New to SQL Managed Instances. Currently I am testing our on-prem SQL databases in an Azure Managed Instance. There are some logging procedures in our application database which are gathering information to save in an audit trail. Some of these are referencing some of the DMVs such as sys.dm_exec_connections and sys.dm_exec_sql_text.
Accessing these using the MI administrator user works fine. However it is the AD service account which will be accessing the database. This service account does not appear to have access to those.
The service account has been added to the db_owner role within the database but I am not able to set at the server or database level the view server state and view all definitions permissions. I cannot see anything which could be the equivalent in a Managed Instance.
Does anyone know how and where to look in order to resolve this?
I have even tried with an account that is the AD Admin account of the instance.
Many thanks.
Please use sql logins instead of AAD login/users for this scenario.
In the current version of Managed Instance you can either create global AAD Admin that don't have full server admin privileges, or you can create contained AAD users as CREATE USER myusr FROM EXTERNAL_PROVIDER that cannot get server-level permissions because grant permission at server level can be given to server-level logins and not database-level users.
In the future we will have better AAD logins that are much similar to the existing Windows logins, but in the meantime, it might be painful if you try to setup this scenario with the existing AAD login/users.
Related
This may be a problem with Azure databases, but I'm hoping there is a solution.
On creating an SQL Database in Azure, the server has a SQL Admin account, which is configured, in this case, manually via the Portal when provisioning. This can only be a SQL Authenticated user.
And of course, I have an AAD group/user configured as the AD Admin as well.
I have also set up an automated deployment using SSDT. The problem arises when I attempt to register the DACPAC as part of the deployment, but only after the first deployment if I'm using the AD account to deploy. It tries to update the registered data-tier application but gets an error stating that it already exists. If I deploy with the SQL Authenticated SQL Admin user instead, then it deploys successfully.
For a few reasons, I want to deploy using an AD account, not least of which to be able to create other contained AD users, which a SQL Authenticated user can't do.
Doing some poking about, I'm able to delete the registered dacpac in SSMS if I'm connected as the SQL user, but when I attempt to do so with the AD user I get:
The current user does not have sufficient permissions on the instance of SQL Server to delete the data-tier application. The user must be the database owner of the database associated with the data-tier application.
I know that the data-tier application info is stored in the virtual master database. e.g.
select * [master].[dbo].[sysdac_history_internal]
select * [master].[dbo].[sysdac_instances_internal]
It looks like you need to have db_owner on the master database in order to work with DACs in this way, but the only user that can be db_owner is the SQL authenticated SQL Admin.
So unless I can create a contained AD user that can do this, I don't think I can use dacpac registration, which is a real shame as drift detection is a real seller for the use SSDT.
If anyone knows how to manage this, I'd be very grateful to hear it.
Description
We use Azure SQL database with multiple databases on a server. It is possible to grant permissions to a single database via the user's Azure AD login by creating a group, say "DBReader". in AAD and assign the group to the role "Reader" via the server's settings in azure portal and then create a user when connected to the database as CREATE USER [DBReaders] FROM EXTERNAL PROVIDER, which will allow connecting to the single database.
Problem
We'd like to grant read access to all databases, so that the user sees all databases with a single connection and must not add them separately. Normally, you'd create a login on the server for this. However, the preview feature https://learn.microsoft.com/en-gb/sql/t-sql/statements/create-login-transact-sql?view=azuresqldb-mi-current, which would allow CREATE LOGIN ... FROM EXTERNAL PROVIDER is not available for Azure SQL database.
Question
Is there any way we did not think of to simply grant access to all databases via an AAD group?
Is there any way we did not think of to simply grant access to all databases via an AAD group?
No. Outside of Managed Instance, which requires a minimum of 4 vCores, Azure SQL Database users must be added to each database.
A suitable solution would involve the user to being able to see all databases he has permissions to at once
For Azure SQL Database, this requires the client to connect to Master to, and then reconenct to switch databases. SQL Server Management Studio does this, but other clients may not.
I have following situation: my user connects to SQL Server as a user with no privileges and then he authorises to application role. Is it possible to configure application role to allow him adding MSSQL login and database user when he is already authenticated?
The short answer seems to be no for the logins, at least without setting a trace flag. According to the documentation:
In SQL Server, application roles cannot access server-level metadata
because they are not associated with a server-level principal. To
disable this restriction and thereby allow application roles to access
server-level metadata, set the global flag 4616
I'm not sure why you want to use an application role here anyway: if you trust people enough to let them manage SQL Server security then you might as well just give them securityadmin permissions directly.
It's common practice for trusted administrators to have two Windows or SQL Server logins, e.g. SomeUser and SomeUserAdmin. Only the admin account has permissions to manage security, so they can do most of their work with a normal account without special privileges, and use their admin account only when necessary.
I have a .NET application which connects to SQL Server 2008 for storing some data. I use SQL Server authenthication providing an sq username and a password to my end-user in app.config file. If something more needs to be changed I give to the end-user some other credentials.
How can I limit the sql user to only have permission to read/write data and executing existing stored procedures and everything else to be forbidden?
What is the best practice for setting permisions for a sql user that an application is using to connect to a database? Can I prevent somehow the user from logging in Management Studio and mess with my data?
I'm not searching for the perfect 100% reliable solution, but the best existing practice to do this. Thank you very much in advance.
Update: I work on a shared hosting SQL Server environment.
You'll need to create a new SQL user, something like 'LimitedUser'. To do this in SSMS, select the Security Folder of the server you are using, right-click, select New, select Login.
Select your authentication type (SQL server authentication is easily managed), and set the Default database to your database.
You'll need to set Server Roles so this new user only maps to your DB, and in the last page (Status), set Login to false so they cannot use these credentials to login to SSMS and 'mess with your data'.
Click OK, and you're done creating your limited user.
Assign it to your database, and then in SSMS, right-click on your db, select Properties, Permissions.
Select your user or role, and in the permission grid below, switch on only what need to be switched on.
As I see, your question is fully concerned with SQL server security.
You can limit user permissions on server, database or object scope, using GRANT statement, server or database roles. For example, you can assign db_datareader role for user, and then grant EXECUTE permission to this user for some stored procedures (or for entire database).
The current practice in my organization is to create the database roles (e.g. application admin, operator, and so on), adding the appropriate permissions to these roles and then assign these roles to database users.
I'm not completelly sure that you can prevent login into SQL Server Managent studio (SSMS), but SSMS wll not display information that must be invisible for user with user current permissions.
Shared SQL Server hosting where a single instance is shared among multiple customers is not compatible with with typical client-server applications. You are expected to perform all operations through a middle tier server such a WCF Data Service and maintain user accounts within your database in a table with Forms Authentication etc.
For your client-server application you need VPS hosting with your own instance of SQL server where you can create server-level logins. Without creating server-level logins there is no method to secure a client-server application. Any workarounds are just pseudo-security.
I have to setup a .net-application that connects to an SQL Server 2005 in a new database. The app uses an application role to authenticate on the server and handles then all security-checks in the app.
I have successfully created the application role and the app can successfully logon to the db. However, the role has no permissions to query any database-object.
How do I assign the roles db_datareader and db_datawriter to the application role so that it has full read-and write access to all tables of the database? Or is there another way to give the role full access to the tables, queries and stored-procedures.
(The app was developped on sql-server 2000, however there are already running instances of it with SQL Server 2005 but I have not seen how it is done that the application role has the desired rights.)
Please note, giving the app role manualy access to every object is not an option because the app creates dynamicly new objects (tables, queries and sp's) and the app must also have access to these new objects without change the roles security configuration.
For reading:
GRANT SELECT TO application_role
For writing:
GRANT INSERT TO application_role
GRANT UPDATE TO application_role
GRANT DELETE TO application_role