We created a database and spent time loading the data. We might have accidentally changed some permissions, and now we are not longer able to access that database from the owner account (or any other). (We are both wading through the mud here)
Is there any way to restore the revoked permissions so we can access our data, or do we need to start all over?
Well, that's all in the docs:
You can reset the assigned permissions for your DB instance by
resetting the master password. For example, if you lock yourself out
of the db_owner role on your SQL Server database, you can reset the
db_owner role password by modifying the DB instance master password.
By changing the DB instance password, you can regain access to the DB
instance, access databases using the modified password for the
db_owner, and restore privileges for the db_owner role that may have
been accidentally revoked. You can change the DB instance password by
using the Amazon RDS console, the AWS CLI command modify-db-instance,
or by using the ModifyDBInstance action. For more information about
modifying a SQL Server DB instance, see Modifying a DB Instance
Running the Microsoft SQL Server Database Engine.
Source: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Troubleshooting.html#CHAP_Troubleshooting.ResetPassword
Related
I need to create a login on a server that will have access to all databases on this server.
I have two azure servers: production and stage. I make a copy of a database from prod server on stage server. Then I need to do insert some test data in this new copied database.
The copying process is made on runbooks in azure automation account so every time I want to execute SQL script on a database I need to provide a login&password to a server.
If I create a login TestLogin on stage server and then copy database from prod server to stage, then this login does not have access to a new db. Thus, I need to login as administrator and create a TestUser in this new database for TestLogin.
This does not work for Azure:
GRANT CONTROL SERVER TO TestLogin;
Is there any way I can grant a TestLogin all rights so that it can have access to all the databases on server?
When you create a login in one instance of SQL Server and assign any roles to this user on a specific database, and then copy the database to another SQL Server instance, you have this user in the database, but no login for that user in the second SQL Server. This is also called an "orphaned user". Here is an article that describes how to fix that.
This does not work on Azure. You have to use ALTER USER instead.
As you said in comment, you must login with admin, then you have the permission to alter the new user in master DB, set the user as DB manager or db_owner.
If you only create new login or user and don't give it more permission, this login/user only and login the Database but can't access no database.
Fore details, please see Controlling and granting database access to SQL Database and SQL Data Warehouse.
Hope this helps.
I have created several logins in a SQL Server RDS instance, using the RDS 'master' user to create the logins. The logins have permissions to create databases. However, these new databases are inaccessible to the RDS 'master' user. I receive messages such as:
The database xxxxx is not accessible (ObjectExplorer)
and
The server principal "rdsmaster" is not able to access the database "xxxxx" under the current security context.
In order for the RDS master login to have access to these databases, is the only option to have the login that created the database explicitly grant permissions to the new DB? Or, is there a master switch somewhere that will grant the master login permissions for each new database created, regardless of who created it? e.g. parameter group, sql role?
I need the master user, or at least a "clone" of the master user, to access all databases for things like index maintenance jobs, backups to S3, etc.
Many thanks,
Andrew
Resetting the master user password in the RDS console worked for me.
Found the solution mentioned in these threads:
Master user lost it's permissions unexpectedly on SQL Server (rds instance)
Granting Access to Database RDS SQL Server
I am working in an environment which has multiple sql server instances.
In one server my user is able to access any database even after restore.
In another server my user losses access to the database after doing a restore.
What could be the difference in access for my user in both servers.
probably in your first instance, your user has sysadmin privileges. on the other hand in second SQL instance, your user have database level privileges which are overridden upon restore.
I have been trying to research this subject and have not been able to glean any solid information, but what is the default "guest" account used for and should I revoke connect privilege from this account in my Production databases?
Guest access to master database is not enabled by default on SQL Azure Database service. With on premise SQL Server you always have guest access to master database even if no user is created in it for some login you're using to connect to the server. With SQL Azure a database user should also be created on master to be able to have guest access to DMVs like sys.database_usage and sys.bandwidth_usage.
My suggestion is to create database users only since logins created on the master can be disconnected while scaling the tiers or while failovers are occurring. I don't see why a guest access should be needed for master database.
I want to manage permissions and access to a SQL Server database server on a development machine. I've created a local windows group (called DBReaderGroup) and assigned various people to it. The group was created as a SQL Server login successfully:
create login [MYMACHINE\DBReaderGroup] from windows
My goal is to grant this group read/write access to all databases (which are constantly being added and dropped). Is it possible to configure the right settings so that SQL Server manages this?
My biggest challenge is that each time a db is created, I have to update the "User Mapping" settings for this group on the new database.
Am I missing something simple?
Add the login to the Model database in the db_datawriter role, and any new database will give that login full write access by default. This won't work, however, if the databases being added are from other sources (ie restored versions).