I am attempting to:
To copy your database to a new database on a different logical server
as detailed on this page:
How to: Use Database Copy (Azure SQL Database)
I have made sure I have the correct username and password for the source database and it's a dbo.
I have created a new user in the destination database in the master database with the same username and password.
The instructions say that to enable the new user to create a database it must be a member of the role "dbmanager" role.
But, there is no "dbmanager" role listed in my destination master database.
Ultimately I want to be able to run the following command:
CREATE DATABASE NewDatabase AS COPY OF abc12345.OldDatabase;
which is currently giving me the error:
CREATE DATABASE permission denied in database 'master'
Why haven't I got a "dbmanager" role please? Or should I be using some other role that does already exist.
Any help would be very much appreciated.
Thanks.
The only roles I have in the database, created through the Azure portal, are shown below...
Related
I have a SQL Server 2017 database instance that was created before I was given administration of the database and I have a Login at DB server level named "atSupervisor" which is a user in database "StaffMonitoring". I wish to clone the login and user "atSupervisor" as login and user "bcSupervisor" in database "StaffMonitoring" to have all permissions, table access, grants etc.
I have tried a few suggestions on google such as this example - https://www.mssqltips.com/sqlservertip/3589/how-to-clone-a-sql-server-login-part-1-of-3/
This seems to creates the login and user and I can then assign the database "StaffMonitoring" in User Mapping in the login's properties and login with the user. However, none of the tables are present.
Is there a way to do this please that clones everything to include grant access to tables that mirrors the original login\user?
I am trying to create a master key on a master database of my azure sql datawarehouse. But my user does not have required permissions to do so. What are the roles need to be assigned/granted to the user or login of the azure sql datawarehouse? I was able to grant control permission using GUI of SSMS to the user of sql server instance on-prem. And also I was able to create a master key with the help of that role on master database of that sql server.The Scripts I used for that are:
CREATE LOGIN LoaderRC20 WITH PASSWORD = 'a123STRONGpassword!';
CREATE USER LoaderRC20 FOR LOGIN LoaderRC20;
ALTER ROLE dbmanager ADD MEMBER [LoaderRC20];
ALTER ROLE loginmanager ADD MEMBER [LoaderRC20];
ALTER ROLE db_owner ADD MEMBER [LoaderRC20];
GRANT CONTROL ON DATABASE::[master] to LoaderRC20;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '23987hxJ#KL95234nl0zBe';
But there's no direct provision to provide such access to the user on azure sql warehouse using GUI of SSMS.The scripts that I used for on-prem sql server instance are not working for azure sql datawarehouse.The GRANT CONTROL ON DATABASE::[master] to LoaderRC20; threw an error that cannot grant,deny or revoke permissions to yourself,sa,dbo,sys,etc. Is there any script to give permissions to azure sql datawarehouse's user of master db so that I am able to create a master key on it?If yes, then what are those scripts and their sequence?I have really tried hard to find answers to these questions. Please help me to find the answers
Dbmanager is intended for creating databases and loginmanager to manage logins.
To create a master key (CREATE MASTER KEY) in Azure SQL just run the following statements on the user Azure SQL Database context not on the master database. If you try to create the master key on the master database you may run into error "Msg 15247". On the context of any user database you can try:
CREATE MASTER KEY
GO
or
CREATE MASTER KEY ENCRYPTION BY PASSWORD='MyPassw0rdIsComplex.'
GO
I created a new SQL server with a database in Azure and after logging in with the admin account I added a new user that I wanted to only have access to one database.
In SSMS I right clicked on mynewdatabase database and selected New Query.
I executed
CREATE USER mynewuser WITH PASSWORD ='good password here';
ALTER ROLE db_owner ADD MEMBER mynewuser ;
Now after logging in as mynewuser I can still see the master database.
The question is how do I restrict mynewuser to only access mynewdatabase?
I'm sure this is something basic.
In SQL Server, including Azure SQL DB, all users can can see all system databases in sys.databases. This is not the same as being able to connect to them or run queries in them. This does not disclose any sensitive information as these are system databases and whether you saw them listed or not you would know they were there. See https://msdn.microsoft.com/en-us/library/ms178534.aspx#Anchor_0.
Based on the steps you describe, you have created a contained user that should not be able to connect to the master database or run queries in Azure SQL DB.
I tried to migrate a SQL Server database by Export Data-tier Application (.bacpac file) from an Amazon RDS instance to other, but import didn't succeed. So now I want to delete the database (which is empty), when I try to:
DROP DATABASE mydatabase;
I get the error:
Cannot drop the database 'mydatabase', because it does not exist or
you do not have permission
Some context:
I've tried using SQL Server Management Studio, and choosing close connections: same error.
I'm logged as master user.
I can create and drop other databases, but not this one.
I just have these effective permissions on this database: CONNECT, SHOWPLAN, VIEW DATABASE STATE, VIEW DEFINITION (don't know why or how is this possible).
Any help is greatly appreciated!
I ran into this same issue. After trying to restore a database via SSMS using a .bacpac, it fails and leaves you with a database that you appear to not have permissions to drop.
A workaround, is to use the rdsadmin rename function to rename it to something else, which then seems to fix the permission issue and allows you to drop it.
EXEC rdsadmin.dbo.rds_modify_db_name N'<OldName>', N'<NewName>'
Then just drop the DB. Hope that helps someone else in the same predicament.
This is the answer for an old thread but who knows, it might help someone having the same issue.
I ran into the same problem, but in my case, my database was in an offline mode. If the database is in offline mode, it won't allow you to drop it with the drop command. first, you should bring the database back online by running this sp and then execute the drop table command.
EXEC rdsadmin.dbo.rds_set_database_online databasename
If your database is in a Multi-AZ deployment, then you need to run this command to drop those databases:
EXECUTE msdb.dbo.rds_drop_database N'DBName'
Sounds like your not a member of the correct role.
https://msdn.microsoft.com/en-us/library/ee240822.aspx
Permissions
A DAC can only be deleted by members of the sysadmin or serveradmin fixed server roles, or by the database owner. The built-in SQL Server system administrator account named sa can also launch the wizard.
https://msdn.microsoft.com/en-us/library/ms178613.aspx
Permissions
SQL Server - Requires the CONTROL permission on the database, or ALTER ANY DATABASE permission, or membership in the db_owner fixed database role.
Azure SQL Database - Only the server-level principal login (created by the provisioning process) or members of the dbmanager database role can drop a database.
Parallel Data Warehouse - Requires the CONTROL permission on the database, or ALTER ANY DATABASE permission, or membership in the db_owner fixed database role.
I am granting the "View any database" permission when creating a new server role, but realized this permission only allows the user to view the system databases.
I am trying to create a server role that is read-only and can read any database.
Is there a way to create a user-defined server role to read user databases? Or do I have to do this through user mapping per user?
So, no is the answer, you can't assign database level permissions to server level roles, you can't even add a server role to a database role, which I find really frustrating as I've tried to do the same thing as you.
The way I ended up doing this was not by using a server role at all, I did the following:
Created an AD group for each server that I wanted read only access for
Created a login on the server for the group
Assigned the login to the db_datareader role on the model database
Assigned the login to the db_datareader role on all the pre-existing databases
Added my windows users into the AD group
This way, you can simply assign (or train your servicedesk folks to assign) users who need read only access to all databases on a server to the AD group, plus, as the role is set in the model database, they will have access to all newly created databases on the server too.