I need a working example on how to assign a fixed server role to a user in Azure SQL database. It seems I can't even access Roles collection:
$DBServerBulkRole = $DBServer.Roles | where {$_.Name -eq 'bulkadmin'};
$DBServerBulkRole.AddMember($DBLoginName);
This generates
The following exception occurred while trying to enumerate the collection: "Operation not supported on version 12.0.600 SqlAzureDatabase."
https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-addrolemember-transact-sql
This states: "This feature will be removed in a future version of Microsoft SQL Server. Avoid using this feature in new development work, and plan to modify applications that currently use this feature. Use ALTER ROLE instead."
I recommend you basically rewrite a function in PowerShell to perform the same call but utilizing the ALTER ROLE command. This should resolve your problem. Azure's implementation of SQL is slightly different and there are certain commands that are not available. Also, as seen in the documentation, I believe this is now a deprecated procedure.
-- Syntax for SQL Server (starting with 2012) and Azure SQL Database
ALTER ROLE role_name
{
ADD MEMBER database_principal
| DROP MEMBER database_principal
| WITH NAME = new_name
}
[;]
From:
https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-role-transact-sql
Hope this helps!
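An idempotent form of the ALTER ROLE call recommended above, added here as an example and not taken from the original answer. The user name app_loader and the role db_datawriter are hypothetical placeholders, and the batch is assumed to run while connected to the target user database.

```sql
-- Added example: hypothetical names, replace with your own user and role.
DECLARE @member sysname = N'app_loader';      -- existing database user (assumed)
DECLARE @role   sysname = N'db_datawriter';   -- database role to assign (assumed)
DECLARE @sql    nvarchar(400);

-- Stop early if either principal is missing from this database.
IF DATABASE_PRINCIPAL_ID(@member) IS NULL OR DATABASE_PRINCIPAL_ID(@role) IS NULL
BEGIN
    RAISERROR(N'User %s or role %s not found in this database.', 16, 1, @member, @role);
    RETURN;
END

-- Add the member only when it is not already in the role.
IF IS_ROLEMEMBER(@role, @member) = 0
BEGIN
    -- ALTER ROLE takes identifiers, not variables, so build the statement
    -- dynamically and quote both names with QUOTENAME.
    SET @sql = N'ALTER ROLE ' + QUOTENAME(@role)
             + N' ADD MEMBER ' + QUOTENAME(@member) + N';';
    EXEC sys.sp_executesql @sql;
END

-- Confirm the membership from the catalog instead of relying on the absence of an error.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name = @role AND m.name = @member;
```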
Related
I'm doing some ETL, using the standard "Pre-Load" partition pattern: Load the data into a dated partition of a loading table, then SWITCH that partition into the live table.
I found these options for the SWITCH command:
ALTER TABLE [myLoadingTable] SWITCH PARTITION @partNum TO [myLiveTable] PARTITION @partNum -- Move the New Data in.
WITH ( WAIT_AT_LOW_PRIORITY ( MAX_DURATION = 1 MINUTES, ABORT_AFTER_WAIT = BLOCKERS ))
Those options seem like valuable things to define (even if they wouldn't be needed during normal operation).
Unfortunately, when I try to run that, I get:
Sql error number: 11423.
Error Message: User does not have permission to use the ABORT_AFTER_WAIT = BLOCKERS option.
Further reading confirms that this is appropriate: (link)
BLOCKERS
Kill all user transactions that currently block the SWITCH or online index rebuild DDL operation so that the operation can continue.
Requires ALTER ANY CONNECTION permission.
But when I try to GRANT the relevant user that permission I get an error:
GRANT ALTER ANY CONNECTION TO [myAdfUser]
Securable class 'server' not supported in this version of SQL Server.
I'm using (AFAIK) a normal Azure SQL Server database.
Is there any work around for this? Or is it just not possible for me to use these options on this Database?
Looks like the question was solved by @Larnu's comment, just add it as an answer to close the question.
If you are using Azure SQL Database, then what the error is telling you is true. Azure SQL Databases are what are known as Partially Contained databases; things like their USER objects have their own Password and the LOGIN objects on the server aren't used for connections. The CONNECTION permission is a server level permission, and thus not supported in Azure SQL Databases.
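A variant of the SWITCH statement from the question that avoids the permission problem, added here as an example and not part of the original thread. It uses ABORT_AFTER_WAIT = SELF, which abandons the SWITCH itself when MAX_DURATION expires instead of killing the blocking sessions, and so does not depend on ALTER ANY CONNECTION. The partition number, retry count and delay are constructed values, and whether giving up and retrying is acceptable for the load is an assumption.

```sql
-- Added example: constructed values, adjust to your own load process.
DECLARE @partNum int = 3;         -- constructed partition number
DECLARE @attempt int = 1;
DECLARE @msg     nvarchar(2048);

WHILE @attempt <= 3
BEGIN
    BEGIN TRY
        ALTER TABLE [myLoadingTable] SWITCH PARTITION @partNum
            TO [myLiveTable] PARTITION @partNum
            WITH (WAIT_AT_LOW_PRIORITY (MAX_DURATION = 1 MINUTES,
                                        ABORT_AFTER_WAIT = SELF));
        BREAK;                    -- switch succeeded
    END TRY
    BEGIN CATCH
        IF @attempt >= 3
        BEGIN
            -- Out of retries: surface the last error to the caller.
            SET @msg = ERROR_MESSAGE();
            RAISERROR(N'SWITCH gave up after 3 attempts: %s', 16, 1, @msg);
            BREAK;
        END
        SET @attempt += 1;
        WAITFOR DELAY '00:00:30'; -- let the blocking sessions finish
    END CATCH
END
```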
We are in the process of moving a database from on-premise into Azure SQL. The software that will consume this database has a database username and password hard coded, so we are unable to change it. Unfortunately the hard coded password does not meet the password policy for Azure SQL.
I have looked around and found the CHECK_POLICY option I can add to the query, however I receive an error telling me that option is not supported in this version of SQL.
Keyword or statement option 'check_policy' is not supported in this version of SQL Server.
I am also unable to find any documentation that specifically says "You cannot change the password policy in Azure SQL" - Does anyone know how I can either disable the password policy, or find documentation stating that we are unable to do so?
Azure SQL Database doesn't support CHECK_POLICY, so you cannot set CHECK_POLICY = ON or OFF.
For more details, please see: Syntax for Azure SQL Database and Azure SQL Data Warehouse:
ALTER LOGIN login_name
{
<status_option>
| WITH <set_option> [ ,...n ]
}
[;]
<status_option> ::=
ENABLE | DISABLE
<set_option> ::=
PASSWORD ='password'
[
OLD_PASSWORD ='oldpassword'
]
| NAME = login_name
Only local SQL Server and Azure SQL Managed Instance support setting CHECK_POLICY.
You also can get this from Password Policy.
SQL Database enforces password complexity. The password expiration and policy enforcement sections do not apply to SQL Database.
Hope this helps.
I need to create a script that will go through and list the logins that have no server-wide privs AND have no access to databases.
I have a lot of logins that were generated on my SQL Server 2005 instance and are no longer used. I want to quickly find and delete these logins.
Thanks,
Niko
Re-phrased my question and got a response:
Is there a SQL Server Utility that generates a big list of all Server Logins and an overview of their access?
The script provided can be used to compare to the list of Server Logins, and then if a Login does not appear in the results it should be investigated for deletion.
In my personal opinion, this is not something that should be done quickly. It is also nothing that I would trust a script to do. I would analyze each account, and I would make sure myself that the account does not have any permissions. I'd manually delete them and document the accounts that were removed.
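A query that produces the candidate list asked for in this thread, added here as an example and not taken from any of the posts. It only reports logins and deletes nothing, which leaves the account-by-account review recommended above to the administrator. It assumes the caller is a sysadmin so that every online database can be read.

```sql
-- Added example: lists candidates for review, it does not drop any login.
SET NOCOUNT ON;

CREATE TABLE #mapped (sid varbinary(85) NOT NULL, db sysname NOT NULL);

DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Collect the SID of every user in this database that can map to a login.
    SET @sql = N'INSERT INTO #mapped (sid, db)
                 SELECT sid, ' + QUOTENAME(@db, '''') + N'
                 FROM ' + QUOTENAME(@db) + N'.sys.database_principals
                 WHERE sid IS NOT NULL AND type IN (''S'', ''U'', ''G'');';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

-- Logins with no server role, no server permission beyond CONNECT SQL,
-- and no mapped user in any online database.
SELECT sp.name, sp.type_desc, sp.create_date, sp.is_disabled
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U', 'G')           -- SQL login, Windows login, Windows group
  AND sp.name NOT LIKE '##%'               -- internal certificate-based logins
  AND NOT EXISTS (SELECT 1 FROM sys.server_role_members AS rm
                  WHERE rm.member_principal_id = sp.principal_id)
  AND NOT EXISTS (SELECT 1 FROM sys.server_permissions AS pe
                  WHERE pe.grantee_principal_id = sp.principal_id
                    AND pe.state IN ('G', 'W')
                    AND pe.type <> 'COSQ')  -- ignore plain CONNECT SQL
  AND NOT EXISTS (SELECT 1 FROM #mapped AS m WHERE m.sid = sp.sid)
ORDER BY sp.name;

DROP TABLE #mapped;
```

A login on this list can still matter: a Windows user may get access through a Windows group login, and a login may own jobs or other objects, so check those before removing anything.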
I'm logging in to create a new database from CMD through sqlcmd with SA account. Its response is a message: CREATE DATABASE permission denied in database 'master'.
I'm using Windows server 2003 and SQL 2008. Please help me. Thanks in advance.
It doesn't sound like you're actually using the sa account, or else perhaps you haven't set up your service account properly using SQL config mgr. If you used Computer Manager | Services, then the service might not have permission to create the database files.
...Run As Administrator should do the trick.
Typically the user you're using to run the SQL Server service will not have access to certain folders, which is likely why you're getting this error.
Consider one of these alternatives:
change the credentials used for the service (ick!)
use runas /u:... or Run as...
add permission for the service to access those folders
move the database to a location that the service can access
I would check whether the user you are using indeed has CREATE DATABASE permission though. You can check what server roles it belongs to, because it seems it is not a sysadmin role.
You can use this query for example.
-- List each login together with the server role it is a member of.
select suser_name(member_principal_id) [login ...],
suser_name(role_principal_id) [... belongs to]
from sys.server_role_members
Regards
Piotr
I recently did an import of a database from a SQL Server 2000 database to a SQL Server 2005 database. I've gone through and set up what I thought were the same login credentials and owner permissions that I had previously set up in my old database.
All of the code base I'm working on has stored procedures listed simply by stored procedure name.
In order to make sure I have the proper logins created, I am logging into the SQL Server Management Studio with the connection information my application is using (i.e. using the username "licensemgr" and its associated password). I can see all the tables, stored procedures, etc... in my database when I log in with this combination. When I try to run a stored procedure, SQL Server Management Studio uses the following syntax to execute it:
EXEC @return_value = [licensemgr].[Stored_Procedure_Name]
and it executes without error.
If I try to remove the [licensemgr]. from before the [Stored_Procedure_Name], however I get the error "Cannot find stored procedure: Stored_Procedure_Name". This is the same error I get when running my application off this database. I changed one stored procedure call in my application to have "licensemgr." in front of the stored procedure name and that seemed to correct the problem, however, I don't want to do that for each and every stored procedure call in my application. I am therefore wondering what type of setup / permissions type issue I might be missing in my SQL Server instance so that even when I'm logged into the database as licensemgr, I cannot see the stored procedure which is in the schema "licensemgr".
In SQL Server 2000 the [licensemgr] referred to the owner of the table. So when you are logged in as [licensemgr] you do not need the prefix.
In SQL Server 2005 this has been changed to the schema, therefore it must be specified. See:
http://msdn.microsoft.com/en-us/library/ms190387.aspx
EDIT
There are two things that you need to watch out for:
If the user is in the sysadmin role, he will always default to the dbo schema, therefore you need to prefix
If your user needs to run code that is in different schemas you will need to prefix
If neither of the two above applies, it should work by setting the default schema for the user.
When you created your user, did you specify DEFAULT_SCHEMA?
CREATE USER ... WITH DEFAULT_SCHEMA = "licensemgr"
If not, you may need to use ALTER USER to fix this for your user in the new system.