I am facing problem regarding database permissions. I have created my database named FCProject. I created a login for that database in SQL Server Management Studio. My login is working fine but all I want to restrict access to FCProject database through users who can log in to SQL Server through Windows authentication mode.
Because I want only FC login to be able to view or modify data of FC database in SQL Server Management Studio.
I have tried creating a login through Management Studio. Is there any problem in creating login? Or something else? Please help
You are mixing up two things that should be kept separate here:
A login is on the server level - it gives an account (a Windows account, or a SQL Server specific account) the permission to connect to this server
Each database can then define user for its own use - based on those logins.
So in your case, what you need to do is to:
create a number of logins on the server-level
create users in your FCLogin database for just those logins
and then you're fine - only those accounts that you've defined explicitly can access your FCLogin database and use it.
See the Stairway to SQL Server security series of articles on SQL Server Central (very well worth registering for their contents!) which explains all the ins and outs in great detail
Related
I am currently working on a project to help configure an application in GCP, been working mostly in Azure and I am a bit confused with users and rights in Cloud SQL for SQL Server. It seems that SA is not permitted and I can understand that but in their documentation it states:
You can create other SQL Server users or roles. All Users you create using Cloud SQL are granted the same database permissions as the sqlserver login. if you use a different method the user wont have the same permissions as the customer admin accounts.
My questions.
Create with cloud sql means i have to use the console to create those users and not thru TSQL inside say SQL Server Management Studio that connects to SQL Server?
If i create a login will I then be able to add that login as a user to the database?
thank you.
I'm trying to set up a connection to SSMS from SSIS project I'm working on with SQL Server Authentication.
I set up a cube_user login and gave it permission to my database transactions
Here is how I set up my cube_user:
Login Name, password. I also chose the default DB below to transactions, the appropriate DB.
Then in User Mapping tab, I gave user owner permissions and I checked in the appropriate DB
Having done all that, it seems like it should work. I then started an SSIS project and tried to connect to it like this:
As you can the drop down that is supposed to display databases, is blank. However, If i tried to connect to it using Windows Authentication, I am able to see all DBs....
Is there something wrong I'm doing. Can you not connect to SSMS using SQL Server Authentication?
Please check the following things:
In properties of cube_user - that it has at least guest rights on the RDBMS (SQL Server itself). User rights on specific DB will not give the permission to connect to SQL Server. The properties are in SSMS - Security\Logins - specific Login properties - Server Roles. See example below
On the third screenshot where you specify user name and password - specify those of cube_user, not admin.
The reason why you see list of DBs with Windows Auth - you do it under your account which presumably has DBA user rights on the SQL Server.
On my server that is hosting SQL Server 2008 R2, I open SSMS and under Security -> Logins there is a login named "SomeLoginName". When I log in to the server with this login, I am able to see all of the databases on the server.
I would like to restrict this user to only see 2 of the databases that are on the server. I've seen some solutions that say to revoke the VIEW ANY DATABASE permission for the login and then add the login as the db_owner for the databases I want "SomeLoginName" to be able to see. I don't want to have "SomeLoginName" as the db_owner for the databases that it is supposed to see.
Is there a way that I can configure "SomeLoginName" to only see 2 databases on the server without "SomeLoginName" being the db_owner for these 2 databases?
Thanks in advance.
Is there a way that I can configure "SomeLoginName" to only see 2
databases on the server without "SomeLoginName" being the db_owner for
these 2 databases?
No, as you are on SQL Server 2008 R2 there s no such a way.
Starting with SQL Server 2012 new Contained Databases were introduced.
Here is another useful article SQL Server 2012 Contained Database Feature
While looking through the new features and improvements in SQL Server
2012, we found a potentially interesting feature called Contained
Databases. A contained database basically includes all database
settings and the metadata within itself thereby resulting in no
configuration dependencies on the instance of the SQL Server Database
Engine where the database is actually installed. Users will be able to
connect to a contained database without authenticating a login at the
Database Engine level. This feature really helps to isolate the
database from the Database Engine thereby making it possible to easily
move the database from one instance of SQL Server to another. In this
tip we will take a look at how to configure and use this feature of
SQL Server 2012.
When using contained databases you don't need login (security principal at the server level), only user at the database level. It will be a database, not a server, to authenticate your user. And as the consequence, this user will not "see databases" other than the database where it was created.
This user has not to be db_owner, it's an ordinary user with any permissions or even without any permission at all.
Thanks to #sepupic , his/her answer is correct. It turns out that I actually am running MS SQL Server 2012 so I was able to implement the Contained Database concept. The steps listed on the linked pages in #sepupic 's answer didn't work for me though. I found this one and put this script together. Here's what it does:
Changes the 'contained database authentication' to 1 for the MS SQL Server instance
Runs RECONFIGURE
Creates a contained database
Creates a user for the database
Here's the script:
USE master;
GO;
EXEC sp_configure 'contained database authentication', 1;
GO;
RECONFIGURE;
GO;
CREATE DATABASE ContainedDB2
CONTAINMENT = PARTIAL;
GO;
USE ContainedDB2;
GO;
CREATE USER cduser2
WITH PASSWORD = N'Pa$$word',
DEFAULT_SCHEMA = dbo;
GO;
Then you just configure the connection to the contained database in the section that begins with
Login and Verify the User Permissions on a Contained Database
Using the script I put together and configuring the connection under the section I mentioned sets it up so you connect to the server with the user that is created and that user can only see the contained database(s) you want it to. You have to configure the user to have permissions like the db role db_datareader in the contained database but instructions on how to do these types of things are easy to come by if you search for them. Thanks again to #sepupic for getting me started on coming up with an answer.
Could somebody explain how you can have different databases/security when connecting in via Windows Authentication from when someone connects via SQL authentication?
I have a customer who had to put a computer onto their network. When they did this, the computer name changed. When connecting into SQL it now has a different server name.
The thing is if I connect using a SQL username and password, I get the databases that were installed before. However If I connect using windows authentication, I do not get the database.
I would like to know what needs to be changed in order for windows authentication to see the same as a user logging in via SQL authentication.
How can I go about changing the permissions of windows authentication?
Within SQL Server, there are Logins (at the server level) and Users (at the database level). Your SQL Server login obviously has permission to the database(s) you want to see. The logins can also be windows users and/or groups. So, if you add a named windows user as a server login, you can extend that login as users in different databases. You can do the same thing with a group. So, you could have a single login to your sql server that represents all authenticated users in your domain, etc...
So, I think you need to get into SSMS (SQL Server Management Studio) and see what logins and users are defined on your SQL Server.
I am trying to create a login system on an asp.net website which allows a user to register and log in the website. I require the registered user details to be stored on a database which I already have on Azure.
I have so far created the login system as shown here: http://msdn.microsoft.com/en-us/library/windowsazure/hh508981.aspx and the form works. However, when I log in to the azure management portal I cannot find the user's registered details. I also need to add more fields to the registration form in the database.
Does anyone know where I can view the registered users and how I can add more fields?
If you follow the same link you used to create your application you will see the schema that is used by SQL Azure to store this information as below:
Now if you want to access this database directly, what you really need is SQL Server Management Studio (SSMS) to connect with this Database and access it from your local machine. Follow this link below to download and configure SQL Azure studio locally so you can connect to SQL database and the modify the schema or look the records etc. Once you have SSMS connected with SQL Database, you can manage it like any other on-premise database.
Managing Windows Azure SQL Database using SQL Server Management Studio