I am creating an SSIS package using Change Data Capture. I have created the package, but I get the error below while executing it:
[CDC Control Task] Error: "Only members of the sysadmin fixed server
role or db_owner fixed database role can perform this operation.
Contact an administrator with sufficient permissions to perform this
operation.".
The error says sysadmin/db_owner role is required. However, is this really required or I am doing something wrong?
I depends on what you are trying to do in SSIS..Here is what MSDN lists out. and what privilege you need to have..
Access Authorization to Change Data:
Trickle-feed update packages need access to SQL Server 2016 CDC functions. Such access is granted, by default, to members of the db_owner fixed database role. Because the db_owner is a powerful role, when defining capture instances within SQL Server 2016 it is recommended to associate a gating security role to each capture instance that allows the SSIS CDC package to use a much more restricted user for processing the changes.
Access to CDC Database Current LSN:
The CDC Control task operations for marking the start LSN for change processing must be able to find the CDC Database current LSN. This is done using the procedure sp_replincrementlsn from the master database. Execute permission on this procedure must be given to the login used for connecting to the SQL Server 2016 CDC database.
Access to CDC States Table:
The CDC States table is used for automatically persisting CDC States that need to be updatable by the login used for connecting to the SQL Server 2016 CDC database. As this table is created by the SSIS developer, set the SQL Server 2016 system administrator as a user who is authorized to create SQL Server 2016 databases and perform administrative and maintenance tasks. In addition, a SQL Server 2016 system administrator who works with CDC enabled databases must be knowledgeable about SQL Server 2016 CDC technology and implementation.
Related
On my server that is hosting SQL Server 2008 R2, I open SSMS and under Security -> Logins there is a login named "SomeLoginName". When I log in to the server with this login, I am able to see all of the databases on the server.
I would like to restrict this user to only see 2 of the databases that are on the server. I've seen some solutions that say to revoke the VIEW ANY DATABASE permission for the login and then add the login as the db_owner for the databases I want "SomeLoginName" to be able to see. I don't want to have "SomeLoginName" as the db_owner for the databases that it is supposed to see.
Is there a way that I can configure "SomeLoginName" to only see 2 databases on the server without "SomeLoginName" being the db_owner for these 2 databases?
Thanks in advance.
Is there a way that I can configure "SomeLoginName" to only see 2
databases on the server without "SomeLoginName" being the db_owner for
these 2 databases?
No, as you are on SQL Server 2008 R2 there s no such a way.
Starting with SQL Server 2012 new Contained Databases were introduced.
Here is another useful article SQL Server 2012 Contained Database Feature
While looking through the new features and improvements in SQL Server
2012, we found a potentially interesting feature called Contained
Databases. A contained database basically includes all database
settings and the metadata within itself thereby resulting in no
configuration dependencies on the instance of the SQL Server Database
Engine where the database is actually installed. Users will be able to
connect to a contained database without authenticating a login at the
Database Engine level. This feature really helps to isolate the
database from the Database Engine thereby making it possible to easily
move the database from one instance of SQL Server to another. In this
tip we will take a look at how to configure and use this feature of
SQL Server 2012.
When using contained databases you don't need login (security principal at the server level), only user at the database level. It will be a database, not a server, to authenticate your user. And as the consequence, this user will not "see databases" other than the database where it was created.
This user has not to be db_owner, it's an ordinary user with any permissions or even without any permission at all.
Thanks to #sepupic , his/her answer is correct. It turns out that I actually am running MS SQL Server 2012 so I was able to implement the Contained Database concept. The steps listed on the linked pages in #sepupic 's answer didn't work for me though. I found this one and put this script together. Here's what it does:
Changes the 'contained database authentication' to 1 for the MS SQL Server instance
Runs RECONFIGURE
Creates a contained database
Creates a user for the database
Here's the script:
USE master;
GO;
EXEC sp_configure 'contained database authentication', 1;
GO;
RECONFIGURE;
GO;
CREATE DATABASE ContainedDB2
CONTAINMENT = PARTIAL;
GO;
USE ContainedDB2;
GO;
CREATE USER cduser2
WITH PASSWORD = N'Pa$$word',
DEFAULT_SCHEMA = dbo;
GO;
Then you just configure the connection to the contained database in the section that begins with
Login and Verify the User Permissions on a Contained Database
Using the script I put together and configuring the connection under the section I mentioned sets it up so you connect to the server with the user that is created and that user can only see the contained database(s) you want it to. You have to configure the user to have permissions like the db role db_datareader in the contained database but instructions on how to do these types of things are easy to come by if you search for them. Thanks again to #sepupic for getting me started on coming up with an answer.
I'm using the Telegraf input plugin for SQL Server (https://github.com/influxdata/telegraf/tree/master/plugins/inputs/sqlserver) to gather metrics and report to InfluxDB. It works well for SQL Server, but though it supports Azure SQL Database the documentation is a bit sparse.
The database user should be created like this:
CREATE LOGIN [telegraf] WITH PASSWORD = N'password';
GRANT VIEW SERVER STATE TO [telegraf];
GRANT VIEW ANY DEFINITION TO [telegraf];
That works on SQL Server, but in Azure it fails:
Securable class 'server' not supported in this version of SQL Server.
I wonder what I need to grant instead in order to solve this in the best possible way. We have a large number of databases running on the same server in an elastic pool, so if it is possible I would like to use a single user that logs in to the master and collects metrics for all the databases at once (the way it works with SQL Server). If that is impossible I can configure multiple logins and process one database at a time.
Perhaps I can grant VIEW DEFINITION at the database level, but VIEW SERVER STATE does not seem to be supported at all.
So, how should I configure the SQL Database login(s) for Telegraf with the SQL Server plugin to make it work?
EDIT:
Running as the super user for the server works without errors, but only produces metrics for master and tempdb. I need metrics for the many application databases and they are missing. Plus running as the super user is less than ideal.
Running as the super user for the server but connecting to a specific application database (add database in connection string) crashes with a nil pointer dereference and the log complains about VIEW DATABASE STATE permission denied in database master (the super user has access, but apparently not when connecting to a spefic database).
Granting VIEW DATABASE and VIEW DEFINITION to telegraf in an application database and connecting directly to that database as telegraf crashes with a nil pointer dereference and the log says the connection was closed.
EDIT 2:
Created bug report https://github.com/influxdata/telegraf/issues/4222.
EDIT 3:
As of the latest release the plugin works if the server admin account is used, so the issue has been solved. There is still no way to run with a less privileged account in Azure DB.
The answer:
GRANT VIEW SERVER STATE is not supported in Azure SQL Database.
On SQL Database Premium Tiers requires the VIEW DATABASE STATE
permission in the database. Permissions can not be granted in Master,
but the views can be queried in user databases. On SQL Database
Standard and Basic Tiers requires the SQL Database server admin
account due to security requirements following from multi tenancy of
those tiers.
Reason:
SQL Azure SQL is PaaS solution, therefore the most "server" specific features, DMVs, settings are blocked by purpose
References:
Grant View Server State - is it possible for a none SA user to have in Azure SQL?
SQL Azure VIEW DATABASE STATE permission denied in database 'master'
Possible workaround: (which is, anyway does not work in ewramner case)
CREATE LOGIN [telegraf] WITH PASSWORD = N'password';
USE [yourDB]
GRANT VIEW DEFINITION TO [telegraf];
GRANT VIEW DATABASE STATE TO [telegraf];
Therefore, (IMHO), there is no way to make such application working in SQL Azure without changing application code
I am trying to set-up/test SQL Server row-level security for my database. I want to use row-level security for SSRS reports and Power BI. The database is set up on my test PC using SQL Server Express with SSMS.
On my test PC I have set up a separate account -- separate from the user under which I established the SQL Server and database. I believe I have set-up the SQL Server level permissions and database level permissions appropriately(?) for the separate user.
I go into the separate user account and continually get the
Server principal **** is not able to access under current permissions
message in SSMS and cannot access the data in the SSRS localhost website.
Is the separate user, established on the same PC, not considered to be in the same domain as the PC user who established the database? Is that what is causing the problem? If so, how can that be overcome? If not, any ideas what my problem might be? Is there some constraint in SQL Server Express that I need to establish the database using a SQL Server Developer edition?
I prefer not to wait until the database is established on the system test server to determine how this will work. Many thanks for any thoughts or suggestions.
Trying to understand if SSMS can be configured to only query data from server tables and not alter the tables themselves. In short, can the flow of info be restricted to only one way...from the server to SQL Server Management Studio?
Your best bet is to put the users that you want only to query data in a group that has only rights to query data.
Permissions should be configured so that only the properly authorized users can alter the table schema. If your organization is currently using one database login for everything, that needs to stop. Typically, you'll have a level of read-only users, a level of read-write users, a level of read-write-execute (for stored procedures) users, and Administrative users. Trying to make the UI application restrict functions by itself won't work, as more than just Sql Server Management Studio can connect to SQL Server. Basic users should be set up as read-only. Applications should have whatever permissions group they need, though never Admin and each application should have its own specialized login.
Recently, I have deployed the sample version of Adventure Works 2014 Multidimensional-EE using SQL Server Data Tools.The initial deployment did not cause any troubles, however I haven't been able to create any mining structures since then due to the following error:
OLE DB error: OLE DB or ODBC error: Login failed for user 'XYZ8'.; 28000.
In SSDT, the impersonation information is set to: Service Account
Nonetheless, what is interesting is that SSMS displays "Default" Instead:
1
Any help would be appreciated?
Have you checked the permissions on the service account?
There is an article on MSDN describing the required permissions. I've taken the following extract:
Granting permission to
read database metadata also grants permission to read the metadata of
all objects in the database. We suggest that you include the Read
Definition permission at the database level whenever you are setting
up roles for dedicated processing. Having Read Definition allows
non-administrators to view a model's object hierarchy in SQL Server
Management Studio and navigate to individual objects for subsequent
processing. In SQL Server Management Studio, connect to the instance
of Analysis Services, expand Roles for the appropriate database in
Object Explorer, and then click a database role (or create a new
database role). On the General tab, select the Read Definition option.
In the Membership pane, enter the Windows user and group accounts that
connect to Analysis Services using this role. Click OK to finish
creating the role.