I want to create new user using admin user, however, get error doesn't have permission which probably no sysadmin roles due limitation from aws
so is there another way to create new user using my admin user?
Your account should be in securityadmin group. When you want to create new user.
Related
I am orgadmin for my organization and wanted to create new user for one of the snowflake account. In primary URL i can create new user and role but how can be created for another account under organization umbrella?
Find the URL for the account you want to create the user.
Once you log in, you have to create the user in that account.
At first there is no authentication in mongodb, so I created one for one database with readWrite role.
Now I want to create more users for other databases but as this user doesn't have the privileges to create other users I'm stuck.
The documentation clearly says:
With access control enabled, ensure you have a user with userAdmin or userAdminAnyDatabase role in the admin database. This user can administrate user and roles such as: create users, grant or revoke roles from users, and create or modify customs roles.
If you haven't created such user, you cannot create it now with authentication and access rights enabled. I gues you need to restart the MongoDB server without authentication enabled, create that admin user, and restart the MongoDB server again with authentication enabled.
I highly recommend you read to complete documentation how to enable authentication first to understand the complete concept, before you follow it step by step. Otherwise it might be confusing and creating such state you are currently locked in and cannot continue with all actions.
I am using Azure SQL database with sharding (single tenant approach). So, when the application connects to DB it goes into Shard and creates a proper connection to the tenant's DB (tenant is identified by login name).
However, we've been using a server admin credentials for that on a development stage.
Now, I'd like to create a separate application user with much more limited permissions compared to server admin.
In a very general case, what I want is to have a user that can connect to the Shard Map and figure out a connection string to any of the Shards, but have different permissions for each of the shards. For example, some application user may need to be able to connect to DB_1 with full read-write permissions, to DB_2 with read-only permissions and no permissions to connect to DB_3.
In a simpler case I just need a user that doesn't have any update permissions to ShardMap and other internal databases, but has a normal read/write/execute access to all tenant databases(shards).
I was googling around and din't find any good recipe how to do that, what are the best practices, etc.
I'd appreciate if someone could answer me or point to a docs.
Thank yuo!
In each database create a role for the Application Users, and grant the minimal permissions needed for the application to run. Granting permissions on the Schema level is a good choice here, as you don't have to manage object-level permissions.
create role ApplicationUsers;
grant select, insert, update, delete, execute on schema::dbo to ApplicationUsers;
Then if you want a single identity to access all the databases, create a login with a password. Then in each Tenant database create a user mapped to that login.
--create a server-level Login
create login AppUser with Password ='asdfAds01980(*)(*)(#&$)##';
--add a user mapped to that login in each database
create user AppUser for login AppUser;
alter role ApplicationUsres add member AppUser;
Or create a user in each database with a different password or a database user mapped to an Azure Active Directory identity.
create user AppUser with Password ='asdfAds01980(*)(*)(#&$)##';
alter role ApplicationUsers add member AppUser;
or
create user [tenant123user#mydomain.onmicrosoft.com] from external provider;
alter role ApplicationUsers add member [tenant123user#mydomain.onmicrosoft.com];
I've recently created a App Service + SQL in my Azure account and I want to give access to some external user, maybe using SQL authentication with username and password. I know I must allow this user IP, but I cannot find where I can create credentials or a new user for him.
I've tried creating a new login and user using SQL statements but I can't access master database.
Is what I'm trying to do possible?
Thanks
There's no need to grant users access to Master. Instead connect to the target database as an administrator and simply add the user using CREATE USER
CREATE USER SomeUserName WITH PASSWORD = 'somestrongpassword123'
See generally Controlling and granting database access
For my application I decided that every user that is created via application and that is added to the database table Users is automatically added as a server login and database User. I figured out that it would help me keep track of logs allow me to and use Sql password policies (like password expiration).
I can insert a row into Users table with no problem and login, user and schema is added to the server/database via trigger. When I log in as a created user, I can then select, modify, delete data and create additional logins/users.
I decided to use Application role to allow all the users to have the same permissions. It works okay, but using Application role I cannot add new logins/users, I cannot reset or change their passwords either. Sql displays
User does not have permission to perform this action.
When I create new connection and not set application role, all users can create new users/logins etc.
As I'm new to Sql security, how do I grant those permissions not to users, but to the application role?
I would be very grateful for your help.