Create User failed by master db on Azure - database

I create a db on azure portal. After this I connect to the azure db with my own application which i programming in dotnet. What i want is to create a new login which have the permission to also create new logins. So i connect to master db, then i create a new SQL login, then i create a new user from the login and add them to the loginmanager role. So know i can create new logins with the user but when i want create also user from login then i get an error that i have no permission to alter the the login. So what can i do?
Thanks for helping
Daniel

The problem is that the loginmanager role doesn't have the necessary permissions to create or alter users. The 'CREATE USER' statement requires the 'ALTER ANY USER' permission (details here).
So, in the first step you create a login and user in the master database that has the 'loginmanager' role.
-- connect to the master database with your 'sa' account
CREATE LOGIN login1 WITH PASSWORD='<your password>';
CREATE USER login1user FROM LOGIN login1;
EXEC sp_addrolemember 'loginmanager', 'login1user';
In the second step you need to grant this user the 'ALTER ANY USER' permission. Note that this needs to be done in the application database in which you want to have the user accounts.
-- connect to the application database with your 'sa' account
CREATE USER login1user FROM LOGIN login1;
GRANT ALTER ANY USER TO login1user;
You should now be able to create new logins and the associated users. Note that you create the logins in the master database, and you create the user in the application database.

Related

Azure user GRANTs for SQL Database

I've been struggling my way through create a new DB user for an Azure SQL database. Here are the three statements I'm doing:
Create a new Azure login:
CREATE LOGIN [bobby] WITH PASSWORD = 'Password1'
Create a new DB user within the Azure login:
CREATE USER bobby FOR LOGIN bobby;
ALTER USER bobby with DEFAULT_SCHEMA = 'newschema';
To add a user to a DB group for that database — note, it is only for that database (whatever is in the current USE command):
EXEC sp_addrolemember 'db_owner', 'bobby'
For the life of me I couldn't figure out how to do GRANTs for step three. Every time I would try a statement it would give me some flavor of "permission denied" even though I am the one (and only) admin user in Azure. Is this the only way to add roles in Azure? Or am I totally missing something here?
In Azure SQL database, the whole step should be this:
1. Run the command in master DB:
CREATE LOGIN [bobby] WITH PASSWORD = 'Password1'
2. Go to the user database, run the command bellow:
CREATE USER bobby FOR LOGIN bobby;
ALTER USER bobby with DEFAULT_SCHEMA = 'newschema';
ALTER ROLE db_owner ADD MEMBER [bobby];
Please use server admin to create the login or user firstly.
Ref document here: ALTER ROLE (Transact-SQL)

Is there a way to create a second login (with user) in the Azure PaaS database?

We have moved our database from a physical server to a Azure PaaS SQL database. The server login is used by the application to connect to the database. I need to create another login account with read-only access to the database. Can someone please help.
Things i have tried already.
CREATE LOGIN login123
WITH PASSWORD = *******
CREATE USER login123
FOR LOGIN login123
WITH DEFAULT_SCHEMA = dbo
ALTER ROLE db_datareader ADD MEMBER login123
The above was executed successfully but when the application uses this login it gets the below error.
"The server pricipal "login123" is not able to access the database "master" under the current security context. Cannot open user default database. Login failed."
When you run this query:
CREATE LOGIN login123
WITH PASSWORD = *******
CREATE USER login123
FOR LOGIN login123
WITH DEFAULT_SCHEMA = dbo
ALTER ROLE db_datareader ADD MEMBER login123
This means that the new user only have the readonly permission for the database.
Which database the query run in, the readonly permission is for which database.
The user don't have the permission to access other database or master db.
For more details, please see:
Controlling and granting database access to SQL Database and SQL
Data Warehouse
Database-Level Roles
If you want the user both have the readonly permission to more database, you should create more user(with the same) in different database. Using one Login mapping to more users.
Here the T-SQL code, I tested and it works in Azure SQL database:
USE master
CREATE LOGIN login123
WITH PASSWORD = '****'
GO
CREATE USER login123
FOR LOGIN login123
WITH DEFAULT_SCHEMA = db_datareader
GO
USE Mydatabase
CREATE USER login123
FOR LOGIN login123
WITH DEFAULT_SCHEMA = dbo
GO
ALTER ROLE db_datareader ADD MEMBER login123
GO
``````
Hope this helps.
With Azure-Sql-database You can't use a sql server login to connect to the master database
You have to put in the connection string the database that you want to access.
you can find more information on this link :
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-manage-logins#non-administrator-users

SQL Azure readonly user who cannot delete database

I've created a readonly user ala:
(in master)
CREATE LOGIN reader WITH password='YourPWD';
CREATE USER readerUser FROM LOGIN reader;
(in target db)
CREATE USER readerUser FROM LOGIN reader;
EXEC sp_addrolemember 'db_datareader', 'readerUser';
This works well in denying the user access to do anything but read from tables in the target db.
However it still allows them to delete the target db from management studio.
How can I deny them db deletion rights?
Can you clarify what you mean by DB deletion rights? Do you mean DROP the database? If so, the permission for DROP DATABASE is in master. So ensure that the login is not part of the dbmanager role.
If you meant deleting data from tables then by default users in database do not have that permission unless you add them in roles like db_datawriter or db_owner or grant DELETE permission explicitly.
You can check permissions of user by doing something like:
execute as user = 'readerUser';
select * from fn_my_permissions (NULL, 'DATABASE');
revert;
go

Security roles on master database in Azure SQL

I´m building an Azure SQL resource monitor, and I have to grant permission for a login to access the 'sys.resource_stats' on the master database of a Azure SQL 'server'. I can´t use neither loginmanager or dbmanager roles, because they grant some permission I don´t want to grant for a monitor application.
Is there another database role on the master database which i can add members?
I have recently created a special monitoring login/database user (see below) and I didn't find any reason to assign roles (I'm Azure noob thought).
Step 1
Create a login and a database user in master database:
-- in master database
-- create a login
create login <LOGIN> with password = '<PASSWORD>'
-- create a corresponding database user
create user <USER> from login <LOGIN>;
Step 2
Authorize the login to use a target database:
-- in target database
-- create a corresponding database user
create user <USER> from login <LOGIN>;
-- grant permission to view dynamic management views
grant view database state to <USER>;
In practice <LOGIN> and <USER> are the same, like foo_monitor.
See also:
Managing Databases and Logins in Azure SQL Database.
Which privileges does a user need to query used size in SQL Azure database?

How do I create a new user in a SQL Azure database?

I am trying to use the following template:
-- =================================================
-- Create User as DBO template for SQL Azure Database
-- =================================================
-- For login <login_name, sysname, login_name>, create a user in the database
CREATE USER <user_name, sysname, user_name>
FOR LOGIN <login_name, sysname, login_name>
WITH DEFAULT_SCHEMA = <default_schema, sysname, dbo>
GO
-- Add user to the database owner role
EXEC sp_addrolemember N'db_owner', N'<user_name, sysname, user_name>'
GO
I would like to create a user called user1 with a password of 'user1pass'. I connected with my default database 'authentication' and I have a query window open.
But the template does not make sense for me. For example what's sysname, where do I supply the password and what should I use as the default_schema?
The particular user needs to have the power to do everything. But how do I set it up so he can do everything, is that done if I make the user a database owner?
So far I have tried:
CREATE USER user1, sysname, user1
FOR LOGIN user1, sysname, user1
WITH DEFAULT_SCHEMA = dbo, sysname, dbo
GO
Giving:
Msg 102, Level 15, State 1, Line 1 Incorrect syntax near ','.
and:
CREATE USER user1
FOR LOGIN user1
WITH DEFAULT_SCHEMA = dbo
GO
Giving:
Msg 15007, Level 16, State 1, Line 1 'user1' i
s not a valid login or you do not have permission.
Edit - Contained User (v12 and later)
As of Sql Azure 12, databases will be created as Contained Databases which will allow users to be created directly in your database, without the need for a server login via master.
Sql (standard) User
CREATE USER [MyUser] WITH PASSWORD = 'Secret';
ALTER ROLE [db_datareader] ADD MEMBER [MyUser]; -- or sp_addrolemember
AAD linked User
CREATE USER [SomeUser#mydomain.com] FROM EXTERNAL PROVIDER;
EXEC sp_addrolemember 'db_datareader' , N'SomeUser#mydomain.com'
AAD linked Group
CREATE USER [SomeGroup] FROM EXTERNAL PROVIDER;
EXEC sp_addrolemember 'db_datareader' , N'SomeGroup'
NB! when connecting to the database when using a contained user that you must always specify the database in the connection string.
Traditional Server Login - Database User (Pre v 12)
Just to add to #Igorek's answer, you can do the following in Sql Server Management Studio:
Create the new Login on the server
In master (via the Available databases drop down in SSMS - this is because USE master doesn't work in Azure):
create the login:
CREATE LOGIN username WITH password=N'password';
Create the new User in the database
Switch to the actual database (again via the available databases drop down, or a new connection)
CREATE USER username FROM LOGIN username;
(I've assumed that you want the user and logins to tie up as username, but change if this isn't the case.)
Now add the user to the relevant security roles
EXEC sp_addrolemember N'db_owner', N'username'
GO
(Obviously an app user should have less privileges than dbo.)
Check out this link for all of the information : https://azure.microsoft.com/en-us/blog/adding-users-to-your-sql-azure-database/
First you need to create a login for SQL Azure, its syntax is as follows:
CREATE LOGIN username WITH password='password';
This command needs to run in master db. Only afterwards can you run commands to create a user in the database. The way SQL Azure or SQL Server works is that there is a login created first at the server level and then it is mapped to a user in every database.
HTH
I followed the answers here but when I tried to connect with my new user, I got an error message stating "The server principal 'newuser' is not able to access the database 'master' under the current security context".
I had to also create a new user in the master table to successfully log in with SSMS.
USE [master]
GO
CREATE LOGIN [newuser] WITH PASSWORD=N'blahpw'
GO
CREATE USER [newuser] FOR LOGIN [newuser] WITH DEFAULT_SCHEMA=[dbo]
GO
USE [MyDatabase]
CREATE USER newuser FOR LOGIN newuser WITH DEFAULT_SCHEMA = dbo
GO
EXEC sp_addrolemember N'db_owner', N'newuser'
GO
You can simply create a contained user in SQL DB V12.
Create user containeduser with password = 'Password'
Contained user login is more efficient than login to the database using the login created by master. You can find more details # http://www.sqlindepth.com/contained-users-in-sql-azure-db-v12/
I use the Azure Management console tool of CodePlex, with a very useful GUI, try it. You can save type some code.
1 Create login while connecting to the master db
(in your databaseclient open a connection to the master db)
CREATE LOGIN 'testUserLogin' WITH password='1231!#ASDF!a';
2 Create a user while connecting to your db (in your db client open a connection to your database)
CREATE USER testUserLoginFROM LOGIN testUserLogin;
Please, note, user name is the same as login. It did not work for me when I had a different username and login.
3 Add required permissions
EXEC sp_addrolemember db_datawriter, 'testUser';
You may want to add 'db_datareader' as well.
list of the roles:
https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver15
I was inspired by #nthpixel answer, but it did not work for my db client DBeaver.
It did not allow me to run USE [master] and use [my-db] statements.
https://azure.microsoft.com/en-us/blog/adding-users-to-your-sql-azure-database/
How to test your user?
Run the query bellow in the master database connection.
SELECT A.name as userName, B.name as login, B.Type_desc, default_database_name, B.*
FROM sys.sysusers A
FULL OUTER JOIN sys.sql_logins B
ON A.sid = B.sid
WHERE islogin = 1 and A.sid is not null
List of all users in Azure SQL
create a user and then add user to a specific role:
CREATE USER [test] WITH PASSWORD=N'<strong password>'
go
ALTER ROLE [db_datareader] ADD MEMBER [test]
go
I found this link very helpful:
https://azure.microsoft.com/en-gb/documentation/articles/sql-database-manage-logins/
It details things like:
- Azure SQL Database subscriber account
- Using Azure Active Directory users to access the database
- Server-level principal accounts (unrestricted access)
- Adding users to the dbmanager database role
I used this and Stuart's answer to do the following:
On the master database (see link as to who has permissions on this):
CREATE LOGIN [MyAdmin] with password='ReallySecurePassword'
And then on the database in question:
CREATE USER [MyAdmin] FROM LOGIN [MyAdmin]
ALTER ROLE db_owner ADD MEMBER [MyAdmin]
You can also create users like this, according to the link:
CREATE USER [mike#contoso.com] FROM EXTERNAL PROVIDER;
I think the templates use the following notation: variable name, variable type, default value.
Sysname is a built-in data type which can hold the names of system objects.
It is limited to 128 Unicode character.
-- same as sysname type
declare #my_sysname nvarchar(128);

Resources