I need a T-SQL statement to check if a user is member of a database role in SQL Server. Specifically I need to know if the user is member of the dbo role, because then I don't have to grant additional authority to that user.
If I try to add additional authority when the user is dbo it fails, and my script fails...
IS_ROLEMEMBER?
IF IS_ROLEMEMBER ('db_owner') = 1
BEGIN
PRINT 'Is owner'
END
Or, if querying for a different user:
IF IS_ROLEMEMBER ('db_owner','other user') = 1
BEGIN
PRINT 'Is owner'
END
Here is an example from the MSDN page on the IS_MEMBER function:
-- Test membership in db_owner and print appropriate message.
IF IS_MEMBER ('db_owner') = 1
PRINT 'Current user is a member of the db_owner role'
ELSE IF IS_MEMBER ('db_owner') = 0
PRINT 'Current user is NOT a member of the db_owner role'
ELSE IF IS_MEMBER ('db_owner') IS NULL
PRINT 'ERROR: Invalid group / role specified'
This is what I ended up doing: (edit based on comment)
DECLARE #ISSYSADMIN INT
SET #ISSYSADMIN = (SELECT COUNT(1)
FROM sys.syslogins
WHERE sysadmin = 1 AND loginname = '$(ContentAccount)')
The $(ContentAccount) is of course a parametrization which has the user domain and name!
This solves my problem because when we deploy a new database we are assigning permissions manually. But in development environments where the user we try to add already is sysadmin they fail. So if we check for sysadmin membership that is enough to cover the dev server scenario.
Then I do this to check membership:
IF (#ISSYSADMIN = 0)
BEGIN
-- Add authority
END
IS_SRVROLEMEMBER is the function you want.
IF IS_SRVROLEMEMBER ('sysadmin','myuser') = 1 PRINT 'Is SysAdmin'
IF IS_SRVROLEMEMBER ('serveradmin','myuser') = 1 PRINT 'Is ServerAdmin'
Reference
Related
Using SQL Server 2016, I am trying to configure a user other than 'SA' to import a file. The code I am executing is as follows:
EXECUTE AS USER = 'DataImports';
SELECT CURRENT_USER;
EXEC xp_cmdshell 'TYPE myFileNameHere.txt'
BULK INSERT DataImports.staging_AddressBook
FROM 'myFileNameHere.txt'
WITH (DATAFILETYPE = 'char'
, FIRSTROW = 2
, FIELDTERMINATOR = ' '
, ROWTERMINATOR = '\n');
The error that I get is:
Msg 4834, Level 16, State 1, Line 20
You do not have permission to use the bulk load statement.
I have validated the following:
I do have access to the file as the user required - The cmdshell TYPE returns the rows expected. I do not appear to have a file access issue.
I have INSERT permission on the database in general.
I tested by using:
SELECT
[DatabaseUserName] = princ.[name],
[PermissionType] = perm.[permission_name],
[PermissionState] = perm.[state_desc]
FROM
sys.database_principals princ
LEFT JOIN
sys.database_permissions perm ON perm.[grantee_principal_id] = princ.[principal_id]
WHERE
princ.[name] = 'DataImports';`
I do have the bulk admin role
SELECT
r.name AS [RoleName],
m.name AS [MemberName],
CASE
WHEN m.name IS NOT NULL THEN 1 ELSE 0
END AS IsMember
FROM
sys.server_principals r
LEFT JOIN
sys.server_role_members rm ON (r.principal_id = rm.role_principal_id)
LEFT JOIN
sys.server_principals m ON (rm.member_principal_id = m.principal_id)
WHERE
r.type = 'R' AND m.name = 'Dataimports';
I have even configured the user to be a sys-admin (not part of the long term plan) but I'm still getting the error.
These are the main points that have been highlighted in the other SO tickets and general searches I have performed. I can import the table as SA but not as DataImports despite what appears to be correct configuration.
This is part of a job that is being run and currently we are having to give SA access just to read a file. Security wise this is less than ideal but I cannot work out what is missing.
Any suggestions of what else to check would be gratefully received - all the basics seem to be in place.
Any suggestions
of what else to check would be gratefully received - all the basics
seem to be in place.
Few things:
GRANT ADMINISTER BULK OPERATIONS TO Dataimports
If the destination table contains triggers or checks constraints
GRANT ALTER ON TABLE DataImports.staging_AddressBook TO Dataimports
And
ALTER DATABASE [yourDB] SET TRUSTWORTHY ON;
Because of:
For security considerations, the server-scoped permissions are
stripped down when you impersonate a database user unless the system
administrator has explicitly set SQL Server to trust the impersonated
context at the server-scope. In this case, a login with the control
server server-scoped permission has no permissions to access any
particular database. Therefore, the trigger module that is executed as
this login cannot run.
I am executing a SQL script in SQL Server Management Studio 2018. In my script I need to specify a user (including the domain - unsure if I need the server name).
So I have created a user sam, set the user type to SQL user without login and set the users role to db_datareader and db_datawriter.
I then execute my script but it gives me the error: User or role 'MHT.sam' does not exist in this database.
But I am almost certain I have added this user to the database (see my images below to double check). Is my user and domain name format correct? What do you think I am doing wrong?
Here's my domain and server:
The error is pretty obvious.
In your screen shot in the object explorer you have a user called SAM, but for sp_AddRoleMember you are using MHT.SAM user.
Your sp_addrolemember should also have only Sam something like...
Exec sp_addrolemember N'RunStoredProc' , N'Sam'
GO
Also to double check what your user type is what login it is mapped to and what really is going on, use the following query.
SELECT
d.name AS User_Name
, d.type_desc AS User_Type
, d.default_schema_name AS User_default_schema_name
, d.create_date AS User_Created_Date
, s.name AS Login_name
, s.type_desc AS Login_LoginType
, s.is_disabled AS Login_is_disabled
, s.create_date AS Login_create_date
, s.default_database_name AS Login_default_database_name
, s.default_language_name AS Login_default_language_name
FROM sys.server_principals s
INNER JOIN sys.database_principals d on s.sid = d.sid
WHERE d.name = 'Sam'
I am trying to get a better understanding of the distinction between users & logins. I know how to create them, and I understand that they are required, but I don’t yet understand how SQL Server uses this distinction.
As far as I understand, a login has access to the Server, while a user has access to a database and its objects.
If I execute the following:
CREATE LOGIN fred WITH PASSWORD='…';
USE stuff;
CREATE USER wilma FOR LOGIN fred;
USE nonsense;
CREATE USER pebbles FOR LOGIN fred;
Then I have a Login of fred with two user names associated with two databases. My guess is that these user names can be regarded as aliases for fred.
I undersand that it is common to use the same username as the login name, but clearly not necessary.
The next step is to login as fred. I cannot login as one of the users.
At this point, I don’t see what happens next. How do I become one of the users, and what would do for me?
You never authenticate as a user.You authenticate as a login, which then maps to a single user in zero or more databases.
Create the login
CREATE LOGIN fred WITH PASSWORD='fredsecret', CHECK_POLICY = OFF;
GO
Create the users
USE stuff;
CREATE USER wilma FOR LOGIN fred;
GO
USE nonsense;
CREATE USER pebbles FOR LOGIN fred;
GO
Change context so it looks like I'm fred
SELECT SUSER_SNAME() --gbn
EXECUTE AS LOGIN = 'fred'
SELECT SUSER_SNAME() --fred
Note the differences
USE stuff
SELECT SUSER_SNAME(), USER_NAME()
USE nonsense;
SELECT SUSER_SNAME(), USER_NAME()
GO
and go back to me
REVERT
The name of the login (fred in this case) is only used for authentication to SQL Server. After authentication you mostly use the sid value: which links login (server principal) and user (database principal)
SELECT name, sid FROM sys.server_principals
USE stuff
SELECT name, sid FROM sys.database_principals
USE nonsense
SELECT name, sid FROM sys.database_principals
In my case, it is 0xC7C14DE4BFDF2445A7DABE158CC399F0
Note, sid is unique in a database. This will fail
USE nonsense;
CREATE USER barney FOR LOGIN fred;
GO
Msg 15063, Level 16, State 1, Line 10
The login already has an account under a different user name.
You connect to the server under the login, on base stuff will be CURRENT_USER wilma and on nonsense CURRENT_USER = pebbles
I create the database in Management Studio. Added a SQL authenticated user to the list of users for the DB.
I set up (granted) the permissions like so:
use DjangoDB;
grant select,insert,update,alter,delete,references to django;
select
a.*,
b.name
from sys.database_permissions a
inner join sys.database_principals b
on a.grantee_principal_id = b.principal_id
and b.name = 'django'
The output of this command is:
class class_desc major_id minor_id grantee_principal_id grantor_principal_id type permission_name state state_desc name
0 DATABASE 0 0 5 1 AL ALTER G GRANT django
0 DATABASE 0 0 5 1 CO CONNECT G GRANT django
0 DATABASE 0 0 5 1 DL DELETE G GRANT django
0 DATABASE 0 0 5 1 IN INSERT G GRANT django
0 DATABASE 0 0 5 1 RF REFERENCES G GRANT django
0 DATABASE 0 0 5 1 SL SELECT G GRANT django
0 DATABASE 0 0 5 1 UP UPDATE G GRANT django
So the user appears to have the permissions (especially select which it will later claim is not a permission this user has)
Then I run python manage.py syncdb
Syncing...
Creating tables ...
Creating table auth_permission
Creating table auth_group_permissions
Creating table auth_group
Creating table auth_user_user_permissions
Creating table auth_user_groups
Creating table auth_user
...
and I (sometimes) get an error like:
File "E:\python\cloudbox\.cloudbox\lib\site-packages\sqlserver_ado\dbapi.py", line 99, in standardErrorHandler
raise errorclass(errorvalue)
DatabaseError: (-2147352567, 'Exception occurred.', (0, u'Microsoft OLE DB Provider for SQL Server', u"User 'django' does not have permission to run DBCC checkconstraints for database 'DjangoDB'.", None, 0, -2147217900), None)
Command:
DBCC CHECKCONSTRAINTS
Parameters:
[]
When I look up this error, it says:
Requires membership in the sysadmin fixed server role or the db_owner fixed database role.
I can find a whole list of roles to put this user into, but none of them are sysadmin. Where is this role hidden?
If I immediately rerun syncdb without changing anything, I get a different error though:
sqlserver_ado.dbapi.DatabaseError: (-2147352567, 'Exception occurred.', (0, u'Microsoft OLE DB Provider for SQL Server', u"The SELECT permission was denied on the object 'django_content_type', database 'DjangoDB', schema 'dbo'.", None, 0, -2147217911), None)
Command:
SELECT [django_content_type].[id], [django_content_type].[name], [django_content_type].[app_label], [django_content_type].[model] FROM [django_content_type] WHERE ([django_content_type].[model] = ? AND [django_content_type].[app_label] = ? )
Parameters:
[Name: p0, Dir.: Input, Type: adBSTR, Size: 10, Value: "permission", Precision: 0, NumericScale: 0, Name: p1, Dir.: Input, Type: adBSTR, Size: 4, Value: "auth", Precision: 0, NumericScale: 0]
Now it says the user doesn't have the SELECT privilege? But above it shows it DOES have the select privilege?
Is there some magic to granting the select privilege?
So, now the plot thickens. I make the sql user 'django' OWN the database. Now, everything will work, everything creates, no errors, south migration works.....
But I don't want my webserver user being the "owner" of the db. I want it to be able to do things like select,insert,update,alter,delete,references. But it seems like I can't just give it a limited set of permissions so it can fulfill that role. This seems a lot like running XP as administrator, something that does NOT make sense.
What am I doing wrong on permissions? Why does the webserver db user have to OWN this db?
Some Answers:
1) sysadmin is a Server Role, and not a database role like db_owner. It is much more powerful than making your user the database owner, so you definitely do not want to give it out.
2) For reasons that are something of a mystery, object-access permissions effectively must be granted to both the database (DjangoDB) and the schema (dbo). You already did the database, now you have to do the same for the schema. Here is what these commands might be in T-SQL:
GRANT DELETE ON SCHEMA::[dbo] TO [django]
GRANT EXECUTE ON SCHEMA::[dbo] TO [django]
GRANT INSERT ON SCHEMA::[dbo] TO [django]
GRANT REFERENCES ON SCHEMA::[dbo] TO [django]
GRANT SELECT ON SCHEMA::[dbo] TO [django]
GRANT UPDATE ON SCHEMA::[dbo] TO [django]
GRANT VIEW DEFINITION ON SCHEMA::[dbo] TO [django]
3) As for DBCC, it is a very powerful utility command, consequently, it requires powerful permissions. You may be able to grant your user the db_owner role instead of making them the owner of the database, but really that's not much better. Ideally, either your syncdb should only be executed by an admin instead of your app's users, or you should make a stored procedure to do the DBCC authorizing the proc with EXECUTE As OWNER, then authorize the user to that stored proc (already done if they are authorized to the schema, as above), and finally have syncdb changed to call that procedure instead of doing the DBCC directly.
sysadm is a server role.
The second error is occurring against a database called Amegy
You should not use the same user for both deployments and running the application code. They are different roles with different permission requirements.
Django's syncdb command requires the ability to enable/disable constraints and is part of its database API.
I want to unlock one account in SQL Server. Before unlocking I have to check whether that account is locked or not.
I want to unlock only if the account is locked.
Is there any SQL query or stored procedure to get the "Locked" status of SQL user?
Posting Answer on Behalf of Alex K.
SELECT LOGINPROPERTY('loginname', 'IsLocked')
Do you mean a login name that has Login: Denied ? If so you can:
SELECT is_disabled from sys.server_principals WHERE name = #loginname
Listing all logins with unlocked statuses in all Databases (active all logins on all DBs)
SELECT name, is_disabled, LOGINPROPERTY(name, N'isLocked') as is_locked,
LOGINPROPERTY(name, N'LockoutTime') as LockoutTime into #tmp_is_disabled
FROM sys.sql_logins
WHERE LOGINPROPERTY(name, N'isLocked') = 0
select * from #tmp_is_disabled where is_disabled ='false'
~~regarding~~
~~pektas~~