I want to map login user (i.e. TestUser) to already created database (i.e. JIRADB), but after executing below query no user is added in JIRADB.
Refer the image link provided, I want JIRADB to be checked after execution of the query.
Can someone help me with the exact query to achieve this task?
Here is the code, which I currently tried:-
USE [JIRADB]
GO
CREATE LOGIN TestUser WITH PASSWORD="sauser123', DEFAULT_DATABASE=[JIRADB], CHECK_EXPIRATION=OFF, CHECK_POLICY=ON
GO
Just creating a login isn't enough, that login needs a user in the database as well that is mapped to the login.
USE [master]
GO
CREATE LOGIN TestUser WITH PASSWORD="sauser123', DEFAULT_DATABASE=[JIRADB], CHECK_EXPIRATION=OFF, CHECK_POLICY=ON
GO
USE [JIRADB]
GO
CREATE USER [TestUser] FOR LOGIN [TestUser]
GO
--Optional, add the user to database roles if required
ALTER ROLE db_datareader ADD MEMBER [TestUser]
GO
You will notice I also have an alter role statement in there as well, as if you just create a user in a database, it will just be a member of the public role, if you need any other permissions you must either add the user to a database role, or explicitly assign permissions to them.
Related
I dont want to give sa or windows auth account to Entity Framework. What i want is a limited login and user for CRUD operations and whatever Entity Framework needs else. Thanks for any help.
Here is my snippet.
USE [master];
GO
CREATE LOGIN [yourUser]
WITH PASSWORD='yourPassword';
GO
USE [yourDB]
GO
CREATE USER [yourUser]
FROM LOGIN [yourUser]
WITH DEFAULT_SCHEMA=yourShema;
GO
ALTER ROLE db_datareader ADD MEMBER [yourUser];
GO
ALTER ROLE db_datawriter ADD MEMBER [yourUser];
GO
Result:
I am trying to create a user and then alter it in SQL Server. So far I have:
CREATE LOGIN bob1 WITH PASSWORD = '!abcd1234'
GO
ALTER USER bob1 WITH DEFAULT_SCHEMA = dbo;
GO
The first statement works, but then for the second I get:
Msg 15151, Level 16, State 1, Line 6
Cannot alter the user 'bob1', because it does not exist or you do not have permission.
What does that mean exactly? And why would I be able to create a user and then not be able to modify it?
It seems I'm mixing up LOGIN and USER. What is the difference between these two items?
In Azure, Login is not a user, it's used to login the Azure SQL database, you need create the user for login: CREATE USER BOB1 FOR LOGIN bob1, then run ALTER USER bob1 WITH DEFAULT_SCHEMA = dbo;. But it's not necessary, the default schema is dbo, we could not specify it.
Create login to log in the Server/database, then mapping the user to login.
After that you need alter the user enough permission/role to access the database, for example:
ALTER ROLE db_owner ADD MEMBER 'bob1'
Please ref here: Authorize database access to SQL Database, SQL Managed Instance, and Azure Synapse Analytics
I've been struggling my way through create a new DB user for an Azure SQL database. Here are the three statements I'm doing:
Create a new Azure login:
CREATE LOGIN [bobby] WITH PASSWORD = 'Password1'
Create a new DB user within the Azure login:
CREATE USER bobby FOR LOGIN bobby;
ALTER USER bobby with DEFAULT_SCHEMA = 'newschema';
To add a user to a DB group for that database — note, it is only for that database (whatever is in the current USE command):
EXEC sp_addrolemember 'db_owner', 'bobby'
For the life of me I couldn't figure out how to do GRANTs for step three. Every time I would try a statement it would give me some flavor of "permission denied" even though I am the one (and only) admin user in Azure. Is this the only way to add roles in Azure? Or am I totally missing something here?
In Azure SQL database, the whole step should be this:
1. Run the command in master DB:
CREATE LOGIN [bobby] WITH PASSWORD = 'Password1'
2. Go to the user database, run the command bellow:
CREATE USER bobby FOR LOGIN bobby;
ALTER USER bobby with DEFAULT_SCHEMA = 'newschema';
ALTER ROLE db_owner ADD MEMBER [bobby];
Please use server admin to create the login or user firstly.
Ref document here: ALTER ROLE (Transact-SQL)
How do I create a MS SQL server user that only allowed to read certain views of a particular database?
Here's a script that creates a new user and gives him select only permissions on a specific view.
USE [master]
GO
CREATE LOGIN [LimitedUser] WITH PASSWORD=N'testPass',
DEFAULT_DATABASE=[master],
CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
USE [TestDB]
GO
CREATE USER [LimitedUser] FOR LOGIN [LimitedUser]
GO
use [TestDB]
GO
GRANT SELECT ON [dbo].[myView] TO [LimitedUser]
GO
Edit
Instead of doing this for a specific user you might want to consider using Roles instead.
USE [TestDB]
GO
CREATE ROLE [LimitedRole]
GO
GRANT SELECT ON [dbo].[TestView] TO [LimitedRole]
GO
EXEC sp_addrolemember N'LimitedRole', N'LimitedUser'
GO
This way if you have multiple users for example in a Windows Authenitcation Mode you might have many users, all can be granted access to this role. This way as you add / remove views you don't have to touch every user.
The trick to doing this is to not give any explicit permissions to the Public role. Every user is irrevocably a member of that role so there is no way to prevent any user of the DB from having any rights you give to Public.
Aside from that, you just add the user to the appropriate DB and only give them rights to the objects you are interested in.
I am trying to create a SQL server login and database user from within my application, along with a custom application user row. I want these users to be able to create other users - i.e. the application will control who can/can't create users but I need all users to have permissions for creating SQL server logins and database users.
I have got the server login permissions working - i.e. an existing user/login can create a new login - by adding the logins to the 'securityadmin' server role - which grants the 'ALTER ANY LOGIN' privilege.
I tried to do the same with the database users - adding them to the 'db_accessadmin' database role - which supposedly grants the ALTER ANY USER privilege, which is required for CREATE USER.
However any time I try to create a new database user using a user with the above privileges I get a permissions exception.
I have tried manually granting the ALTER ANY USER permission to a particular user (GRANT ALTER ANY USER TO demouser) but this doesn't work either.
Technically, yes. Whether it's right or wrong... no comment.
Anyway, database security is split into 2 functions:
db_accessadmin to manage users (or "ALTER ANY USER" permission as you mentioned)
db_securityadmin allows you to manage roles memberships and object permissions (or "ALTER ANY ROLE permission)
This is mentioned for sp_addrolemember.
You are actually changing the role, not the user, by running sp_addrolemember so "ALTER ANY ROLE" is enough without having full db_owner rights.
My bad - I have found the issue - it was not the CREATE USER that was failing, but a subsequent call to 'sp_addrolemember'. This requires further permissions that I wasn't assigning.
In particular I needed to add my users to the db_owner database role in order to allow them to assign other/new users to fixed database roles.
Is there a cleaner way to allow me to achieve what I am trying to do here - i.e. create users that are allowed to create other users?
This seems very dangerous, easily becoming a security nightmare. Not knowing anything about why you think this is the best solution to accomplish your objective I can't really tell you not to do it this way, but wow!! - I would think long and hard about whether this really is necessary. The spider-webbing of users just seems like it could quickly be impossible to manage from a DBA perspective.
Would you not be able to just have one SQL account that has the permissions to add users, and the application uses that every time to add new users? Those users then would not need the ability to add other users. Maybe this won't work for your specific objective, but surely there is some other way.
But having said all that ... no, there is not really a cleaner way. The user would have to be assigned to the correct roles in order to have the ability to later add other users.
/*
TOPIC: create a login ,who can add other logins to databases (securityadmin server role)
*/
USE MASTER
GO
Create login securityTestLogin with password = '##somepassword123'
-----add this to server , this is server level security role -------
EXEC master..sp_addsrvrolemember #loginame = N'securityTestLogin', #rolename = N'securityadmin'
--- first this login should be a user in database where we want to give other users access
USE HTDBA
GO
Create user securityTestLogin for login securityTestLogin
EXEC sp_addrolemember N'db_accessadmin', N'securityTestLogin'
-- depends on your requriemtnt you might also want this permission too
--EXEC sp_addrolemember N'db_securityadmin', N'securityTestLogin'
GO
------ Now we think about adding other users to different database roles -------------
/*
There is one gottcha , db_securityadmin role cannot add users to the fixed database roles ,only
db_owner can perform this action , but for security we don't want to give this permission .
so we need a work around
Create a role with required permission and then add users to that role.
*/
--Create user defined database role Readers
EXEC sp_addrole DBUser
-- Add this role to fixeddbroles to get database level permission
EXEC sp_addrolemember db_datareader, DBUser
EXEC sp_addrolemember db_datawriter, DBUser
GO
--------READY TO TEST --------
------ we are using this sample login for test
use master
Go
Create login testlogin1 with password='##somepassword123'
use HTDBA
go
Create user testlogin1 for login testlogin1
--- now add this user to user created DBUser role .
EXEC sp_addrolemember DBUser, testlogin1
A very good article on SQL permissions:
http://www.sqlservercentral.com/articles/Security/sqlserversecurityfixeddatabaseroles/1231/