I have following situation: my user connects to SQL Server as a user with no privileges and then he authorises to application role. Is it possible to configure application role to allow him adding MSSQL login and database user when he is already authenticated?
The short answer seems to be no for the logins, at least without setting a trace flag. According to the documentation:
In SQL Server, application roles cannot access server-level metadata
because they are not associated with a server-level principal. To
disable this restriction and thereby allow application roles to access
server-level metadata, set the global flag 4616
I'm not sure why you want to use an application role here anyway: if you trust people enough to let them manage SQL Server security then you might as well just give them securityadmin permissions directly.
It's common practice for trusted administrators to have two Windows or SQL Server logins, e.g. SomeUser and SomeUserAdmin. Only the admin account has permissions to manage security, so they can do most of their work with a normal account without special privileges, and use their admin account only when necessary.
Related
Description
We use Azure SQL database with multiple databases on a server. It is possible to grant permissions to a single database via the user's Azure AD login by creating a group, say "DBReader". in AAD and assign the group to the role "Reader" via the server's settings in azure portal and then create a user when connected to the database as CREATE USER [DBReaders] FROM EXTERNAL PROVIDER, which will allow connecting to the single database.
Problem
We'd like to grant read access to all databases, so that the user sees all databases with a single connection and must not add them separately. Normally, you'd create a login on the server for this. However, the preview feature https://learn.microsoft.com/en-gb/sql/t-sql/statements/create-login-transact-sql?view=azuresqldb-mi-current, which would allow CREATE LOGIN ... FROM EXTERNAL PROVIDER is not available for Azure SQL database.
Question
Is there any way we did not think of to simply grant access to all databases via an AAD group?
Is there any way we did not think of to simply grant access to all databases via an AAD group?
No. Outside of Managed Instance, which requires a minimum of 4 vCores, Azure SQL Database users must be added to each database.
A suitable solution would involve the user to being able to see all databases he has permissions to at once
For Azure SQL Database, this requires the client to connect to Master to, and then reconenct to switch databases. SQL Server Management Studio does this, but other clients may not.
I have a Admin user in SQL user who is a Windows user(Windows authentication).
I have removed that user from admin group on windows and added as a Normal/Guest user.
What happens to my SQL server level privilege if I login with Windows authentication? Will it be same as earlier or it will changed as the Windows account has been downgraded and windows privileges has been reduced?
The permissions of a user AD account in the domain and the permissions the user/login itself has within SQL server are completely separate. An AD user could have the lowest permissions possible on the domain but still be a sysadmin on SQL Server, and vice versa.
You can, however, use AD roles to provide permissions on SQL Server. If the AD user has been removed from roles in the AD, which also have permissions on SQL Server, they would have those permissions revoked. Conversely if they are added to an AD group that has permissions on SQL Server, then would gain those GRANT/DENY permissions. What those permissions are is completely specific to your environment.
New to SQL Managed Instances. Currently I am testing our on-prem SQL databases in an Azure Managed Instance. There are some logging procedures in our application database which are gathering information to save in an audit trail. Some of these are referencing some of the DMVs such as sys.dm_exec_connections and sys.dm_exec_sql_text.
Accessing these using the MI administrator user works fine. However it is the AD service account which will be accessing the database. This service account does not appear to have access to those.
The service account has been added to the db_owner role within the database but I am not able to set at the server or database level the view server state and view all definitions permissions. I cannot see anything which could be the equivalent in a Managed Instance.
Does anyone know how and where to look in order to resolve this?
I have even tried with an account that is the AD Admin account of the instance.
Many thanks.
Please use sql logins instead of AAD login/users for this scenario.
In the current version of Managed Instance you can either create global AAD Admin that don't have full server admin privileges, or you can create contained AAD users as CREATE USER myusr FROM EXTERNAL_PROVIDER that cannot get server-level permissions because grant permission at server level can be given to server-level logins and not database-level users.
In the future we will have better AAD logins that are much similar to the existing Windows logins, but in the meantime, it might be painful if you try to setup this scenario with the existing AAD login/users.
We are using SQL Server 2012.
I'm granting access to some one from out side my company.
I hide all Databases except his one.
Is there any possible way to hide all users and logins?
We want him to have information as few as possible about our server at SSMS.
How can we do this?
You could deny VIEW ANY DATABASE to the public role. However, after doing that, all logins without this permission will only see the databases that they own, along with master and tempdb.
Logins in only the public role can not view other logins, so as long as you leave them out of server roles, that issue shouldn't be an issue for you either. See sys.server_principals permissions for more details.
Any login can see their own login name, the system logins, and the fixed server roles. To see other logins, requires ALTER ANY LOGIN, or a permission on the login.
I've a user account on a development SQL express on a remote server. This account has all privileges granted to it but when I use SQL express remotely then I'm not able to make changes to tables. If I log into the virtual machine and sign in with same user I can make changes.
It says I'm not database owner or system administrator. I think I may need to use ownership chaining or somehow designate my user account as administrator?
Thanks.
This is what I'm seeing:
http://fogcreek.com/FogBugz/kb/errors/SysAdminRole.html
I'm using SQL Server Authentication but I'm not the owner but have 'grant' all rights.
Got it! This explains how I can add my user to the appropriate role and that fixes the problem.
https://web.archive.org/web/1/http://articles.techrepublic%2ecom%2ecom/5100-10878_11-1061781.html?tag=mantle_skin