although I have set all the three checkboxes (Enable Filestream for TSQL, I/O and for remote access) in instance of SQL Server via MMC.exe to true I get the following error when trying to access the Share / FileTable... What could be wrong that prevents me from using the feature?
Thx
With a FileTable, SQL Server performs authorization checks based on the user's Windows account. The Windows account must have permissions to connect to the SQL instance and database along with permission on the FileTable, just like when the table is used directly in T-SQL. These permissions can be assigned directly or via Windows group membership.
USE YourFileTableDatabase;
CREATE LOGIN [YourDomain\WindowsUserOrGroup] FROM WINDOWS;
CREATE USER [YourDomain\WindowsUserOrGroup];
GRANT SELECT ON dbo.YourFileTable TO [YourDomain\WindowsUserOrGroup];
Your Windows Explorer screenshot looks to be missing both the database directory and FileTable directory in the path. Perhaps this is because of insufficient permissions. The full UNC path to a FileTable is in the form:
\\<servername>\<instance-filestream_share_name>\<database-filestream-directory>\<file-table-directory>
Related
I'm trying to create a linked table connection in MS Access to a SQL Server instance table through Linked Table Manager in the External Data ribbon.
To grant access to this SQL Server instance in READONLY mode, a DBA in the organization I work for create a new Domain User Account different from my personal one.
In other applications, Windows authentication as different user in case of Excel and Powerbi and Run as different for SSMS works fine.
In MS Access there is no -Use Alternative Windows credential- term of authentication and all the others that I have tried do not function (Active Directory Password/Integrated/Interactive/servicePrincipal).
Does anyone know a possible solution to access the SQL Server from MS Access using a different Windows Domain user?
open the command prompt in administrative mode and run the below command
replace <<domain\username>> with user details.
update the msaccess.exe location("C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE") if it differs in your system.
C:\Windows\System32\runas.exe /netonly /user:<<domain\username>> "C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE"
by this way ms-access will be opened using alternate user credential,
then click the "Linked Table Manager" and connect to SQL server, it will connect to SQL server using alternate user credential.
I am trying to grant a user access to export data from SQL Server into an Excel file using OPENROWSET.
The user is getting the following error:
Cannot initialize the data source object of OLE DB provider
"Microsoft.ACE.OLEDB.12.0" for linked server "(null)".
We can reproduce the issue running the following block of code, which I can run successfully and the user cannot:
INSERT INTO OPENROWSET('Microsoft.ACE.OLEDB.12.0', 'Excel 12.0 Xml; HDR=YES;IMEX=0; Database=\\servername\exportdirectory\exportfile.xlsx', 'Select ExcelColumn from [TabName$]')
SELECT TOP 1 SQLColumn FROM SQLTable
The only difference I can see between the users is that those who can successfully run this command and get the data into Excel are admins on the Windows server hosting both the SQL instance and the target directory.
The user who is unable to run the code has full control permissions on the target file directory where the excel file resides and has sysadmin permissions on the SQL instance.
Is there any way to allow this user to write to this file without granting full server admin rights on the Windows server itself?
According to MS Documentation the user who is executing the command needs Administrator Bulk Operations.
This is a server level permission - bulkadmin. So you have to put any user that is going to do this in this role (at the server level) not necessarily make them a DBA.
https://learn.microsoft.com/en-us/sql/t-sql/functions/openrowset-transact-sql?view=sql-server-2017:
OPENROWSET permissions are determined by the permissions of the user name that is being passed to the OLE DB provider. To use the BULK option requires ADMINISTER BULK OPERATIONS permission.
If you cannot do that (put the user in the BulkAdmin role) you may want to use SSIS to create the spreadsheet.
You are experiencing the "double hop problem". You need to enable impersonation so that the server hosting the share will accept impersonated credentials from the SQL Server. Here is an excerpt from the security considerations section of this page: Import Bulk Data by Using BULK INSERT or OPENROWSET(BULK...) (SQL Server)
SQL Server and Microsoft Windows can be configured to enable an
instance of SQL Server to connect to another instance of SQL Server by
forwarding the credentials of an authenticated Windows user. This
arrangement is known as impersonation or delegation. Understanding how
SQL Server version handle security for user impersonation is important
when you use BULK INSERT or OPENROWSET. User impersonation allows the
data file to reside on a different computer than either the SQL Server
process or the user. For example, if a user on Computer_A has access
to a data file on Computer_B, and the delegation of credentials has
been set appropriately, the user can connect to an instance of SQL
Server that is running on Computer_C, access the data file on
Computer_B, and bulk import data from that file into a table on
Computer_C.
This page might help you get started: Kerberos Constrained Delegation Overview
I have an environment where a cloud based server is hosting a SQL Database. Users connect directly to this in order to run queries and download data.
Rather than setting up user logins and assigning them to roles manually I'd like to inherit these from the company Active Directory account. I can get LDAP credentials on the remote SQL Database but I'm unclear on how I can use this to provide login access for the users (and to correctly assign them to roles).
Many thanks.
You can do it with the help of SSIS. Please check the below link for the same.
Importing data from Active Directory Using SSIS
What should I do? I could disable UAC to access the database. Is there a way I could copy the my database but strip the account control informations attached to it? Many thanks.
Read this article for possible options. Excerpt: `After the SQL Server Instance starts in single-user mode, the Windows Administrator account is able to connect to SQL Server using the sqlcmd utility using Windows authentication. You can use Transact-SQL commands such as "sp_addsrvrolemember" to add an existing login (or a newly created one) to the sysadmin server role.
I have a .NET application which connects to SQL Server 2008 for storing some data. I use SQL Server authenthication providing an sq username and a password to my end-user in app.config file. If something more needs to be changed I give to the end-user some other credentials.
How can I limit the sql user to only have permission to read/write data and executing existing stored procedures and everything else to be forbidden?
What is the best practice for setting permisions for a sql user that an application is using to connect to a database? Can I prevent somehow the user from logging in Management Studio and mess with my data?
I'm not searching for the perfect 100% reliable solution, but the best existing practice to do this. Thank you very much in advance.
Update: I work on a shared hosting SQL Server environment.
You'll need to create a new SQL user, something like 'LimitedUser'. To do this in SSMS, select the Security Folder of the server you are using, right-click, select New, select Login.
Select your authentication type (SQL server authentication is easily managed), and set the Default database to your database.
You'll need to set Server Roles so this new user only maps to your DB, and in the last page (Status), set Login to false so they cannot use these credentials to login to SSMS and 'mess with your data'.
Click OK, and you're done creating your limited user.
Assign it to your database, and then in SSMS, right-click on your db, select Properties, Permissions.
Select your user or role, and in the permission grid below, switch on only what need to be switched on.
As I see, your question is fully concerned with SQL server security.
You can limit user permissions on server, database or object scope, using GRANT statement, server or database roles. For example, you can assign db_datareader role for user, and then grant EXECUTE permission to this user for some stored procedures (or for entire database).
The current practice in my organization is to create the database roles (e.g. application admin, operator, and so on), adding the appropriate permissions to these roles and then assign these roles to database users.
I'm not completelly sure that you can prevent login into SQL Server Managent studio (SSMS), but SSMS wll not display information that must be invisible for user with user current permissions.
Shared SQL Server hosting where a single instance is shared among multiple customers is not compatible with with typical client-server applications. You are expected to perform all operations through a middle tier server such a WCF Data Service and maintain user accounts within your database in a table with Forms Authentication etc.
For your client-server application you need VPS hosting with your own instance of SQL server where you can create server-level logins. Without creating server-level logins there is no method to secure a client-server application. Any workarounds are just pseudo-security.