I have 3 databases on the same SQL Server 2012:
- erpCountry1
- erpCountry2
- erpWeb
erpWeb database was built to allow a special user (webUser) to read some data from outside. It is mostly a few views like this (simplified version):
create view erpWeb.dbo.vwClients
as
SELECT 'XX' as Region, IdClient, Nom, Adress
FROM erpCountry1.dbo.Clients
UNION ALL
SELECT 'YY' as Region, IdClient, Nom, Adress
FROM erpCountry2.dbo.Clients
Currently the user webUser must be mapped to erpCountry1 and erpCountry2 databases, otherwise view erpWeb.dbo.vwClients does not work for him.
My question is: what should I do to allow webUser to see the result of vwClients WITHOUT mapping webUser as datareader for erpCountry1 and erpCountry2 ? (since this allows webUser to see all data of those databases)
Edit: in Access, you can define a query to run with owner's permissions (instead of user's). Isn't there anything equivalent in SQL Server ?
Related
In the Security/Users folder in my database, I have a bunch of security groups, include "MyApplication Users". I need to check if I am (or another user is) in this group, but I have no idea how to query for it or where I could see this information. I tried looking in the properties, but couldn't find anything. Any ideas?
Checking yourself or the current user:
SELECT IS_MEMBER('[group or role]')
A result of 1 = yes,0 = no, and null = the group or role queried is not valid.
To get a list of the users, try xp_logininfo if extended procs are enabled and the group in question is a windows group :
EXEC master..xp_logininfo
#acctname = '[group]',
#option = 'members'
For a quick view of which groups / roles the current user is a member of;
select
[principal_id]
, [name]
, [type_desc]
, is_member(name) as [is_member]
from [sys].[database_principals]
where [type] in ('R','G')
order by [is_member] desc,[type],[name]
To find the AD Group members in the Instance, we can use below query:
xp_logininfo 'DomainName\AD_GroupName', 'members'
By using this query, we can find the below states.
account name, type, privilege, mapped login name, permission path
Accepted answer from DeanG is the preferred solution for getting this info within SQL Server
You can use Active Directory tools for this. I like Active Directory Users and Computers that is part of the Remote Server Administration Tools. Follow the link to download and install the tools on Windows 7.
Once installed, you can search for a specific group name:
Then you can see group membership using the Members tab:
If you don't want to use the AD browser packaged with RSA tools, there are several others available.
You don't.
Instead you use the users and groups to grant/deny privileges, and let the engine enforce them appropiately. Attempting to roll your own security will get you nowhere fast. A banal example is when you will fail to honor the 'one deny trumps all grants' rule. And you will fail to navigate the intricacies of EXECUTE AS. Not to mention security based on module signatures.
For the record: users, roles and groups are exposed in the sys.database_principals catalog view. sys.fn_my_permissions will return the current context permissions on a specific securable.
The code that is provided on the Microsoft page here works for me, every time.
SELECT DP1.name AS DatabaseRoleName,
isnull (DP2.name, 'No members') AS DatabaseUserName
FROM sys.database_role_members AS DRM
RIGHT OUTER JOIN sys.database_principals AS DP1
ON DRM.role_principal_id = DP1.principal_id
LEFT OUTER JOIN sys.database_principals AS DP2
ON DRM.member_principal_id = DP2.principal_id
WHERE DP1.type = 'R'
ORDER BY DP1.name;
Please let me know if this works for you!
I'm currently using a free DB2 warehouse on cloud provided by IBM. What I'm trying to do is to create a new table in the database. However, an error message pops up saying that
To resolve this, I open the web console and run the following command: create tablespace mytablespace pagesize 4096. Then, another error message pops up:
Based on what I have googled, it looks like I need to grant administrator role for the user "DASH******". So I do this by adding an optional parameter to the credentials:
But it doesn't work. Is there any way to workaround this?
EDIT1: I create the table using the following command:
Users are not allowed to create their own tablespaces in free DB2WoC systems, since they don't have the SYSCTRL or SYSADM authorities there. You have to use existing tablespaces where you are allowed to create your tables.
Run the following statement from your DASH*** user.
This statement returns all the tablespaces, where your user is allowed to create tables.
If it doesn't return any rows, then this means, that you should open a ticket to the IBM support. Support should create it for you and grant your user the USE privilege on this tablespace.
SELECT
T.DATATYPE
--, P.PRIVILEGE
--, P.OBJECTTYPE
--, P.OBJECTSCHEMA
, P.OBJECTNAME
, U.AUTHID, U.AUTHIDTYPE
FROM SYSIBMADM.PRIVILEGES P
CROSS JOIN TABLE(VALUES USER) A (AUTHID)
JOIN TABLE (
SELECT GROUP, 'G' FROM table(AUTH_LIST_GROUPS_FOR_AUTHID(A.AUTHID))
UNION ALL
select ROLENAME, 'R' from table(AUTH_LIST_ROLES_FOR_AUTHID(A.AUTHID, 'U'))
UNION ALL
SELECT * FROM TABLE(VALUES ('PUBLIC', 'G'), (A.AUTHID, 'U')) T (AUTHID, AUTHIDTYPE)
) U (AUTHID, AUTHIDTYPE) ON U.AUTHID=P.AUTHID AND U.AUTHIDTYPE=P.AUTHIDTYPE
JOIN SYSCAT.TABLESPACES T ON T.TBSPACE=P.OBJECTNAME
WHERE P.OBJECTTYPE='TABLESPACE' AND T.DATATYPE IN ('A', 'L')
We license our software by number of workstations.
I have a query that I have used for years to get an accurate count of the workstations logged in to my SQL Server database. For simplicity, all users use the same login name/password. This is built in to the script that attaches to the DB. They have access only to that DB with the exception of
USE [Master] GRANT VIEW SERVER STATE to MyUser
The query that has been working is below:
SELECT COUNT(Users) AS UserCount FROM (SELECT COUNT(Master.dbo.sysprocesses.hostname) AS Users FROM Master.dbo.sysprocesses LEFT OUTER JOIN Master.dbo.sysdatabases ON Master.dbo.sysdatabases.dbid = Master.dbo.sysprocesses.dbid WHERE (Master.dbo.sysdatabases.name = 'MyDatabase') GROUP BY Master.dbo.sysprocesses.net_address) AS UserCount_1
Basically this relies on the mac address (Master.dbo.sysprocesses.net_address), since both Workstation names and ip addresses can be duplicated.
Recently this has stopped working at a number of customers. Suddenly individual workstations are showing multiple net addresses for the same workstation causing a substantial overcount of users. This may be related to SQL Server 2012 - not sure.
What I need is a very reliable way to get a count of workstations logged in to my database.
If anyone can tell me why I am suddenly getting multiple net_addresses for each workstation and how to prevent that that would be one possible solution.
Otherwise if anyone can give me a rock solid way to get a workstation count other than the above that would be great. Our largest customer is 50 users by the way.
HERE IS AN EXAMPLE:
SELECT Master.dbo.sysprocesses.hostname AS Users, Master.dbo.sysprocesses.net_address FROM Master.dbo.sysprocesses
LEFT OUTER JOIN Master.dbo.sysdatabases ON Master.dbo.sysdatabases.dbid = Master.dbo.sysprocesses.dbid
WHERE Master.dbo.sysdatabases.name = 'mydb' GROUP BY Master.dbo.sysprocesses.hostname, Master.dbo.sysprocesses.net_address
RETURNS:
DAVID-PC 001CC490239E
FLOOR1 001CC41D8012
FLOOR2 CB8FEE6C5856
FLOOR3 A50B18FF1516
KER-PC7 6C626DEA68CC
LIZ-PC A4E553460E35
LIZ-PC EFE3F0E20260
LIZ-PC FD32F7B30360
PAP 9D35A704C29C
PAP CFB724BA1183
PAP D1A58A8878E6
PAP E9B116CA34B8
PAP F38B335A7AE6
Thanks in advance for any help.
You can get an accurate count of the users logged in to SQL Server database by the following query:
SELECT
DB_NAME(dbid) as DB
COUNT(dbid) as Numb
loginame as LoginNa
FROM
sys.sysprocesses
WHERE
dbid > 0
GROUP BY
dbid, loginame
Also you can get full details of connected users by this:
sp_who2 'Active'
Here is a way that will give you the number of IPs or MAC addresses connected to a given database. I'd go with IP as you might have multiple NICs/MACs in a given high end workstation.
SELECT COUNT(DISTINCT c.client_net_address) as DistinctIPCount,
COUNT(DISTINCT p.net_address) as DistinctMACCount
FROM sys.dm_exec_connections c INNER JOIN sys.dm_exec_sessions s ON c.session_id = s.session_id
INNER JOIN sysprocesses p ON s.session_id = p.spid
WHERE s.is_user_process = 1
AND p.dbid = DB_ID('yourdbnamehere')
I am trying to recover some group membership information from an old TFS 2010 server for which the application tier is no longer available (but the SQL back-end has not yet been deleted). I know there are command line programs to get security information but I am wondering if it is possible to get security information (specifically group membership) given only the database tables/views.
Here's a query I use to list all users and memberships within a TFS Collection.
Select Object1.DisplayName as Name,
Object2.DisplayName as Membership
From ADObjectMemberships Member1,
ADObjects Object1,
ADObjects Object2
Where Object1.ObjectSID = Member1.MemberObjectSID and
Object2.ObjectSID = Member1.ObjectSID
Order By Membership, Name
After poking around and some trial-and-error, I found that the following SQL seems to work
USE MyCollection;
SELECT
--grp.[SamAccountName] 'group_name',
member.SamAccountName 'member_name'
FROM
[ADObjects] grp
JOIN ADObjectMemberships om ON om.ObjectSID = grp.ObjectSID
JOIN ADObjects member ON om.MemberObjectSID = member.ObjectSID
WHERE
grp.SamAccountName = 'MyGroup'
I'm trying to build an XE in order to find out which of our internal apps (that don't have app names and thus show up as .Net SQLClient Data Provider) are hitting particular servers. Ideally, I'd like to get the name of the Client and Database , but not sure if I can do that in one XE.
I figured for ease of use, I'd use a histogram/asynchronous_bucketizer, and save counts of what's trying to hit and how often. However, I can't seem to get it work on 2012, much less 2008. If I use sqlserver.existing_connection it works, but only gives me the count when it connects. I want to get counts during the day and see how often it occurs from each server, so I tried preconnect_completed. Is this the right event?
Also, and part of the reason I'm using XE, is that those servers can get thousands of calls a minute.
Here's what I've come up with thus far, which works but only gives me current SSMS connections that match - obviously, I'll change that to the .Net SQLClient Data Provider.
CREATE EVENT SESSION UnknownAppHosts
ON SERVER
ADD EVENT sqlserver.existing_connection(
ACTION(sqlserver.client_hostname)
WHERE ([sqlserver].[client_app_name] LIKE 'Microsoft SQL Server Management%')
)
ADD TARGET package0.histogram
( SET slots = 50,
filtering_event_name='sqlserver.existing_connection',
source_type=1,
source='sqlserver.client_hostname'
)
WITH(MAX_DISPATCH_LATENCY =1SECONDS);
GO
Aha! It's login, not preconnect_starting or preconnect_completed.
CREATE EVENT SESSION UnknownAppHosts
ON SERVER
ADD EVENT sqlserver.login(
ACTION(sqlserver.client_hostname)
WHERE ([sqlserver].[client_app_name] LIKE 'Microsoft SQL Server Management%')
)
ADD TARGET package0.histogram
( SET slots = 50,
filtering_event_name='sqlserver.login',
source_type=1,
source='sqlserver.client_hostname'
)
WITH(MAX_DISPATCH_LATENCY =1SECONDS);
GO
Then to query it, some awesome code I made horrid:
-- Parse the session data to determine the databases being used.
SELECT slot.value('./#count', 'int') AS [Count] ,
slot.query('./value').value('.', 'varchar(20)')
FROM
(
SELECT CAST(target_data AS XML) AS target_data
FROM sys.dm_xe_session_targets AS t
INNER JOIN sys.dm_xe_sessions AS s
ON t.event_session_address = s.address
WHERE s.name = 'UnknownAppHosts'
AND t.target_name = 'Histogram') AS tgt(target_data)
CROSS APPLY target_data.nodes('/HistogramTarget/Slot') AS bucket(slot)
ORDER BY slot.value('./#count', 'int') DESC