Deploying SQL Server Databases for clients - sql-server

I have the following script which creates a new database, a new user and login. I have some custom software that my clients use to log into the database and create the necessary tables, SP and populate the tables with data. The databases are hosted remotely online which I have full access to.
**EDIT-> The problem I have is that I cannot open a new connection and create any tables using the new user. Its looks like a permissions issue as it works ok with sa root account login.
Ideally I would like run this single script so I can deploy a new database to a new client via SQL Server Management Studio easily with the minimal of fuss
Please see my script below:
-- SEARCH AND REPLACE THE FOLLOWING TERMS
--
-- db_TestDatabase Database name
-- TestPa$$w0rd password
-- TestUser1 username
use master
go
--create a test database
CREATE DATABASE [db_TestDatabase]
GO
--create user login
CREATE LOGIN [TestUser1] WITH PASSWORD=N'TestPa$$w0rd'
GO
--create user in database
CREATE USER [TestUser1] FOR LOGIN [TestUser1] WITH DEFAULT_SCHEMA=[test_Schema]
GO
--create role
CREATE ROLE [test_Role] AUTHORIZATION [dbo]
GO
--create schema
CREATE SCHEMA [test_Schema] AUTHORIZATION [TestUser1]
GO
--apply permissions to schemas
GRANT ALTER ON SCHEMA::[test_Schema] TO [test_Role]
GO
GRANT CONTROL ON SCHEMA::[test_Schema] TO [test_Role]
GO
GRANT SELECT ON SCHEMA::[test_Schema] TO [test_Role]
GO
GRANT DELETE ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT INSERT ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT SELECT ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT UPDATE ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT REFERENCES ON SCHEMA::[dbo] TO [test_Role]
GO
--ensure role membership is correct
EXEC sp_addrolemember N'test_Role ', N'TestUser1'
GO
--allow users to create tables in test_Schema
GRANT CREATE TABLE TO [test_Role]
GO
--Allow user to connect to database
GRANT CONNECT TO [TestUser1]
Any suggestions would be appreciated.
Thank you

It could be a User Access Control issue, try right clicking Management Studio and Run as Administrator, if you have that privilege and it may get past the issue you're seeing.
Some related reading:
User Account Control and SQL Server
User Account Control affects Microsoft SQL Server in terms of
connectivity (SQL Server login) and in limiting access to resources on
the administrators’ access control list (ACL).
In versions earlier than Windows Vista and Windows Server 2008,
members of the local administrator group do not need their own SQL
Server logins and they do not need to be granted administrator
privileges inside SQL Server. They connect to SQL Server as the
built-in server principal BUILTIN\Administrators (B\A), and they have
administrator privileges because B\A is a member of the sysadmin fixed
server role. Administrator rights are stripped away in Windows Vista
and Windows Server 2008, so administrator users cannot connect to SQL
Server instance by virtue of being B\A, unless connecting from an
elevated client application.

Related

How to grant admin permission to AAD users in Azure SQL Server

Using portal.azure.com I've created SQL Server and SQL Database. I've set myself as the SQL Server admin.
I'm able to connect with my AAD account using SSMS.
I add another AAD users to my database:
use [MyDatabase]
CREATE USER [usename_emaildomain#EXT##mydirectory.onmicrosoft.com] FROM EXTERNAL PROVIDER;
--add read permissions
EXEC sp_addrolemember 'db_datareader', [usename_emaildomain#EXT##mydirectory.onmicrosoft.com]
But how do grant him admin rights so that he has full access to all databases? I'm able to sent only one admin in Azure Portal.
I don't know why SQL Azure only allows one security principal to be designated as admin but anyway....
You can assign one user or one group. So put all of your users in a group and assign that group as the administrator

How to create new SQL Server login and assign permission to access database to it?

I need to create an vb.net console application which will access our existing SQL Server database, but the problem is that the provider didn't give us login name and password to access the database.
So is there any way by which can I create a new login with password and assign them full permission or read permission to access the database ? I have full access to the system on which the SQL Server 2008 R2 is installed.
There are a few assumptions made to this:
1) The SQL Server is set up to allow mixed authentication
2) The SQL Server is allowed to use TCP/IP or Named Pipes for logins
3) The account you say has "full access" to the system ALSO has sysadmin (aka full access) on the SQL server instance or at least permissions to do user maintenance.
Assuming all those then login to the SQL server and run something like below
CREATE LOGIN [app_usr] WITH PASSWORD=N'password', DEFAULT_DATABASE=[databaseName], DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
USE [databaseName]
GO
CREATE USER [app_usr] FOR LOGIN [app_usr]
GO
/**** You can choose to only run the following statements that you want***/
-- The following gives the user the ability to read all tables in the db
USE [master]
GO
EXEC sp_addrolemember N'db_datareader', N'app_usr'
GO
-- The following gives the user the ability to write to all tables in the db
USE [master]
GO
EXEC sp_addrolemember N'db_datawriter', N'app_usr'
GO
-- The following gives the user the ability to do anything in the db
USE [master]
GO
EXEC sp_addrolemember N'db_owner', N'app_usr'
GO
Additional default roles and a better description can be found here or make your own or whatever - at this point the user is created and you should be able to access it through your application
I have full access to the system on which the SQL Server 2008 R2 is
installed.
If you are local Windows admin, you can restart SQL Server in single user mode and you'll be sysadmin at that moment:
Start SQL Server in Single-User Mode
There is another solution for SQL Server 2008 R2.
As previuosly said, you should be Windows admin on this pc.
You can access SQL Server under LocalSystem account using this program: PsExec v2.2
Just run ir with -s i.e. Run the remote process in the System account.
This way you can connect to SQL Server without restarting it at all.

Server principal already exists but doesn't show in SSMS

I have created Logins in Azure SQL via SSMS on two other environments, but on the third Azure SQL Server, the same exact SQL command creates logins but they don't show in SSMS. I am using these Logins to then users for databases. As I have stated it has worked on every other Azure SQL Server.
However, when I create my Logins, they don't show up under Security > Logins and if I try to create user for the db, I get the following error:
'myuser' is not a valid login or you do not have permission.
Here is my SQL to create the Login:
CREATE LOGIN myuser WITH PASSWORD = 'p#ssword';
Here is my SQL I run on a selected database to add the above created user with execute rights:
CREATE USER [myuser] FROM LOGIN [myuser];
GRANT EXECUTE TO [myuser]
To be clear, the Login (first SQL) said that it is created, but it doesn't show in SSMS and doesn't allow me to create Users in the DBs

Azure SQL Database v12 AD authentication, some users not able to login

Hi I have configured Azure active directory authentication on Azure SQL Server.
After that I have added contained DB users on a SQL Database by using the following queries
Created user
CREATE USER [John.Marsh#contoso.com] FROM EXTERNAL PROVIDER;
Assigned following permissions
EXEC sp_addrolemember 'db_datareader', 'John.Marsh#contoso.com';
GO
EXEC sp_addrolemember 'db_datawriter', 'John.Marsh#contoso.com';
GO
GRANT EXECUTE ON SCHEMA :: dbo TO [John.Marsh#contoso.com];
GO
GRANT ALTER ON SCHEMA :: dbo TO [John.Marsh#contoso.com];
GRANT CREATE TABLE TO [John.Marsh#contoso.com];
GRANT SELECT,DELETE,UPDATE,INSERT TO [John.Marsh#contoso.com];
GRANT VIEW ANY COLUMN MASTER KEY DEFINITION to [John.Marsh#contoso.com];
GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION to [John.Marsh#contoso.com];
Some users are able to login and access the DB but some users getting error message saying login failed for the user.
Do I need to provide more permissions?
By default, connections to Azure SQL that do not specify a specific database will attempt to log into the master database. Because AAD uses group based membership, if a user is part of a group that can access the master database, they will be able to login. Users that get denied login are typically denied because they have not been granted rights to master and no specific database was specified in the connection string.
To connect through SSMS: On the "Connect to Database Engine" dialog select the "Options" button, the "Connection Properties" tab and specify the database name in the "Connect to database:" dropdown. You'll need to know it b/c the user does may not have access to master to read the list of databases on the virtual database server.
You can get a connection string for your tech stack from the Azure Portal under the "Overview" for the database.

How to get CREATE TABLE Permission for windows authentication users in SQL Server express 2005

I recently installed SQL Server 2005 Management Studio Express. When I login to the Database server machinename\SQLEXPRESS using Windows Authentication.
I am unable to create tables or create databases. How do I grant the permissions for the users logged in as Windows Authentication to be able to create tables / databases?
You can make your user part of the sysadmin role
exec sp_addsrvrolemember 'DomainOrComputerName\UserName','sysadmin'
That will solve your problem but it is overkill and grants the users complete access to your database including the ability to delete your databases and technically they can do anything on your computer they want unless you have limited your SQL Server Service accounts rights. To allow the ability to create tables use
Grant Create Table to [domainName\userName] That will give them the ability to create a table in the database where you run that statement.

Resources