I am the database owner on my Azure Database and I confirmed that using SELECT IS_MEMBER('db_owner') (returns 1)
When I try to run the command:
ALTER DATABASE [db] MODIFY (EDITION = 'standard', SERVICE_OBJECTIVE = 'S3');
it gives me the error as follows:
User does not have permission to alter database 'db', the database does not exist, or the database is not in a state that allows access checks.
So I tried to grant myself the alter permissions on the database:
GRANT ALTER ON DATABASE:: db TO [USER_NAME]
Cannot grant, deny, or revoke permissions to sa, dbo, entity owner, information_schema, sys, or yourself.
I dont know why I cant change the Azure Edition through script. I have done this through the Azure dashboard portal and it works just fine. But not through SSMS. Am I doing something wrong?
Go look at the documentation. Just because you are owner does not mean you can alter the database.
https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-database-azure-sql-database
Related
I want that a user can create a database, but when I execute this:
GRANT CREATE DATABASE TO rmedrano
I get this error:
CREATE DATABASE permission can only be granted in the master database.
How can I do this?
Members of the dbcreator fixed server role can create, alter, drop,
and restore any database.
https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles?redirectedfrom=MSDN&view=sql-server-ver15
I have restored a SQL Server 2019 database from a .BAK file to a Google Cloud SQL instance.
I can connect to the instance using Visual Studio SQL Connection. I issue the following command to check the database owner, which should be: mydb_adm
USE master;
SELECT suser_sname(owner_sid) AS 'DB Owner' FROM sys.databases WHERE name = 'mydb';
DB Owner
--------
sqlserver
The above is expected, as the restore was done while using the sqlserver account which is the default user created when the SQL instance is provisioned by Google Cloud (according to the docs).
So, I need to change the DB owner; I execute the following command:
USE mydb
EXEC sp_changedbowner 'mydb_adm'
The system displays the following error message:
Msg 15151, Level 16, State 1, Line 1
Cannot find the principal 'mydb_adm', because it does not exist or you do not have permission.
The same message is displayed for:
ALTER AUTHORIZATION ON DATABASE::mydb TO mydb_adm;
However, the "mydb_adm" principal DOES exist, i.e.:
SELECT name, sid FROM sys.server_principals WHERE name = 'mydb_adm';
name sid
---- ---
mydb_adm 0xD81398C7DB0D724BB2738A2EC59BB554
.. so it must be a permission problem with the sqlserver account. When I query the DB, it appears the "sqlserver" user does NOT have ALTER permissions, i.e.:
UserName Permission Type Permission State
-------- --------------- ----------------
sqlserver ALTER DENY
... So how can I change the database owner or issue any ALTER commands using the "sqlserver" account? (There seems to be no way to grant the ALTER permission to the sqlserver user).
Any help / advice would be appreciated.
Thank-you to #DanGuzman for providing a "work-around", i.e.: while connected to the SQL instance using the "sqlserver" user, the following commands were used:
USE mydb;
CREATE USER mydb_adm;
ALTER ROLE db_owner ADD member mydb_adm;
After some additional digging, I also found the following in the Google Cloud docs at https://cloud.google.com/sql/docs/sqlserver/users, which states:
Cloud SQL for SQL Server is a managed service, so it restricts access
to certain system stored procedures and tables that require advanced
privileges. In Cloud SQL, you cannot create or have access to users
with superuser permissions.
Note: The sysadmin role is not supported. Therefore, you cannot run
system stored procedures that require the sysadmin role. As one of
the many examples, you cannot run the sp_OADestroy stored procedure
because it requires the sysadmin role.
As well as the following from the SQL Server docs at https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-authorization-transact-sql?view=sql-server-ver15#remarks, which state:
Requirements for the person executing the ALTER AUTHORIZATION
statement: If you are not a member of the sysadmin fixed server role,
you must have at least TAKE OWNERSHIP permission on the database, and
must have IMPERSONATE permission on the new owner login.
hence, commands such as EXEC sp_changedbowner ... or ALTER AUTHORIZATION ON DATABASE:: ... will raise the error (Msg 15151, ... you do not have permission.)
Hope that helps anyone else that may run into this type of issue.
I'm trying to set Azure SQL database to RESTRICTED_USER mode and facing the odd error I was unable to figure out myself.
Msg 5011, Level 14, State 2, Line 1
User does not have permission to alter database 'YourDB', the database does not exist, or the database is not in a state that allows access checks.
According to the documentation membership in database db_owner role should be enough. User is also given ALTER DATABASE permission.
RESTRICTED_USER allows for only members of the db_owner fixed database
role and dbcreator and sysadmin fixed server roles to connect to the
database, but does not limit their number. All connections to the
database are disconnected in the timeframe specified by the
termination clause of the ALTER DATABASE statement. After the database
has transitioned to the RESTRICTED_USER state, connection attempts by
unqualified users are refused.
https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-database-transact-sql-set-options
What else is needed to make database RESTRICTED_USER?
Code to reproduce:
CREATE LOGIN YourLogin WITH PASSWORD = 'password'
GO
-- USE YourDB;
-- switch to YourDB here, Azure SQL does not support USE statement
CREATE USER YourUser
FOR LOGIN YourLogin
WITH DEFAULT_SCHEMA = dbo
GRANT ALTER TO YourDB
EXEC sp_addrolemember N'db_owner', N'YourUser'
Then, the following statement fails.
ALTER DATABASE YourDB SET RESTRICTED_USER;
I tried to Repro the issue and only sysadmin could change the database state to restricted_user.
Also you have mentioned that documentation states membership in database db_owner role should be enough
But documentation states ,the roles which can make connection to the database ,when database is set to restricted_user mode
RESTRICTED_USER allows for only members of the db_owner fixed database role and dbcreator and sysadmin fixed server roles to connect to the database, but does not limit their number
In summary ,users having above said roles will be able to connect to database ,when it is set to restricted user,it doesn't state,that dbmanager can change the state of database to restricted user
I'm a newbie on SQL, I'd like to know how to grant select and other permissions to a specify user in Azure Sql Server.
I'm trying to use AUMC to do this, I've created a new login as well as a new user test and grant all permissions I can select on AUMC. (for master database, I've assigned roles loginmanager and dbmanager to test, for other database, I've assigned permissions db_owner, db_securityadmin, db_accessadmin, db_backupoperator, db_ddladmin, db_datawriter, db_datareader, db_denydatawriter, db_denydatareader to test).
After the setting, I'm trying to login to the Azure SQL Server via ssms. The login is success, but I cannot find any tables on the database except the System Tables.
And when I execute SELECT TOP 1 * FROM <a_table>, it returns The SELECT permission was denied on the object <a_table>, database <the database>, schema dbo.
The problem is likely that you are adding your test user to the db_denydatawriter and db_denydatareader roles. These roles prevent the user from reading or writing in the database, overriding the permissions granted by other roles like db_datawriter and db_datareader. Try removing your user from these two 'deny' roles.
For more information on the various database-level roles, see: https://msdn.microsoft.com/en-us/library/ms189121.aspx
What is the minimal permission needed on a sql server user/login for it to be able to run entity framework code first database migrations?
I naively would have thought that a user with the roles db_datareader, db_datawriter, Grant Alter on the Schema and Grant Create Table would be permissive enough.
On-Prem: SQL server with AD/sql login
you need the following permissions on the database.
[db_datareader]
[db_datawriter]
[db_ddladmin]
For full control over database use
[db_owner]
Azure Could: Azure SQL with ADD (Edit)
Please add [dbmanager] to master and user database.
Clearly it depends on what your migrations are/(will be) doing. For my use case, I ended up creating a shema, and restricting the user that the migration uses to the permissions below.
GRANT ALTER, INSERT, SELECT, DELETE, UPDATE, REFERENCES ON SCHEMA::schema_name TO migration_user
GRANT CREATE TABLE TO migration_user