I try to give a user on SQL Server 2016 Express the permission to create tables in his schema, but he can do what he wants. And I don't know why he is unable to do this.
This is the server role:
And this is the Schema role:
This is the database role:
(I only checked "CREATE TABLE")
And this is the user:
So why can the user do INSERT, DELET, UPDATE - Statments and so on? From where did he get the permission?
I hope someone can help me?
If you already have a schema, you can grant CONTROL permissions to the user:
grant control on schema :: testschema to TestUser
You can change ownership of the schema with
alter authorization on schema::testsch to TestUser
Be aware that you can't limit CREATE TABLE permissions to just a schema, so it has to be granted at the database level, but if you don't give the user permissions in the other schemas, they can't create tables in them.
This thread, particularly Rick Byham's answer, is the source of most of this.
In my case the anwser is that a owner of Schema have all permissions to this Schema so he can do INSERT, DELETE, UPDATE Statments and so on.
Related
I want that a user can create a database, but when I execute this:
GRANT CREATE DATABASE TO rmedrano
I get this error:
CREATE DATABASE permission can only be granted in the master database.
How can I do this?
Members of the dbcreator fixed server role can create, alter, drop,
and restore any database.
https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles?redirectedfrom=MSDN&view=sql-server-ver15
I tried REVOKE ALL ON DATABASE ABC FROM ROLE XYZ under ACCOUNTADMIN and got a success message.
When I switch to role XYZ I still see the ABC database but it appears empty. The database is also still in the list when running show databases under this role.
How do I make it so that this role cannot see the database at all?
By the way, this issue prevents our Mode connection to Snowflake from listing the available tables in the UI.
Create two databases : db1 and db2, for example, using the ACCOUNTADMIN role:
create database db1;
create database db2;
Then create two roles,one for database db1 and another for database db2
create role db1;
create role db2;
Now, grant usage on database db1 to role db1, similarly with role db2.
grant usage on database db1 to role db1;
grant usage on database db2 to role db2;
When you switch to role db2, you wont see db1 database and vice versa.
Also, when you run :
show databases;
say, while you set your role to db1,
you will not see database db2 in the result.
Hope this helps.
In my case, I also had usage monitoring and thus had to do revoke MONITOR USAGE on account from role XYZ. I suspect this is a very corner case not affecting many people. :(
I have a question about security in SQL Server.
Is it possible to create a login with only authorization to attach or detach databases?
I don't want it as sysadmin.
If you check the documentation, you will see that for attaching a database we need:
Requires CREATE DATABASE, CREATE ANY DATABASE, or ALTER ANY DATABASE
permission.
and for detaching:
Requires membership in the db_owner fixed database role.
If you check the security hierarchy and download the Chart of SQL Server Permissions, you can check what other permission a user will have if he has any of the above permissions.
For example, if he has ALTER ANY DATABASE:
Basically, these rights are on the top of the security hierarchy and if you allow a user the ability to attach database, ze will be able to do other operations overt it, too.
If you don't want to make the user member of sysadmin role, that's OK. You can make the user member of dbcreator role:
What is the minimal permission needed on a sql server user/login for it to be able to run entity framework code first database migrations?
I naively would have thought that a user with the roles db_datareader, db_datawriter, Grant Alter on the Schema and Grant Create Table would be permissive enough.
On-Prem: SQL server with AD/sql login
you need the following permissions on the database.
[db_datareader]
[db_datawriter]
[db_ddladmin]
For full control over database use
[db_owner]
Azure Could: Azure SQL with ADD (Edit)
Please add [dbmanager] to master and user database.
Clearly it depends on what your migrations are/(will be) doing. For my use case, I ended up creating a shema, and restricting the user that the migration uses to the permissions below.
GRANT ALTER, INSERT, SELECT, DELETE, UPDATE, REFERENCES ON SCHEMA::schema_name TO migration_user
GRANT CREATE TABLE TO migration_user
I am a complete SQL Server newbie but I have experience with Oracle and MySQL. I am using SQL Server Management Studio.
I have an existing database that I want to create views from but I want those views to reside in another database (schema?) which will be accessible by a separate user account that can connect via JDBC.
I can create the database easily enough, right click "Databases" and select "New Database". From there I am lost.
1) How do I grant select/update/delete permissions (to create and update views) on one database to the new database?
2) How do I create a new user?
3) How do I grant permissions for users?
Thanks in advance.
Like Martin said you need a new schema not a database.
CREATE SCHEMA [SchemaName] AUTHORIZATION dbo;
Create your Views under the new schema name then,
CREATE LOGIN [LoginName] {FROM WINDOWS} (If you are using an AD Group)
USE [DatabaseName];
CREATE USER [LoginName/Username]; (They can be the same)
GRANT EXECUTE, SELECT, INSERT, DELETE, VIEW DEFINITION ON Schema::[NewSchemaName] TO [LoginName/Username];
If you want to have a Role the create the role under the database and make the UserName a member of the Role and grant the permissions to the role.