Entity framework code first migrations, sql user permissions? - sql-server

What is the minimal permission needed on a sql server user/login for it to be able to run entity framework code first database migrations?
I naively would have thought that a user with the roles db_datareader, db_datawriter, Grant Alter on the Schema and Grant Create Table would be permissive enough.

On-Prem: SQL server with AD/sql login
you need the following permissions on the database.
[db_datareader]
[db_datawriter]
[db_ddladmin]
For full control over database use
[db_owner]
Azure Could: Azure SQL with ADD (Edit)
Please add [dbmanager] to master and user database.

Clearly it depends on what your migrations are/(will be) doing. For my use case, I ended up creating a shema, and restricting the user that the migration uses to the permissions below.
GRANT ALTER, INSERT, SELECT, DELETE, UPDATE, REFERENCES ON SCHEMA::schema_name TO migration_user
GRANT CREATE TABLE TO migration_user

Related

T-SQL grant login for attach or detach databases

I have a question about security in SQL Server.
Is it possible to create a login with only authorization to attach or detach databases?
I don't want it as sysadmin.
If you check the documentation, you will see that for attaching a database we need:
Requires CREATE DATABASE, CREATE ANY DATABASE, or ALTER ANY DATABASE
permission.
and for detaching:
Requires membership in the db_owner fixed database role.
If you check the security hierarchy and download the Chart of SQL Server Permissions, you can check what other permission a user will have if he has any of the above permissions.
For example, if he has ALTER ANY DATABASE:
Basically, these rights are on the top of the security hierarchy and if you allow a user the ability to attach database, ze will be able to do other operations overt it, too.
If you don't want to make the user member of sysadmin role, that's OK. You can make the user member of dbcreator role:

Grant privileges to specific database for the user

I am learning oracle and PL/SQL. I have created a database called "PRACTICE" and created a user called "MITHRA" by connecting as a SYS.
My question is i want to grant privileges to the user "MITHRA" for the specific database "PRACTICE". The user "MITHRA" can able to do all activities like create, drop, alter etc.. only in "PRACTICE" database.
Please suggest me how to do this.
Oracle can only host one database so what you are asking for will essentially grant root privileges to this user, including drop database. This should be avoided on production from obvious reasons.
So in order to grant full access to user mithra:
Connect as sys and run the following command -
Grant dba to mithra;
That should give the user mithra all possible privileges for that database.
You can also use the grant command the grant any distinct privileges.
Just to be sure that we speak in the same terms.
Is the "PRACTICE" database or schema? If it is DATABASE then you should grant DBA, if it is schema then Oracle does not have statements to grant rights to schemas (only system and object priveleges). Reading your question makes me think that you come from MSSQL where you can grant to a specific user gratns to specific database, in Oracle it is a little bit different - to make an analogy - you do not have databases but schemas.

sql server 2008 r2 - deny create and drop database but allow everything else

I want to create a new user 'user1' that will be able to see all databases and all tables and also execute SQL statement, procedures etc.
The only thing that I want to deny is creating/dropping or change database (rename, change properties, create new database or drop existing database).
How can I do it?
If it is a dev server, I find it easiest to create a role in MODEL database that has all the right mix of privileges and then assign that role to a user mapped to a login that you need. When you create a new database that user will automatically be assigned privileges to that database.
Two caveats here: that login must be present on the server or else you will not be able to create a new database. Another important one is that the user will have completely unnecessary privileges to read and write to model database by default - definitely NOT a good idea on a production server. On a production server just create the role in model database, but only create user for the databases that you need.
This is the script you can use to create the role:
USE [model]
GO
CREATE ROLE [db_data_read_write_execute] AUTHORIZATION [db_securityadmin]
GO
ALTER ROLE [db_datareader] ADD MEMBER [db_data_read_write_execute]
GRANT EXECUTE to [db_data_read_write_execute]
GO
CREATE USER [DML_Only_User] FOR LOGIN [DML_Only_User_Login] WITH DEFAULT_SCHEMA=[dbo]
GO
ALTER ROLE [db_data_read_write_execute] ADD MEMBER [DML_Only_User]

SQL Server 2005 - Create Database with permissions for another database

I am a complete SQL Server newbie but I have experience with Oracle and MySQL. I am using SQL Server Management Studio.
I have an existing database that I want to create views from but I want those views to reside in another database (schema?) which will be accessible by a separate user account that can connect via JDBC.
I can create the database easily enough, right click "Databases" and select "New Database". From there I am lost.
1) How do I grant select/update/delete permissions (to create and update views) on one database to the new database?
2) How do I create a new user?
3) How do I grant permissions for users?
Thanks in advance.
Like Martin said you need a new schema not a database.
CREATE SCHEMA [SchemaName] AUTHORIZATION dbo;
Create your Views under the new schema name then,
CREATE LOGIN [LoginName] {FROM WINDOWS} (If you are using an AD Group)
USE [DatabaseName];
CREATE USER [LoginName/Username]; (They can be the same)
GRANT EXECUTE, SELECT, INSERT, DELETE, VIEW DEFINITION ON Schema::[NewSchemaName] TO [LoginName/Username];
If you want to have a Role the create the role under the database and make the UserName a member of the Role and grant the permissions to the role.

Setting up a user to my database in my SQL Server

I just finished creating a new user for my database in SQL Server. I had 4 tables I wanted to grant Insert, Update, Select and delete permissions. I did this manually in the Securables area of the new user.
Is there a better way to do this that to have to touch each object? if so, how?
Thanks,
rod.
One way is use schemas such that
tables belong to a schema (let's call it data, CREATE SCHEMA)
users belong to a role (CREATE ROLE, sp_addrolemember)
permissions are assigned to the role on the schema (GRANT INSERT ON schema::data to myRole)
Now, you can add new tables or change users without losing/creating permissions
If you want finely granular control over who can do what, I don't think there's a whole lot you can do - you're doing it just fine.
gbn's approach is quite nifty - another approach for "simple" setups (when you don't need a whole lot of different permissions) is to:
grant every user (or a role) the database role db_datareader - this allows read access
(SELECT) on all tables and views
grant every user (or a role) the database role db_datawriter - this allows write access (INSERT, UPDATE, DELETE) on all tables and views
If you also need to grant execution rights on stored procedures, there's unfortunately no predefined role to use. You can however create your own database role and then grant execute permissions to that role. The great thing is: this permission to execute stored procedures also applies to all future stored procedure you might create in your database!
To define your new role, use this:
CREATE ROLE db_executor
GRANT EXECUTE TO [db_executor]
and then you can just assign db_executor to those users who need to be able to execute stored procs and stored functions in your database.

Resources