Good evening, I'm admin user of a plesk 12 server with Web Pro Edition and I want to create an user to just manage database of one domain, for that I need to manage subscriptions but I'm not able where I can manage them
Could someone help me?
Many thanks.
Juan Manuel
First create subscription "User role" with "Create and Manage Databases" permission at Subscriptions > Your subscription > Users > Roles
Than create subscription user with this role and access to desired subscriptions:
Now user you have created can login into Plesk using username and password and find webadmin at "Databases" page:
Related
For my application I decided that every user that is created via application and that is added to the database table Users is automatically added as a server login and database User. I figured out that it would help me keep track of logs allow me to and use Sql password policies (like password expiration).
I can insert a row into Users table with no problem and login, user and schema is added to the server/database via trigger. When I log in as a created user, I can then select, modify, delete data and create additional logins/users.
I decided to use Application role to allow all the users to have the same permissions. It works okay, but using Application role I cannot add new logins/users, I cannot reset or change their passwords either. Sql displays
User does not have permission to perform this action.
When I create new connection and not set application role, all users can create new users/logins etc.
As I'm new to Sql security, how do I grant those permissions not to users, but to the application role?
I would be very grateful for your help.
I am using a visualstudio account in Azure. i have created a new user and given admin access to the active directory to this user. I also added this user as the owner to the subscriptions i had.
I now login as this into the new portal. I can see the subscription that i have. However i do not see the icon for Azure ActiveDirectory. Therefore i try to login to the old portal. This time I get stopped by a "No subscriptions found" prompt which does not let me for farther.
What is going on? why is there such discrepency between the two sites?
The classic (i.e. old) site only works with the old access model (service admin and co-admin), and requires at least one subscription to get into the site. The new site uses the fine-grained RBAC model (owner, contributor, etc...), and does not require any subscription just to get in to the site.
Adding a user as an 'Owner' in the new Azure portal does not make them a co-administrator, and thus, does not give them access to the classic portal:
The owners you added through the Azure portal cannot manage services in the Azure classic portal.
In order for your new user to get into the classic Azure portal, they need to have service admin or co-admin access to an Azure subscription. You can do one of the following:
Add the new user as a co-admin to your existing subscription (you would do this in the classic portal)
Make the new user the service admin for the subscription
Transfer the entire subscription to the new user (which also makes the new user the account admin)
So, I've created a user in Plesk 11, and assigned him a role (custom role that a created for him) with only database access.
But this new user has access to all my databases, I want to restrict his access to a specific one.
How can I do this please ?
Thank you.
Unfortunately it's impossible(at least I don't know how) in scope of one subscription(even through direct url), it's possible to just bind this user to one exact subscription and move all other databases in another subscription.
You can add this as feature request to https://plesk.uservoice.com/forums/184549-feature-suggestions
Roles give administrative rights to users so Plesk is doing exactly what it was told to do.
Granting administrative DB permissions however does not create a mysql user but a panel user who can manage the databases of the subscriptions you gave him access to ("all" or individually selected).
If you see all databases in phpMyAdmin you are not logged in as this user but clicked a "webadmin" link from within plesk which uses a login-token for the matching db user created for this subscription/database or even the admin (Tools & Settings-> Applications & Databases -> Database Servers -> Servername -> Databases) -> "Webadmin" in "Tools" section.
If you see all databases of all subscriptions in Plesk Panel you selected "all" in the "access subscriptions" field when creating the user.
Defining a custom role as an approach for giving access to only one database does not make sense as there is no need for administrative rights (he only could delete his database).
If your intention was to create just a mysql user for a specific database in a specific subscription open subscriber's control panel when logged in as admin user, click "databases", select tab "users", click "add new database user" and select which databases this new user should have access to. done.
Unfortunately for me it is not clear
where your user sees all the databases
if "all" really is all of them (like system dbs, too)
if "access" means control panel or mysql/phpmyadmin
However, I hope i covered all contingencies.
Let me describe the problem, my current portal is using AD login and pwd details to authenticate external users. I will have the new portal which will keep logins and pwds in SQL Server in a table. I need to migrate logins/pwds from AD domain to the sql database so external users can use their old password. Is it possible? How should i approach that?
Thank you for any help,
Rafal
Gathering the list of usernames should not be a problem. However SQL Server stores hashed versions of passwords, and presumably Active Directory does this differently. I don't see any solution except to create a bridge application under Active Directory that logs them into SQL Server under a temporary password and let's them assign a new password.
The permissions should be with the databases. Perhaps you've lost the association between the server logins and the database users. See if their SIDs are different. If so you can fix them with
ALTER USER with login =
or
exec sp_change_users_login (check books online for how to use this)
http://technet.microsoft.com/en-us/library/ms174378.aspx
I spent a long time yesterday to configure for my CouchDB instance in order to create a little app and letting CouchDB manage authentication and authorizations for me.
So I ended up with something like that :
On top of everything I've got a server admin, who basically is god on my CouchBD instance.
Then I created a database named "mydatabase" (for example) and added the role "mydatabase_dba" as admin and also the role "mydatabase_user" as reader.
I also created a database named "_users" which contains all the database admins and users with their roles and also a design document named "_auth" which manages authorizations.
Only the server admin is admin of this database, and I added users with role "mydatabase_dba" as readers. Then, for those of you who knows about it, I modified the "validate_doc_update" field o the "_auth" document so that users with role "mydatabase_dba" can only deals with users with role "mydatabase_user".
So, to summarize at this point :
server admin is still god
users with role "mydatabase_user" can connect to "mydatabase" but they are just readers
users with role "mydatabase_dba" are admins of "mydatabase"
users with role "mydatabase_dba" can connect to database "_users" where they are readers
users with role "mydatabase_dba" can only manage users of role "mydatabase_user" in "_users"
Hope this is clear :D
What I can do now is create an application that will not manage users itself, but let users connect to CouchDB directly (transparently).
The problem come when it deals with users creation/update/deletion.
Because only users with role "mydatabase_dba" can access to the "_users" database and work on users with roles "mydatabase_user", I need at some point to connect to CouchDB as this db admin.
I have two solutions :
Create a user interface into my app that will let the admin connect and do what he has to do
or
Make some more code and let the app do it automatically, this is the solution I prefer, but the problem is : I have to store the admin credentials...
Sorry for the long introduction but I had to describe the landscape first :)
I created a post yesterday about how I could secure the connection between my app and the CouchDB instance : here
The solution I was given is to use HTTP over SSL (/TLS) to secure the communication. I'm okay with that, but now I have another concern, maybe I'm paranoid, but because my app will need to connect as "mydatabase_dba", I have to store its credential somewhere.
But how to store them securely ? As said in my previous post, even if I store the hashed password instead of the plain text password, if an attacker access my app source code, he'll have my admin credentials...
An application should never have an administrative rights. It should only be given the bare minim rights it needs to function. If the application needs some administrative rights, make sure it has as few as possible. Other than that, most of the time these credentials are stored in plain text in some file that only your application can access.
Never commit this text file into your source code manager (Subversion, Git, etc.)! Placing the file into a running system must be a step in the installation procedure.