I accidentally made a SQL Server user own the db_denydatareader schema. I understand that normally to remove this ownership you need to transfer it to another user.
But I don't want to transfer a "deny" schema to another user. Also I understand you can create a bogus user and transfer it but then you can't delete that user once it owns the schema right?
How do I get rid of this?
I think i just figured it out. The schema by default owns itself. so you can just go to properties of the schema and put the schema owner back to itself.
Related
The problem is our user cannot be granted permission to VIEW ANY DATABASE, nor CREATE DATABASE. So we've setup an account that is db_owner of the database and created blank database to fill.
Tested locally, above works only when we GRANT user to VIEW ANY DATABASE so won't apply in our target environment. My assumption was that EF is trying to establish whether database is already there, but since it cannot see any it'll always try to create one. Is there any way around it? Ideally - is there a setting that will tell EF that DB is there and there's no need to look for it?
This is a bug in EF6. The code makes the incorrect assumption that db_id('dbname') works without VIEW ANY DATABASE. It only works if the login running the query is the database owner. Not a mere member of the DB_OWNER fixed database role. I've reported it, and suggesed an improvement. But I'm not sure it will get fixed.
As a workaround just make the app user the real database owner. That won't prevent sysadmins from connecting as dbo. eg
alter authorization on database::AppDatabase to Appuser
You'll have to drop the database user before making the login the owner.
I really need some advice about adding roles at the server level and apply some permissions that will be applicable to each database on my server.
Basically I need to two roles read only and read write.
The read will have permissions to select and see any object
The write will have permissions to select/insert/delete and execute any object
I want to create a server role, then a login associated to this role (which can be a AD group) and after that for each database create a user that will inherits all permissions from the server role.
So on each database, I will have each user that belongs to the server role created, the problem is to clearly define the permissions, is not straight forward in my opinion.
What I can see, I cannot assign read or write to a role and then use it on each db, on the contrary on the General tab of the server role I have a bunch of permissions that is not clear which one to use for this purpose.
Maybe I'm doing it wrong but I want to have something at the server level and not define the same role on each db for that purpose. I'm using SQL server 2014.
The short answer is you can't.
Generally, server-level permissions are not propagated down to individual objects within databases. The only exception is a sysadmin role, which I would strongly encourage you not to use for this purpose, as you would essentially give up the control of the entire server instance to every member of it.
As a kind of a shorthand, you can use built-in database roles to save yourself a bit of trouble. For read-only access, a membership in db_datareader role is usually enough, unless you have stored procedures that return datasets which this role is supposed to be able to execute. There is also a similar role for modification, db_datawriter, but it doesn't cover the execute permission. So you will have to create a custom role for that:
create role [DataChanger] authorization [dbo];
go
alter role [db_datareader] add member [DataChanger];
go
alter role [db_datawriter] add member [DataChanger];
go
grant execute to [DataChanger];
go
-- Now you can add your members. Here is a reader
create user [Domain\MyUser1] from login [Domain\MyUser1];
go
alter role [db_datareader] add member [Domain\MyUser1];
go
-- Writer
create user [Domain\MyUser2] from login [Domain\MyUser2];
go
alter role [DataChanger] add member [Domain\MyUser2];
go
These permissions will automatically pick up newly created objects, without you having to explicitly add new permissions after every schema modification.
You will have to do this in the context of every user database that you want to manage in this way. You can probably create a SQL Agent job which will run periodically and introduce these changes in any user databases which don't have them already (for example, if a database has been restored from earlier backup, or brought from another server, or a new one was created). Also, since you can't loop through databases in static code, you will need to wrap it into a dynamic SQL and loop through sys.databases, or maybe via an undocumented sp_MSforeachdb system stored procedure. Oh, and don't forget to remove all these go statements from dynamic code, as they are not part of SQL, and are only recognised by SSMS and sqlcmd.
P.S. All that being said, I hope you are not going to manage any production databases in this manner. I don't even know where to start on how insecure this approach is.
What would be the best way to allow users to manage their own database restores from backup files? The reason I ask is because I have a user who is the db_owner for
a db. He loses access as soon as he restores the database from a backup file from another instance(of course because he does not have access on that instance), and
then someone with sa permissions has to restore his permissions. Is there anyway he can restore the backups, and then put back the db owner permission on the database that he already had?
Your best bet at this point is to create a custom stored procedure that does the following style pseudo code:
Take the database name, backup file name
Check to make sure the person requesting is the owner
Restore the database over the original
Set the owner back to the original in #2
Build in some logic to check and make sure people aren't trying to abuse it, give bad values, etc. Sign the procedure with a certificate and use a special account just for this purpose to lock down possible intruders/malicious people.
I want a user to log-in to SQL server and only see one database. This user can not be the database owner.
I have tried doing DENY VIEW ANY DATABASE TO [username]
and i would now like to GRANT to view a single database to [username]
is this possible? how do i do this?
Thank you.
edit: to clarify what i mean, i dont want the user to even see that other databases exist, not just that they cant go into the database.
thanks!
I assume you are talking about SQL Server Management Studio here. In short, if you are unable to grant DBO to the user (which is perfectly understandable) then there is NOT currently a way to accomplish what you want.
You've gotten as close as you'll get by issuing
DENY VIEW ANY DATABASE TO <customerlogin>
effectively hiding all databases from the user. Without making the user a DBO there is no way to open view ability back up to only one. This is not a feature that has ever been added per Mike Hotek well known SQL Expert.
You can see a much longer and more detailed discussion regarding this desire on this MSDN thread.
http://social.msdn.microsoft.com/Forums/en/sqlsecurity/thread/a989ca87-660d-41c4-9dac-70b29a83ddfb
After you deny view to any database to a specific user:
DENY VIEW ANY DATABASE TO <customerlogin>
If you make this user a db_owner for the specific database:
USE <customdatabase>
exec SP_changedbowner <customerlogin>
It will only be able to see and use the chosen database.
More details:
https://www.mssqltips.com/sqlservertip/2995/how-to-hide-sql-server-user-databases-in-sql-server-management-studio/
Here is the scenario. I have a SQL Server 2005 production database/server. It currently has developers and supporters who can connect to it. I need to create a security module that gives developers read-only access to all areas of the database. This means that a developer should be able to view all objects as well as scheduled activities/jobs only.
Is it possible to enable security in this way and if so can I be gently guided on how to achieve this. I am learning to be a DBA and creating snapshots of the databases are not an option.
Thank you all in advance.
There is permission to every object.
Create a stored procedure that grant each gruop the exact permission you need on the objects you need to protect.
I'm not quite sure I follow where this "security module" will be in the architecture. Anyhow, here's one possibility that secures it from the database end.
I'm going to assume you already have users created.
Create a new role (yourdb > security > roles > new database role), say "ReadOnlyDevelopers". Make the owner dbo or whatever makes sense. Do not select any schemas to be owned by the role. Populate the "Role Members" with your developers.
Next, open the properties page on your database. Go to the permissions page. Click Add... and add the new role. Under the permissions grid at the bottom, Grant SELECT to the role.
Now assuming your developers already belong to some other role, you'll need to go into the user properties and under Database Role Membership restrict them to just the new role. At this point they should be able to just read
I'm guessing that I'm missing a detail or two (the role may need to be grated a few additional rights to "see" the database, alter passwords, etc.) but I can't get to that level of detail without setting up the entire scenario. Hopefully this pushes you in the right direction.