How do I check to see if the current user has access to create a database in SQL Azure?
In regular SQL Server, I have various easy methods at my disposal to check this. Normally, I might use IS_SRVROLEMEMBER('dbcreator'). Apparently SQL Azure has a dbmanager role instead, but IS_SRVROLEMEMBER('dbmanager') does not work either.
I also tried HAS_PERMS_BY_NAME(null, null, 'CREATE ANY DATABASE') but that does not work either.
I've verified that I do indeed have access to create a database. Does anyone have suggestions?
First: the query that should get you as close as possible to what you're looking for on the server specifically:
SELECT sys.database_role_members.role_principal_id, role.name AS RoleName,
sys.database_role_members.member_principal_id, member.name AS MemberName
FROM sys.database_role_members
JOIN sys.database_principals AS role
ON sys.database_role_members.role_principal_id = role.principal_id
JOIN sys.database_principals AS member
ON sys.database_role_members.member_principal_id = member.principal_id
WHERE role.name = 'db_owner';
From the RBAC poster on SQL Server:
NOTE: CREATE DATABASE is a database level permission that can only be
granted in the master database. For SQL Database use the dbmanager role
From the CREATE DATABASE (Azure SQL Database) documentation
To create a database a login must be one of the following:
The server-level principal login
The Azure AD administrator for the local Azure SQL Server
A login that is a member of the dbmanager database role
You can edit db_owner to any role on this page - this is the azure specific role:
dbmanager Can create and delete databases. A member of the dbmanager role that creates a database, becomes the owner of that databasee which allows that user to connect to that database as the dbo user. The dbo user has all database permissions in the database. Members of the dbmanager role do not necessarily have permission to access databases that they do not own.
An important note: You may have intertwined two different Role Based Access Control levels. SQL RBAC and Azure RBAC both have some relationship to SQL Server/SQL DB. In that way, they are related, certainly, but are not the same thing. For example: Being able to create a DB via the portal is different than being able to create a DB while connected to the server; it is possible to give an Azure user the ability to create a database while that user has no valid login to connect to the server. (Which would not be true if Azure RBAC and SQL RBAC were identical.)
Users with SQL DB Contributor or SQL Server Contributor roles will be able to create a database without ever connecting to the database. I examined enumerating these roles in a partially related question here.
You'll be able to audit the RBAC of Azure most easily through this powershell command:
Get-AzureRmRoleAssignment -ResourceGroupName <your resource group name>
-ResourceType Microsoft.Sql/servers -ResourceName <your server name>
-IncludeClassicAdministrators
I believe this should do what you are looking for. It will return "1" if the current login has the dbmanager role. You need to execute this in the master database.
SELECT 1 AS DatabaseManager
FROM sys.database_role_members rm
JOIN sys.database_principals r
ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals m
ON rm.member_principal_id = m.principal_id
WHERE r.name = 'dbmanager' and m.name = CURRENT_USER;
Related
I've been trying for a few days to get end-to-end AD authenticated access established for the Azure Synapse Serverless SQL Pool with some progress but no end-to-end workable solution until today.
I tried creating a SQL Server login for an AD security group using its domain, e.g.
CREATE LOGIN [UG-DataAccess-Confidential-RO#domain.com] FROM EXTERNAL PROVIDER;
and received the error
Principal 'UG-DataAccess-Confidential-RO#domain.com' could not be
found or this principal type is not supported.
Today, I fortunately ran across [this helpful article]: https://www.mssqltips.com/sqlservertip/6702/sql-server-windows-authentication-with-users-and-groups/
Which led to the following configuration that works great with Azure Synapse SQL Pool and I imagine SQL Server more generally:
AD Security Group: UG-DataAccess-Confidential-RO
Use master;
go
-- Step 1: Create a login for the desired security group that should align with the
-- sensitivity of the data being accessed
--
-- NOTE: logins to SQL Server that use AD security groups only need the
-- DISPLAY NAME of the group and should not contain the domain. I assume
-- that the domain is left off since authentication is against user accounts
-- while authorization checks group membership. Since authentication occurs first,
-- the domain is already known by the time authorization happens.
CREATE LOGIN [UG-DataAccess-Confidential-RO] FROM EXTERNAL PROVIDER;
GO
-- Step 2: Create a custom server role in the master DB (standard roles cannot be modified with
-- Azure Serverless SQL) and grant the required SQL privileges to it in order to ensure that
-- users who are members of the security group will have these privileges once the
-- security group has been added as a member of this new role in SQL Server
CREATE SERVER ROLE [custom_role_reader]
GO
-- Note: these grants are too liberal and need to be reduced further for tighter security
GRANT CONNECT ANY DATABASE TO [custom_role_reader]
GRANT CONNECT SQL TO [custom_role_reader]
GRANT VIEW ANY DATABASE TO [custom_role_reader]
GRANT VIEW ANY DEFINITION TO [custom_role_reader]
GRANT VIEW SERVER STATE TO [custom_role_reader]
GO
-- Step 3. Add the security group to the new server role to enable login for ANY users who are
-- members of the AD security group
ALTER SERVER ROLE [custom_role_reader] ADD MEMBER [UG-DataAccess-Confidential-RO]
GO
-- Step 4. Change to the database of interest - in this example, we use a demo database
use demoDB;
GO
-- Step 5. Create a demo database user for the demo database that maps to the SQL login associated with the AD security group
drop user [SqlReader]
GO
CREATE USER [SqlReader] FOR LOGIN [UG-DataAccess-Confidential-RO]
GO
-- Step 6. Create a demo database role and grant the required minimum privileges to it.
-- Then add the new demo db user as a member of the new demo db database role
drop role [db_sql_reader]
go
CREATE ROLE [db_sql_reader]
GO
GRANT SELECT ON SCHEMA::curated TO [db_sql_reader]
GO
alter role [db_sql_reader] add member [SqlReader]
GO
-- Step 7. FOR AZURE SYNAPSE ANALYTICS ONLY
-- Ensure Gen2 Storage of data lake ACLs provide read access to the AD security group for all files that are backing external table definitions. Ensure the security group has read/execute on all Gen2 directories in the data lake from the container all the way down to the files in the data lake, e.g. parquet, CSVs, etc.
--
-- Users who are members of the AD security group should now be able to login
-- to serverless SQL and execute queries against the tables in the demo DB
Note that this solution doesn't require any special Azure RBAC roles for members of the AD security group, only proper ACL management within the data lake and the SQL permissions described above. This prevents us from having to deal with creating scoped database credentials and it also aligns with MS security best practices for Synapse from what I can tell from the MS docs.
I have a customer who has created SQL azure database and trying to give access to his on-premise Security group account in database. The challenge that we are facing is that the on-premise group is named as 'group account' i.e. there is a space between the words. This account is synched with Azure AD.
Two questions
1) How do you provide access to a security group on SQL Azure Database? I know that you will say to use syntax like below but that doesn't work in my case i) There is empty space between the words in name ii) this is not a mail enabled group therefore there is no corresponding #domain.com in Azure AD for this group
CREATE USER [name#domain.com]
FROM EXTERNAL PROVIDER
Firstly, you should login your Azure database with your AD admin account.
Then run this query(same with juunas provided) to add on-premise Security group to Azure SQL database.
CREATE USER [<Security Group Display Name>] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = [<schema>];
As you said, there is a space in your 'group account' name, I tried to the same operation and it work ok with no error.
For example, I login my Azure SQL database with my AD admin, ran this query to create a group accout 'test gp'.
CREATE USER [test gp] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = [dbo];
Running SELECT * FROM SYS.DATABASE_PRINCIPALS we could see that the group has been created in Azure SQL Database
I executed the TSQL: EXEC sp_addrolemember 'db_owner', 'test gp';
It seems everything is ok but when disconnect my SQL database and try to login with group account 'test gp#****.com'
There is an error happened:
You can also reference these blogs:
Unable to add Azure AD group with ':' in display name to Azure SQL, am I missing something?
Naming conventions in Active Directory for computers, domains,
sites, and OUs
I think Azure SQL database doesn't support using Security group name with special character to login the database, such as white space (blank).
Hope this helps.
I've used CREATE USER [Group Name] FROM EXTERNAL PROVIDER before and it has worked.
I'm a newbie on SQL, I'd like to know how to grant select and other permissions to a specify user in Azure Sql Server.
I'm trying to use AUMC to do this, I've created a new login as well as a new user test and grant all permissions I can select on AUMC. (for master database, I've assigned roles loginmanager and dbmanager to test, for other database, I've assigned permissions db_owner, db_securityadmin, db_accessadmin, db_backupoperator, db_ddladmin, db_datawriter, db_datareader, db_denydatawriter, db_denydatareader to test).
After the setting, I'm trying to login to the Azure SQL Server via ssms. The login is success, but I cannot find any tables on the database except the System Tables.
And when I execute SELECT TOP 1 * FROM <a_table>, it returns The SELECT permission was denied on the object <a_table>, database <the database>, schema dbo.
The problem is likely that you are adding your test user to the db_denydatawriter and db_denydatareader roles. These roles prevent the user from reading or writing in the database, overriding the permissions granted by other roles like db_datawriter and db_datareader. Try removing your user from these two 'deny' roles.
For more information on the various database-level roles, see: https://msdn.microsoft.com/en-us/library/ms189121.aspx
I am granting the "View any database" permission when creating a new server role, but realized this permission only allows the user to view the system databases.
I am trying to create a server role that is read-only and can read any database.
Is there a way to create a user-defined server role to read user databases? Or do I have to do this through user mapping per user?
So, no is the answer, you can't assign database level permissions to server level roles, you can't even add a server role to a database role, which I find really frustrating as I've tried to do the same thing as you.
The way I ended up doing this was not by using a server role at all, I did the following:
Created an AD group for each server that I wanted read only access for
Created a login on the server for the group
Assigned the login to the db_datareader role on the model database
Assigned the login to the db_datareader role on all the pre-existing databases
Added my windows users into the AD group
This way, you can simply assign (or train your servicedesk folks to assign) users who need read only access to all databases on a server to the AD group, plus, as the role is set in the model database, they will have access to all newly created databases on the server too.
There is a SQL Server 2005 database with mixed-mode authentication.
Among others, we have the following logins on the server: our-domain\developers-group-1, and our-domain\developers-group-2 which are AD groups.
The our-domain\developer-group-2 is added to the sysadmin role on the server, by virture of which all domain users of that group can access any database as SQL Server implictly maps the sysadmin role to the dbo user in each database.
There are two users our-domain\good-user and our-domain\bad-user
The issue is the following: Both the good-user and the bad-user have the exact same AD group memberships. They are both members of our-domain\developers-group-1 and our-domain\developers-group-2. The good-user is able to access all the databases, and the bad-user is not. The bad-user is able to login, but he is unable access any databases. By the way, I am the good-user.
How do I go about finding out why?
Here's what I tried so far:
When I do print current_user, I get dbo
When I do print system_user, I get my-domain\good-user
When I do select * from fn_my_permissions(NULL, 'SERVER'), I see permissions.
But if do execute as user='my-domain\good-user'; select * from fn_my_permissions(NULL, 'SERVER'), I dont see any permisisons.
And When I do, execute as user='my-domain\bad-user'; select * from fn_my_permissions(NULL, 'SERVER'), I dont see any permisisons.
Also, I was wondering if there is a sql command that will tell me, "hey! the current database user is able to access this database because he is a member such-and-such ad-group, which is a login that is mapped to such-and-such user in this database".
If you have the relevant permissions within Management Studio, this shouldn't take too long to work out. It sounds like the bad-user AD group has limited permissions within SQL Server.
You need to check the settings in Security in the GUI, and check the mappings for each of these AD groups - clicking on the databases to see what permissions they have on each database.
Is it possible that you simply have implicit permissions as the creator/owner of the objects, yet no explicit permissions have been granted on the AD groups/roles or to your user individually?