How to understand that a user gets database access in SQL Server - sql-server

I have been tasked with auditing security on my SQL Server. But, when I look at a login in SQL Server Management Studio, I don't see a checkbox beside the master db for that login. How can I determine what databases a login has access to?

ther is a useful system store procedure to list all mapping user of SQL login account.
Syntax:
sp_msloginmappings #Loginname , #Flags
#loginname: the login account name, If loginname is not specified, results are returned for the login account(current login name)
#Flags: value can be 0 and 1, by default 0. 0 means show mapping user in all databases. 1 indicates how mapping user in current
database context.
e.g
here is sample:
sp_msloginmappings 'sa'
show mapping user account info in all databases for login account 'sa'
sp_msloginmappings 'sa', 1
show mapping user account info in current databases context for login account 'sa'

If you see a login match up to a user in this manner, then the login has access to the database.
SELECT sp.name AS 'Login', dp.name AS 'User'
FROM sys.database_principals dp
JOIN sys.server_principals sp
ON dp.sid = sp.sid
ORDER BY sp.name, dp.name;
you can do it in SQL Server 2005/2008

Related

User can't connect to Azure SQL Instance

I created my first database (let's call it MyDB) on Azure and created a user that I want to use to query the DB from my applications. I only wanted to give that user db_datawriter and db_datareader because I think that is all this user needs to do from the application.
When I run this on MyDB:
SELECT DP1.name AS DatabaseRoleName,
isnull (DP2.name, 'No members') AS DatabaseUserName
FROM sys.database_role_members AS DRM
RIGHT OUTER JOIN sys.database_principals AS DP1
ON DRM.role_principal_id = DP1.principal_id
LEFT OUTER JOIN sys.database_principals AS DP2
ON DRM.member_principal_id = DP2.principal_id
WHERE DP1.type = 'R'
ORDER BY DP1.name;
I get this back:
db_accessadmin No members
db_backupoperator No members
db_datareader MyDBUser
db_datawriter MyDBUser
db_ddladmin No members
db_denydatareader No members
db_denydatawriter No members
db_owner dbo
db_securityadmin No members
public No members
so that seemed to work. The problem is - I have to give this user also Permission to connect to the DB in the first place, because when I try to connect to the server, I get this:
===================================
Cannot connect to abc.database.windows.net.
===================================
The server principal "MyDBUser" is not able to access the database "master" under the current security context.
Cannot open user default database. Login failed.
Login failed for user 'MyDBUser'. (.Net SqlClient Data Provider)
I think this is probably, because my new user can't connect to master DB, as the errormessage suggests. However, when I look at the properties of MyDB, "Connect" was granted for the user by dbo
How can I let my user connect to the Azure DB Instance, preferably with as less permission as possible, I would only like for him to select, update, insert etc. on MyDB
I tried to change default DB with this command, so I don't need to do anything on masterDB, but the stored procedure wasn't found:
Exec sp_defaultdb #loginame='MyDBUser', #defdb='MyDB'
Edit: That's how I created the Login / User in SSMS
First (on instance):
CREATE LOGIN MyDBUser
WITH PASSWORD = '******'
GO
Then (on MyDB):
CREATE USER MyDBUser
FOR LOGIN MyDBUser
WITH DEFAULT_SCHEMA = dbo
GO
-- Add user to the database owner role
EXEC sp_addrolemember N'db_datawriter', N'MyDBUser'
GO
You have created a LOGIN and then created a USER for the LOGIN but only in the database you want them to connect to but not in master.
SQL Azure Databases are contained databases, so there is no need to create a LOGIN; the databases use their own scoped credentials.
First DROP the USER and LOGIN you created. Connect to MyDB and DROP the user first:
DROP USER MyDBUser;
Then connect to master and DROP the LOGIN:
DROP LOGIN MyDBUser;
Now connect to MyDB again and CREATE the USER with the needed credentials:
CREATE USER MyDBUser WITH PASSWORD = N'Your Secure Password', DEFAULT_SCHEMA = N'dbo';
Then you can give it the needed database roles. Don't use sp_addrolemember; it has been deprecated for ~10 years.
ALTER ROLE db_datareader ADD MEMBER MyDBUser;
ALTER ROLE db_datawriter ADD MEMBER MyDBUser;
I've had a similar error message when connecting to Azure SQL DB with SSMS. The solution there was to identify the database, hence the message "access the database "master"". You probably have entered the DB server name already.
You do not mention how you are trying to connect to the DB, but in case of SSMS, enter the name of the database on the tab "Connection properties" (available behind the "Options>>>" button on "Connect to Server" screen).

How do I determine the user when my SQL Server Login is a AD group?

Consider this example:
If I have a security group on Active Directory (let's call it MyGroup) which has 5 users in it (MYDOMAIN\User1 - MYDOMAIN\User5)
If I create a SQL Server Login and User for my database like this:
CREATE LOGIN [MYDOMAIN\MyGroup] FROM WINDOWS;
CREATE USER [MyGroup] FOR LOGIN [MYDOMAIN\MyGroup];
If MYDOMAIN\User4 connects to the database, is there a SQL query I can use to tell which user of MyGroup has connected to the database?
The function SUSER_SNAME will return the current login, when called without a parameter.
Example
SELECT
SUSER_SNAME()
;

Unable to delete the database user as the user is already logged in currently. error 15434

I have created the user sagar in SQL Server 2012 database and mapped it to the XYZ database. After some time I deleted the XYZ database and now I don't need the existing user sagar also. But when I try to delete the user from SQL Srever Management Studio. I am getting the following exception
Could not drop login 'sagar' as the user is currently logged in. error:15434
User can be deleted after killing the session by identifying the session_id of the user.
SELECT session_id
FROM sys.dm_exec_sessions
WHERE login_name = 'sagar'
KILL 51 --51 is session_id here, you may get different id
Now you can delete the login simply by executing the below query (or) by using sql server management studio options.
DROP LOGIN 'sagar'
How to delete yourself as a Login. E.g. You may want to do this when the hostname changed so that Sql Server records your Login under the old hosthame.
Login to SSMS. Select the 'sa' account and change the password to something you will remember.
Close down SSMS, start it up again but login as 'sa' this time. Select the Login you wish to delete, right click for Delete.
You will probably be told that Login owns one or more databases.
Login 'hostname\The Login' owns one or more database(s).
Change the owner of the databases before dropping the logon. [MS Sql Server Error 15174]
To list the owner of every database:
select suser_sname(owner_sid) from sys.databases
To change the owner of every database to 'sa'
EXEC sp_MSforeachdb 'EXEC [?]..sp_changedbowner ''sa'' '
<-- This sp_MSforeachdb will probably fail for one or two, as it did for me. In my case because that database was single user. Changing the rogue database to multi-user fixed that. Then I just ran EXEC sp_MSforeachdb ... again.
To check, run
select suser_sname(owner_sid) from sys.databases
again to ensure the Login is gone
Now delete that login.

What is the difference between SYSTEM_USER and USER in SQL server?

I am very new to databases and confused between the keywords SYSTEM_USER and USER in MSSQL. The definitions say that they return the username in the current context. but the instance I have running returns 'dbo' for USER and 'sa' for system user.
Can somebody highlight the exact difference between the two?
SYSTEM_USER: returns Server Login name that was used to login to the instance (either SQL Server login or AD/Domain/Windows user-name).
USER, CURRENT_USER, USER_NAME(), or SESSION_USER: these all return Database User principal, which is (by default) dbo if you are db-owner or logged in as a sysadmin or sa (not to be confused with the dbo schema or the DB_Owner of current database in use).
Examples:
SELECT SYSTEM_USER --> myDomain\user.name
----------------------------------------------
SELECT USER --> dbo
SELECT CURRENT_USER --> dbo
SELECT USER_NAME() --> dbo
SELECT SESSION_USER --> dbo
----------------------------------------------
Note: USER_NAME([user_id]) can additionally take an int-user-id, default arg is 1, i.e.: USER_NAME(1) would be same as USER_NAME().
SYSTEM_USER to return the current system user name.
USER to return the database user name.
According to difference between SYSTEM_USER and USER:
If the current user is logged in to Microsoft® SQL ServerT using
Windows Authentication, SYSTEM_USER returns the Windows 2000 or
Windows NT 4.0 login identification name
for example, DOMAIN\user_login_name.
However, if the current user is logged in to SQL Server using SQL
Server Authentication, SYSTEM_USER returns the SQL Server login
identification name,
for example, sa for a user logged in as sa

Sql Server 2005 how to change dbo login name

I have a database with user 'dbo' that has a login name "domain\xzy". How do I change it from "domain\xzy" to "domain\abc".
I figured it out. Within SQL Management Studio you have to right-click on the database -> Properties -> Files -> Owner field. Change this field to the login name/account that you want associated with the "dbo" username for that database. Please keep in mind that the login name/account you choose must already be setup in the sql server under Security -> Logins
If you are trying to remap a login to a db user you can use sp_change_user_login
exec sp_change_user_login 'Update_One', 'user', 'login'
PhantomTypist gives a good answer using the GUI. For achieving the same result with TSQL, you can use this code:
USE [My_Database_Name]
GO
EXEC dbo.sp_changedbowner #loginame = N'domain\abc', #map = false
GO
This is a Windows login, not a SQL Server login, so you cannot 'change' the login name since it is linked to the user account in Active Directory.
Create a new Server Login (Windows) mapped to the new windows user (and remove the old one if necessary). Then in login's Security > User Mapping, permission that login to the appropriate database as user 'dbo' (or assign to the db_owner role)

Resources