Disable stored proc modify options in object explorer - sql-server

As a business need, I revoked
REVOKE EXECUTE ON SP_HELPTEXT TO PUBLIC;
It solves the purpose in the query window, but how can I disable the <modify> option present in Object Explorer?
WITH ENCRYPTION also solves the need, but is not feasible in the current situation. Please help me if there is any other alternative.
Using SQL Server 2008 R2 Developer

You can also do it through the GUI by right clicking on the user or the proc and going to properties. The exact steps depend on whether you are using enterprise manager or sql management studio.
Alternately add them to a role that has permissions on it already, public is the minimum required.
exec sp_addrolemember 'public', 'user'

Related

Grant execute on all stored procedures using SSMS

I have created a user with database roles db_datareader, db_datawriter and public. Also I have configured with server roles as public.
Now this user cannot view the list of stored procedure when clicking on stored procedures node in objects explorer. How can I assign permission to see and execute all the stored procedures? I want to do this through SSMS without launching any command.
I am using SQL Server 2012 and below versions:
Microsoft SQL Server Management Studio 11.0.2100.60
Microsoft Data Access Components (MDAC) 10.0.17763.1
Microsoft MSXML 3.0 4.0 5.0 6.0
Microsoft Internet Explorer 9.11.17763.0
Microsoft .NET Framework 4.0.30319.42000
Sistema operativo 6.3.17763
Looks like you can do this, though not as "simple" as you would expect.
I would, personally create a database role to do this. Go to your database in the Object explorer, and expand the Security Folder. Then right click Roles and Select New -> New Database Role.
Give the Role a name (I'll use db_executor) on the General Pane and then go to the Securables Pane. Click Search... at the top and select the radio option Specific Objects... and click OK. Click Object Types... and then tick Databases and then OK. Now click Browse... and tick the database you are adding the role to, then click OK and then OK.
In the datagrid at the bottom locate the Permission Execute, and tick the box in the column Grant. Then OK. This will run the below SQL on your instance:
USE [YourDatabase]
GO
CREATE ROLE [db_executor]
GO
use [YourDatabase]
GO
GRANT EXECUTE To [db_executor]
GO
Yes, Microsoft really is inconsistent with the casing of USE for that statement, and it omits the ; in its commands.
Now you have created the role, locate the user you want to give access to in the object explorer in the Users folder. Right Click them and select Properties. Go to the Membership Pane and tick the box next to db_executor. Then click OK. This will run the below SQL on your instance:
USE [YourDatabase]
GO
ALTER ROLE [db_executor] ADD MEMBER [YourUser]
GO
Of course, why you wouldn't just run the 2 above commands, which is far quicker, I do not know.
I don't think there's a graphical way of doing this within the UI, but you can create a new query window in SSMS and execute one of these queries.
For a particular role you can:
/* GRANT EXECUTE TO THE ROLE */
GRANT EXECUTE TO role_what_needs_permissions
For a user
USE [the_database]
GO
GRANT EXECUTE TO [the_user]

Database Diagram Support Objects cannot be Installed ... no valid owner

I tried to create a database diagram with SQL Server 2008, but an error occurs:
Database diagram support objects
cannot be installed because this
database does not have a valid owner.
To continue, first use the Files page
of the Database Properties dialog box
or the ALTER AUTHORIZATION statement
to set the database owner to a valid
login, then add the database diagram
support objects.
Then I tried the following:
EXEC sp_dbcmptlevel 'Ariha', '90';
GO
ALTER AUTHORIZATION ON DATABASE::Ariha TO [WIN-NDKPHUPPNFL\Administrator]
GO
USE Ariha
GO
EXECUTE AS USER = N'dbo' REVERT
GO
Next error pops up:
Msg 15404, Level 16, State 11, Line 1
Could not obtain information about
Windows NT group/user
'WIN-NDKPHUPPNFL\Administrator', error
code 0x534.
The Problem is the name of the PC has changed into "DevPC" I also changed this in the update script, but still the same error 15404.
What can I do to fix this annoying error?
In SQL Server Management Studio do the following:
1. Right click on your database, choose Properties.
2. Go to the Options page.
3. In the drop-down at right labeled "Compatibility Level" choose "SQL Server 2005(90)".
3-1. Choose "SQL Server 2008" if you receive a compatibility error.
4. Go to the Files page.
5. Enter "sa" in the owner textbox.
5-1. Or click on the ellipses (...) and choose a rightful owner.
6. Hit OK.
After doing this, you will now be able to access the Database Diagrams.
You should consider SQL authentication account for database ownership; then you don't have to worry about accounts coming and going, databases or instances moving to different servers, and your next PC name change. I have several systems where we use:
ALTER AUTHORIZATION ON DATABASE::Ariha TO [sa];
Or if you want to change the owner to that local Administrator account, then it should be:
ALTER AUTHORIZATION ON DATABASE::Ariha TO [DevPC\Administrator];
Because renaming the machine to DevPC has eliminated the local account that used to be named WIN-ND...\Administrator and this has also invalidated the current owner of the database.
If SELECT @@SERVERNAME; is not accurate (it should say DevPC), then in order to ensure that your server rename has taken hold within SQL Server, you may also want to issue the following:
EXEC sys.sp_dropserver @server = N'old server name';
GO
EXEC sys.sp_addserver @server = N'DevPC', @local = N'local';
GO
USE [ECMIS]
GO
EXEC dbo.sp_changedbowner @loginame = N'sa', @map = false
GO
It works.
Enter "SA" instead of "sa" in the owner textbox. This worked for me.
I had the same problem.
I wanted to view my diagram, which I created the same day at work, at home. But I couldn't because of this message.
I found out that the owner of the database was the user of my computer -as expected. but since the computer is in the company's domain, and I am not connected to the company's network, the database couldn't resolve the owner.
So what I did is change the owner to a local user and it worked!!
Hope this helps someone.
You change the user by right-click on the database, properties, files, owner
Select your database - Right Click - Select Properties
Select FILE in left side of page
In the OWNER box, select button which has three dots (…) in it
Now select user 'sa' and click OK
This fixed it for me. It sets the owner found under the 'files' section of the database properties window, and is as scripted by management studio.
USE [your_db_name]
GO
EXEC dbo.sp_changedbowner @loginame = N'sa', @map = false
GO
According to the sp_changedbowner documentation this is deprecated now.
Based on Israel's answer. Aaron's answer is the non-deprecated variation of this.
I just experienced this. I had read the suggestions on this page, as well as the SQL Authority suggestions (which is the same thing) and none of the above worked.
In the end, I removed the account and recreated (with the same username/password). Just like that, all the issues went away.
Sadly, this means I don't know what went wrong so I can't share any thing else.
1. Right click on your database.
2. Then select Properties.
3. Select the option in compatibility levels: choose SQL 2008 [100] if you are working with Microsoft SQL 2008.
4. Then select the file and write ( sa ) in the owner's textbox.
100% works for me.
An easier way to solve this issue would be to right click the name of your database, choose "New Query", type " exec sp_changedbowner 'sa' " and execute the query. Then you'll be good to go.
You must enter as administrator: right click on Microsoft SQL Server Management Studio and run as admin.
Only need to execute it in query editor
ALTER AUTHORIZATION ON DATABASE::YourDatabase TO [domain\account];
The real problem is that the default owner (dbo) doesn't have a login mapped to it at all. As I tried to map the sa login to the database owner I received another error stating "User, group, or role 'dbo' already exists...". However, if you try this code it will actually work:
EXEC sp_dbcmptlevel 'yourDB', '90';
go
ALTER AUTHORIZATION ON DATABASE::yourDB TO "yourLogin"
go
use [yourDB]
go
EXECUTE AS USER = N'dbo' REVERT
go
Right click on your database, then select Properties.
Select the option in compatibility levels: choose SQL 2005 [90] instead of 2008 if you are working with Microsoft SQL 2008.
Then select the file and write ( sa ) in the owner's textbox.
It will probably work.

How to disable SQL Server Management Studio for a user

Is there a way to prevent users from getting into SQL Server Management Studio so that they can't just edit table rows manually? They still need to access the tables by running my application.
You can use the DENY VIEW ANY DATABASE command for the particular user(s). This is a new feature available in SQL Server 2008.
It prevents the user from seeing the system catalog (sys.databases, sys.sysdatabases, etc.) and therefore makes the DB invisible to them in SQL Management Studio (SSMS).
Run this command from the Master Database:
DENY VIEW ANY DATABASE TO [loginName]
The user is still able to access the database through your application. However, if they log in through SSMS, your database will not show up in the list of databases and if they open a query window, your database will not appear in the dropdown.
However, this is not fool-proof. If the user is smart enough to run the Query Command:
USE <YourDatabaseName>
Then they will see the database in the Query Analyzer.
Since this solution is taking you 90% there, I would give the database some obscure name and not let the users know the name of the database.
You DO NOT need to worry about them having access to the tool. Simply make sure they do not know any of the SQL logins for the specific Databases that have read/write permissions, if they do, change the password. If they have access to the DB via Windows Authentication, make sure that they are in a datareader role. You can use roles to manage what the users can do in SQL.
You can use a trigger.
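CREATE TRIGGER [TR_LOGON_APP]
ON ALL SERVER
FOR LOGON
AS
BEGIN
    DECLARE @program_name nvarchar(128)
    DECLARE @host_name nvarchar(128)
    -- Read the client-reported program and host name of the connecting session
    SELECT @program_name = program_name,
           @host_name = host_name
    FROM sys.dm_exec_sessions AS c
    WHERE c.session_id = @@spid
    -- program_name comes from the client's connection string, so this test only
    -- matches clients that report themselves as Management Studio
    IF ORIGINAL_LOGIN() IN('YOUR_APP_LOGIN_NAME')
       AND @program_name LIKE '%Management%Studio%'
    BEGIN
        RAISERROR('This login is for application use only.',16,1)
        ROLLBACK;
    END
END;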
https://www.sqlservercentral.com/Forums/1236514/How-to-prevent-user-login-to-SQL-Management-Studio-#bm1236562
I would suggest you lock down the database and give appropriate read-only (or other) rights to the user. That way the user can still use management studio to run select queries and such.
If you don't want the user to have any rights at all then you could do that as well.
If your application is running as a service/user account then only that account requires access to the database. The individual users' account do not require any access to the database and therefore they won't even have read access. Your app will be the gateway to the data.
If the users are running the application under their user accounts then grant them read-only permission. You can simply add them to the db_datareader role.
Hope this helps!
You can deny 'Users' access rights to the ssms.exe executable file, while granting the relevant users/administrators rights to it.
If your application only used stored procedures to modify the data, you could give the end users access to run the stored procs, but deny them access to modify the tables.
Don't let them know what the database login is.
If you can't restrict the login, use stored procedures exclusively for updates and disable any CREATE,DELETE,INSERT, or UPDATE permissions for that user.
An Application Role will allow you to secure database objects to your application instead of the logged on user.
I agree with Jon Erickson as a general rule
do not allow any users access to the tables, but only allow access through stored procs
do not allow general user accounts access to stored procs, but only the account your app runs under (whether it's an integrated login or SQL login)
Make good use of Database Roles: if users should only have SELECT (read) access, assign them the db_datareader role. Even if they log in using SSMS they can execute only SELECT statements.
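The stored-procedure-only approach several answers above recommend, as an added example that is not part of any of the original posts. All object, role and user names (DemoOrders, DemoSetOrderStatus, demo_app_exec, demo_end_user) are hypothetical; run it in a scratch database as a member of db_owner.

```sql
-- Added example; every name below is hypothetical.
CREATE TABLE dbo.DemoOrders (OrderId int PRIMARY KEY, Status varchar(20) NOT NULL);
INSERT INTO dbo.DemoOrders (OrderId, Status) VALUES (1, 'new');
GO
-- The only sanctioned write path. Table and procedure share an owner (dbo), so
-- ownership chaining skips the table permission check inside the procedure.
CREATE PROCEDURE dbo.DemoSetOrderStatus
    @OrderId int,
    @Status  varchar(20)
AS
BEGIN
    SET NOCOUNT ON;
    UPDATE dbo.DemoOrders SET Status = @Status WHERE OrderId = @OrderId;
END;
GO
-- The role gets EXECUTE on the procedure and nothing on the table.
CREATE ROLE demo_app_exec;
GRANT EXECUTE ON OBJECT::dbo.DemoSetOrderStatus TO demo_app_exec;
CREATE USER demo_end_user WITHOUT LOGIN;   -- test principal, no login needed
EXEC sp_addrolemember 'demo_app_exec', 'demo_end_user';
GO
-- Check the result from the end user's security context.
EXECUTE AS USER = 'demo_end_user';
    SELECT HAS_PERMS_BY_NAME('dbo.DemoOrders', 'OBJECT', 'UPDATE')          AS can_update_table,
           HAS_PERMS_BY_NAME('dbo.DemoSetOrderStatus', 'OBJECT', 'EXECUTE') AS can_execute_proc;

    -- Write through the procedure: allowed by the EXECUTE grant.
    EXEC dbo.DemoSetOrderStatus @OrderId = 1, @Status = 'shipped';

    -- Same write typed directly, as a user would in an SSMS query window:
    -- rejected, because the user holds no permission on the table itself.
    BEGIN TRY
        UPDATE dbo.DemoOrders SET Status = 'direct-edit' WHERE OrderId = 1;
    END TRY
    BEGIN CATCH
        SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
    END CATCH;
REVERT;
GO
-- Back as the owner: confirm which of the two writes reached the table.
SELECT OrderId, Status FROM dbo.DemoOrders;
GO
-- Cleanup
DROP USER demo_end_user;
DROP ROLE demo_app_exec;
DROP PROCEDURE dbo.DemoSetOrderStatus;
DROP TABLE dbo.DemoOrders;
GO
```

The restriction is enforced by the server, so it holds whichever client tool the user connects with.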

Hide SQL database from Management Studio

How can you hide databases you do not have access rights to when logging into SQL Server 2005 / 2008?
Currently if a user connects, they see all the databases on the server, meaning they have to scan though the list to find their database.
After hours of trying to figure out how to create a user account which only has access to 1 DB, and can only see that DB, I think I figured it out!!!!
Create a user account (make sure it's not mapped to any database, otherwise you will get the final error Msg 15110, Level 16, State 1; note the proposed solution)
USE [master]
GO
CREATE LOGIN [us4]
WITH PASSWORD=N'123',
DEFAULT_DATABASE=[master],
CHECK_EXPIRATION=OFF,
CHECK_POLICY=OFF
Right Click on the upper section of the SQL (SQLSERVER Name)>Properties>Permissions>Click on the user account, and select Deny to view databases.
use [master]
GO
DENY VIEW ANY DATABASE TO [us4]
Right Click on the newly created DB, Properties, Files, and change the Owner to the newly created account. (Important note: ALTER ROLE [db_owner] ADD MEMBER [us4] does not work)
USE [dbname]
GO
EXEC dbo.sp_changedbowner @loginame = N'us4', @map = false
At this point, once the user logs in he will see the master and tempdb databases and will also see the new DB which he is a DB owner of. You may want to go to Tools > Options and enable the option to hide system objects so that you don't show master, tempdb, etc. You may also need SP1 if this option does not work.
Msg 15110, Level 16, State 1, Line 1
The proposed new database owner is already a user or aliased in the database.
proposed solution to Msg 15110: to resolve above error simply delete the user from database security node and try again
Hope that helps...
Nikhil
This actually won't work the way that makes sense or that you might expect that it would.
You REVOKE VIEW ANY DATABASE from the public role, but then the user has to be the database owner of the database or it can't be seen, but it still can be accessed.
The problem is a Database Engine Security shortcoming and not likely to be fixed in the current or future release of SQL Server.
Erland Sommarskog opened the following connect item for this a while ago, and it recently was discussed on twitter and with Microsoft by the SQL MVP's.
Vote for the connect and help make it more of a priority for Microsoft to fix:
Connect Feedback
Basically the permissions are stored at the database level, so it would require enumerating each database to determine if the user has connect rights to display the database in the object explorer, which is an expensive task to perform and how the older EM used to do things.
The proposed solution is for this information to be maintained at the server level as well, which is a major change.
You would need to revoke the permission 'VIEW ANY DATABASE' from the role PUBLIC (SQL SERVER 2005 onwards)
Add user to DB as Db owner after removing VIEW ANY DATABASE rights
This will show only the database owned by the login in SSMS.
USE master;
GO
DENY VIEW ANY DATABASE TO [loginname];
GO
USE [your db];
GO
DROP USER [loginname];
GO
USE master;
GO
ALTER AUTHORIZATION ON DATABASE::[your db] TO [loginname];
GO
Note: this requires the login to exist already
There appears to be a server-side setting on MS SQL 2005 and 2008 to restrict the databases a user may see. I found the following text at sql-server-performance.com
In SQL Server 2005 it is possible with a new server side role that has been created. VIEW ANY DATABASE permission is a new, server-level permission. A login that is granted with this permission can see metadata that describes all databases, regardless of whether the login owns or can actually use a particular database. Please note By default, the VIEW ANY DATABASE permission is granted to the public role. Therefore, by default, every user that connects to an instance of SQL Server 2005 can see all databases in the instance.
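A way to check the effect of the VIEW ANY DATABASE changes discussed in this thread, as an added example that is not part of the original answers. It assumes the login [us4] from the first answer and a session allowed to impersonate it (for example a sysadmin).

```sql
-- Added example; [us4] is the login created in the answer above.
USE master;
GO
-- 1. Every principal with an explicit GRANT or DENY of VIEW ANY DATABASE.
--    On a default install this shows the grant to public mentioned above.
SELECT pr.name AS principal_name, pr.type_desc, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = N'VIEW ANY DATABASE'
ORDER BY pr.name;
GO
-- 2. Capture the full database list as the administrator, then compare it with
--    what the login can see and what it can actually connect to.
DECLARE @dbs TABLE (name sysname PRIMARY KEY, owner_login sysname NULL);
INSERT INTO @dbs (name, owner_login)
SELECT name, SUSER_SNAME(owner_sid) FROM sys.databases;

EXECUTE AS LOGIN = N'us4';
SELECT d.name,
       d.owner_login,
       CASE WHEN v.database_id IS NULL THEN 0 ELSE 1 END AS listed_for_login,
       HAS_DBACCESS(d.name)                              AS login_can_connect
FROM @dbs AS d
LEFT JOIN sys.databases AS v ON v.name = d.name   -- sys.databases as seen by us4
ORDER BY d.name;
REVERT;
GO
```

A row with listed_for_login = 0 and login_can_connect = 1 is a database that is hidden from Object Explorer but still reachable with USE, which is the gap the answers above describe.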

sp_helptext permission

I need to give sp_helptext permission to the developers so that they can check the stored procedures. Can somebody please let me know how I can do it?
Thanks,
Christine
I think grant execute on sp_helptext is totally the wrong approach. As stated here by Jesus Lopez, if you want to give a user permissions to see all objects definitions, you must use
GRANT VIEW DEFINITION TO your_database_user
or if you want to let a user see object definition for a particular object, you must use
GRANT VIEW DEFINITION ON dbo.YourProcedure TO your_database_user.
Notice that firstly you must add an existing server login as a new user in the database. Then, you will be able to select the target database where the new user has been created, and then grant him/her permissions with GRANT VIEW DEFINITION statement.
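The effect of the object-level GRANT VIEW DEFINITION described in this answer, as an added example that is not part of the original post. The procedure dbo.DemoProc and the user demo_dev are hypothetical; run it in a scratch database as a member of db_owner.

```sql
-- Added example; dbo.DemoProc and demo_dev are hypothetical names.
CREATE PROCEDURE dbo.DemoProc
AS
    SELECT 1 AS demo_value;
GO
CREATE USER demo_dev WITHOUT LOGIN;                 -- test principal
GRANT EXECUTE ON OBJECT::dbo.DemoProc TO demo_dev;  -- may run it, nothing more
GO
-- Before the grant: the user can execute the procedure, but the definition
-- functions return no source text because VIEW DEFINITION is missing.
EXECUTE AS USER = 'demo_dev';
    SELECT HAS_PERMS_BY_NAME('dbo.DemoProc', 'OBJECT', 'EXECUTE')         AS can_execute,
           HAS_PERMS_BY_NAME('dbo.DemoProc', 'OBJECT', 'VIEW DEFINITION') AS can_view_definition,
           OBJECT_DEFINITION(OBJECT_ID('dbo.DemoProc'))                   AS definition_text;
REVERT;
GO
-- The object-level grant from the answer above.
GRANT VIEW DEFINITION ON OBJECT::dbo.DemoProc TO demo_dev;
GO
-- After the grant: the same query now returns the procedure source.
EXECUTE AS USER = 'demo_dev';
    SELECT HAS_PERMS_BY_NAME('dbo.DemoProc', 'OBJECT', 'VIEW DEFINITION') AS can_view_definition,
           OBJECT_DEFINITION(OBJECT_ID('dbo.DemoProc'))                   AS definition_text;
REVERT;
GO
-- Cleanup
DROP USER demo_dev;
DROP PROCEDURE dbo.DemoProc;
GO
```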
The syntax is
Grant Execute on sp_helptext to user
and must be executed with master as the current database.
You can also do it through the GUI by right clicking on the user or the proc and going to properties. The exact steps depend on whether you are using enterprise manager or sql management studio.
Alternately add them to a role that has permissions on it already, public is the minimum required.
exec sp_addrolemember 'public', 'user'
The format of the command needs to be
grant execute on sp_helptext to [DomainName\UserName] ;
I'm not a sql guru but I would imagine the developers would also need read/execute permission to the stored procedure they are getting the text for.
