In SQL Server MNGT Studio 2012, we have a database to which we only want to grant a specific user read-only access.
So I (being an admin) log in to the server. For argument's sake, the database name is SQLSERVER01.
Then once logged in I see Databases, Security, Server Objects, Replication, Management, and SQL Server Agent. I go into the Security tab and go to Logins. The user that we want to give read-only access to already has a login. So I double click on their login. I go to User Mapping. Find the database that I want to give them read-only access to. I click the checkbox next to the database name, and below I give the user db_datareader and public.
So, I call the user and they're able to see the tables within the database, but if they were to right-click on a table name, they can still see the option that says Edit Top 200 Rows, and click it and see the editing GUI for that table. Now I didn't test out entering data to see if they could actually edit or add data, because it's too risky.
So my question is, did I give this user the right access? If so, how do I grey out the option to 'Edit Top 200 Rows'? If not, what do I need to do?
Any help is appreciated.
SSMS does not query permissions to determine a user's capabilities or UI options. For example, you may not have DDL modification privileges, but it will let you attempt to script alter/create statements. You can't take away the edit rows option, but if they don't have the permission then the commit will fail when they try to move focus off the row they have edited.
If you want to see the effective permission you can use this function to view the resulting layers of grant/denies:
https://learn.microsoft.com/en-us/sql/relational-databases/system-functions/sys-fn-my-permissions-transact-sql
Generally, make sure the user's login has minimal permissions, then use roles at the DB level that have been previously reviewed/tested.
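One way to check the answer above rather than test it by hand in the grid, as an added T-SQL example that is not part of the original thread: impersonate a db_datareader member, read its effective permissions with sys.fn_my_permissions, and attempt the UPDATE that "Edit Top 200 Rows" would issue on commit. The database name SQLSERVER01 comes from the question; the table dbo.Customers and the probe user ro_probe are constructed for the example.

```sql
-- Added example (not from the original thread): verify that a db_datareader
-- member really is read-only. Assumptions: database SQLSERVER01 (from the
-- question), table dbo.Customers and user ro_probe (constructed here).
USE SQLSERVER01;
GO
-- A user WITHOUT LOGIN can be impersonated inside this database only,
-- so no server-level login is created just for the check.
CREATE USER ro_probe WITHOUT LOGIN;
ALTER ROLE db_datareader ADD MEMBER ro_probe;
GO
EXECUTE AS USER = 'ro_probe';

-- 1. Effective permissions on one table: a read-only user gets SELECT only.
SELECT permission_name
FROM sys.fn_my_permissions('dbo.Customers', 'OBJECT')
WHERE subentity_name = '';   -- table-level rows, not column-level ones

-- 2. The statement the grid editor sends when focus leaves an edited row.
--    For a db_datareader-only user this raises error 229 (permission denied)
--    even though the WHERE clause matches no rows.
BEGIN TRY
    BEGIN TRANSACTION;
    UPDATE dbo.Customers SET Name = Name WHERE 1 = 0;
    ROLLBACK TRANSACTION;   -- not reached for a genuinely read-only user
    SELECT 'WRITE ALLOWED - review this user''s role membership' AS result;
END TRY
BEGIN CATCH
    IF @@TRANCOUNT > 0 ROLLBACK TRANSACTION;
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;

REVERT;
GO
-- 3. Role membership of every principal in this database, for periodic review.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

DROP USER ro_probe;
GO
```

Run it as the admin who did the user mapping; step 2 is the evidence that the menu option is only cosmetic, and step 3 is the list worth keeping in the change record.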
What harm can a user with GRANT SELECT ON database.dbo.view TO User access do? The user can see the Security folder in SSMS, roles, and can also see the master database, roles, etc. Is there a way we can restrict the user so they cannot see or modify any security roles/groups but can only see a view?
Many Thanks!
In SSMS, a new user will not see the database tables/views without proper roles/permissions granted to them, but they can see database objects like Security, Users, Schemas or Roles; however, they still cannot perform any actions on them if they don't have the proper permissions. As an example, if you created a new user and granted SELECT on a single view, that user will only be able to select from the view and will not be able to do anything else to it, like altering/deleting the view. Likewise, the same user can see the security objects but cannot make any changes to them.
We can hide the databases from a user in SSMS with the statement below, but this is going to hide all the databases (even the database in which the user has access to see the view).
DENY VIEW ANY DATABASE TO <login name>
Suppose I have a login metamanager\test which shows when I execute T-SQL, but it is not there when I expand Security -> Login in SSMS.
Same with a database user.
I tried to replicate it but failed:
use master
select * from sys.syslogins is used for login
use DB
select * from sys.sysusers is used for database user
A LOGIN and a USER are completely different objects.
A LOGIN is a server object, and appears in sys.syslogins, as you see.
A USER is a database object, and for a LOGIN to have access to a database, it needs to have a USER mapped to the LOGIN in that database. A LOGIN with no mapped logins in any databases, and without any server-level roles, will be unable to access any of the databases on the instance, apart from those that the public role has in tempdb and master.
It appears, here, you need to create the user in the database, and then give it the appropriate permissions. You can create the USER with the following:
USE {YourDatabase};
GO
CREATE USER [metamanager\test] FOR LOGIN [metamanager\test];   -- bracket-quote the Windows name; single quotes are a string literal here
You'll need to give it the appropriate permissions afterwards.
Also, after you have created the user, ensure you have refreshed your object explorer. Object explorer doesn't automatically refresh after you create an object.
Not sure if you are explaining it correctly, but syslogins and server_principals are about the same. The only difference is that server_principals includes "Roles".
As far as I know it is impossible to have something in syslogins, which does not exist in server_principals.
I am looking for a way to guarantee read and write permissions to my database to another user in my network.
I know Microsoft SQL Server Management lets me add users by right clicking on the user section and filling in this form.
Still, I am not sure what my Login name should be. For example, If I want to guarantee permission to the Administrator of a computer named GOR-PC, what should I enter?
Many Thanks.
You should use GOR-PC\Administrator.
However, adding local users to your SQL Server is generally a bad idea.
Ideally, you should use Active Directory users (in the form DomainName\UserName). This guarantees that the permissions you grant are independent of the existence of a PC or server.
First you should create a user or group for the administrator at the server level, which is under the general "Security" tab below the databases: Security->Login->create.
After that you can use the same login name you just created under the specific database, browse for the user, and then give the user read and write permission.
Hope that helps.
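The two answers above (login versus user, and creating a login for a machine account) in script form, as an added T-SQL example that is not part of the original thread. It creates the server-level LOGIN, the database-level USER mapped to it, grants read/write through the built-in roles, and then runs the catalog queries that show the difference between the two objects, including the "roles" difference between sys.syslogins and sys.server_principals and a check for users whose SID no longer matches any login. The account GOR-PC\Administrator comes from the question (a domain account in DomainName\UserName form is preferable, as the answer says); the database name AppDb is an assumption.

```sql
-- Added example (not from the original thread). Assumptions: the Windows
-- account GOR-PC\Administrator (from the question) and a database named AppDb.
USE master;
GO
CREATE LOGIN [GOR-PC\Administrator] FROM WINDOWS;        -- server principal
GO
USE AppDb;
GO
CREATE USER [GOR-PC\Administrator] FOR LOGIN [GOR-PC\Administrator];  -- database principal
ALTER ROLE db_datareader ADD MEMBER [GOR-PC\Administrator];
ALTER ROLE db_datawriter ADD MEMBER [GOR-PC\Administrator];
GO
-- sys.server_principals lists server roles (type 'R') as well as logins;
-- the legacy sys.syslogins view does not, which is the difference noted above.
SELECT name, type_desc
FROM sys.server_principals
WHERE type = 'R';

-- Every login that currently maps into this database, and any "orphaned"
-- user: a database user whose SID matches no server login (typical after
-- restoring the database on another instance).
SELECT dp.name AS db_user,
       sp.name AS server_login,
       CASE WHEN sp.sid IS NULL THEN 'ORPHANED' ELSE 'mapped' END AS state
FROM sys.database_principals dp
LEFT JOIN sys.server_principals sp ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G')        -- SQL user, Windows user, Windows group
  AND dp.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
ORDER BY dp.name;
```

The last query is the one to run when a login "exists in T-SQL but not in SSMS": if the user row shows ORPHANED, the login is missing or has a different SID; if no row appears at all, the USER was never created in that database.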
So, I've created a user in Plesk 11, and assigned him a role (custom role that a created for him) with only database access.
But this new user has access to all my databases, I want to restrict his access to a specific one.
How can I do this please ?
Thank you.
Unfortunately it's impossible (at least I don't know how) in the scope of one subscription (even through a direct URL); it's only possible to bind this user to one exact subscription and move all other databases into another subscription.
You can add this as feature request to https://plesk.uservoice.com/forums/184549-feature-suggestions
Roles give administrative rights to users so Plesk is doing exactly what it was told to do.
Granting administrative DB permissions however does not create a mysql user but a panel user who can manage the databases of the subscriptions you gave him access to ("all" or individually selected).
If you see all databases in phpMyAdmin you are not logged in as this user but clicked a "webadmin" link from within plesk which uses a login-token for the matching db user created for this subscription/database or even the admin (Tools & Settings-> Applications & Databases -> Database Servers -> Servername -> Databases) -> "Webadmin" in "Tools" section.
If you see all databases of all subscriptions in Plesk Panel you selected "all" in the "access subscriptions" field when creating the user.
Defining a custom role as an approach for giving access to only one database does not make sense as there is no need for administrative rights (he only could delete his database).
If your intention was to create just a mysql user for a specific database in a specific subscription open subscriber's control panel when logged in as admin user, click "databases", select tab "users", click "add new database user" and select which databases this new user should have access to. done.
Unfortunately for me it is not clear
where your user sees all the databases
if "all" really is all of them (like system dbs, too)
if "access" means control panel or mysql/phpmyadmin
However, I hope I covered all contingencies.
I want a user to log-in to SQL server and only see one database. This user can not be the database owner.
I have tried doing DENY VIEW ANY DATABASE TO [username]
and I would now like to GRANT view on a single database to [username].
Is this possible? How do I do this?
Thank you.
edit: to clarify what I mean, I don't want the user to even see that other databases exist, not just that they can't go into the database.
thanks!
I assume you are talking about SQL Server Management Studio here. In short, if you are unable to grant DBO to the user (which is perfectly understandable) then there is NOT currently a way to accomplish what you want.
You've gotten as close as you'll get by issuing
DENY VIEW ANY DATABASE TO <customerlogin>
effectively hiding all databases from the user. Without making the user a DBO there is no way to open view ability back up to only one. This is not a feature that has ever been added, per Mike Hotek, a well-known SQL expert.
You can see a much longer and more detailed discussion regarding this desire on this MSDN thread.
http://social.msdn.microsoft.com/Forums/en/sqlsecurity/thread/a989ca87-660d-41c4-9dac-70b29a83ddfb
After you deny view to any database to a specific user:
DENY VIEW ANY DATABASE TO <customerlogin>
If you make this user a db_owner for the specific database:
USE <customdatabase>
exec SP_changedbowner <customerlogin>
It will only be able to see and use the chosen database.
More details:
https://www.mssqltips.com/sqlservertip/2995/how-to-hide-sql-server-user-databases-in-sql-server-management-studio/
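The DENY VIEW ANY DATABASE approach from the earlier answer and the owner-based workaround from this one, carried through with a verification step, as an added T-SQL example that is not part of the original thread. The login and database names customerlogin and customdatabase are the placeholders used in the thread; the password is a placeholder. ALTER AUTHORIZATION ON DATABASE is the documented replacement for sp_changedbowner and has the same effect: the login becomes dbo of that database, which is full control there, so this only fits when that is acceptable.

```sql
-- Added example (not from the original thread). Assumptions: login
-- customerlogin, database customdatabase, and a placeholder password.
USE master;
GO
CREATE LOGIN customerlogin WITH PASSWORD = '<placeholder-strong-password>';
GO
-- Step 1: the login can no longer enumerate databases, in SSMS or via sys.databases.
DENY VIEW ANY DATABASE TO customerlogin;
GO
-- Step 2: make it the owner of the one database it should see.
-- If customerlogin already has a USER in customdatabase, drop that user
-- first; ALTER AUTHORIZATION refuses a new owner that is already a user there.
ALTER AUTHORIZATION ON DATABASE::customdatabase TO customerlogin;
GO
-- Verification: impersonate the login and list what it can see.
-- A login without VIEW ANY DATABASE still sees master, tempdb and the
-- databases it owns, so the expected result is exactly those three.
EXECUTE AS LOGIN = 'customerlogin';
SELECT name FROM sys.databases ORDER BY name;
REVERT;
GO
-- Audit: every login that currently has VIEW ANY DATABASE denied.
SELECT sp.name AS login_name, p.state_desc, p.permission_name
FROM sys.server_permissions p
JOIN sys.server_principals sp ON sp.principal_id = p.grantee_principal_id
WHERE p.permission_name = 'VIEW ANY DATABASE'
  AND p.state = 'D'
ORDER BY sp.name;
```

The impersonated SELECT is the check worth repeating after any change, since an added server role membership (or a later GRANT VIEW ANY DATABASE) silently undoes the hiding; the closing audit query lists who is still covered by the DENY.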