it fails:
Securable class 'server' not supported in this version of SQL Server.
I wonder what I need to grant instead in order to solve this in the best possible way. We have a large number of databases running on the same server in an elastic pool, so if it is possible I would like to use a single user that logs in to the master and collects metrics for all the databases at once (the way it works with SQL Server). If that is impossible I can configure multiple logins and process one database at a time.
Perhaps I can grant VIEW DEFINITION at the database level, but VIEW SERVER STATE does not seem to be supported at all.
So, how should I configure the SQL Database login(s) for Telegraf with the SQL Server plugin to make it work?
EDIT:
Running as the super user for the server works without errors, but only produces metrics for master and tempdb. I need metrics for the many application databases and they are missing. Plus running as the super user is less than ideal.
Running as the super user for the server but connecting to a specific application database (add database in connection string) crashes with a nil pointer dereference and the log complains about VIEW DATABASE STATE permission denied in database master (the super user has access, but apparently not when connecting to a spefic database).
Granting VIEW DATABASE and VIEW DEFINITION to telegraf in an application database and connecting directly to that database as telegraf crashes with a nil pointer dereference and the log says the connection was closed.
EDIT 2:
Created bug report https://github.com/influxdata/telegraf/issues/4222.
EDIT 3:
As of the latest release the plugin works if the server admin account is used, so the issue has been solved. There is still no way to run with a less privileged account in Azure DB.
The answer:
GRANT VIEW SERVER STATE is not supported in Azure SQL Database.
On SQL Database Premium Tiers requires the VIEW DATABASE STATE
permission in the database. Permissions can not be granted in Master,
but the views can be queried in user databases. On SQL Database
Standard and Basic Tiers requires the SQL Database server admin
account due to security requirements following from multi tenancy of
those tiers.
Reason:
SQL Azure SQL is PaaS solution, therefore the most "server" specific features, DMVs, settings are blocked by purpose
References:
Grant View Server State - is it possible for a none SA user to have in Azure SQL?
SQL Azure VIEW DATABASE STATE permission denied in database 'master'
Possible workaround: (which is, anyway does not work in ewramner case)
CREATE LOGIN [telegraf] WITH PASSWORD = N'password';
USE [yourDB]
GRANT VIEW DEFINITION TO [telegraf];
GRANT VIEW DATABASE STATE TO [telegraf];
Therefore, (IMHO), there is no way to make such application working in SQL Azure without changing application code

db_datareader User mapping is allowed to do Update, Create Queries

In a SQL Server 2008 R2 database, I created a user login with:
Server Role: Public
User Mapping: master, model, msdb
Database Role Membership db_datareader, public
When I use with new user login to connect it connects and I can run update, create commands. Which I don't want to run.
The same setting I tried in SQL Server 2012. It didn't allowed me to run update and create commands.
I get an error :
CREATE TABLE permission denied in database 'TEMP'.
In SQL Server 2012 I have a different database.
Please give solution
I have followed this https://www.itsupportguides.com/server-side-tips/sql-management-studio-how-to-create-read-only-users/
for this Login
mark SERVER Role for following Databases as db_DenyDataReader , and db_DenyDatawriter

Resources