I'm not sure how to even ask this question. We are running SQL Server 2008 R2. I'm not the admin, but a programmer. I need to write an application that updates some database stuff at night. I'm going to set a flag to disable logins to the database, but I want to make a particular database unavailable to anyone except me, even if someone is already logged in to the database. My program will run nightly, as a batch file, presumably with admin privileges.
I'm expecting to produce something like a script of SQL commands. I could take the database offline, except I need to make modifications to it myself. Not sure the best way to handle this.
You can basically just set the database to "single-user" mode and use it exclusively - this T-SQL will do this:
USE master;
GO
ALTER DATABASE AdventureWorks2012
SET SINGLE_USER
WITH ROLLBACK IMMEDIATE;
GO
(of course - replace AdventureWorks2012 with your own database name!)
This will make the database "single-user", e.g. only you have access to it, and it will boot off any users that's currently online, and will rollback all open transactions.
Read more about single user mode on MSDN!
This example sets the database to SINGLE_USER mode to obtain exclusive access. The termination option WITH ROLLBACK IMMEDIATE is specified in the first ALTER DATABASE statement. This will cause all incomplete transactions to be rolled back and any other connections to the AdventureWorks2012 database to be immediately disconnected.
Since you are using an administrative account to perform the updates, I'll assume the account is in one of these roles: db_owner, dbcreator, sysadmin. Use the ALTER DATABASE SET ... syntax to control database access during the DML operations.
The assumption is that database users you want to lock out aren't in the above mentioned roles.
USE master;
-- only allow members of db_owner, dbcreator, or sysadmin roles to access
-- database, allowing current transactions time to complete. if you want to
-- drop access immediately, add WITH ROLLBACK IMMEDIATE
ALTER DATABASE SET RESTRICTED_USER;
-- data load
-- return database to normal operating state
ALTER DATABASE SET MULTI_USER;
Related
I would like to somehow protect databases on my SQL Server from being deleted without entering a password, even by someone with administrative access. There are times where a database has been deleted accidentally (for example, when two databases have similar names) and I'd like to prevent this from being an easy mistake to make.
I'm also open to any suggestions or alternative ideas on how to handle this. Thank you!
Create a Server Level Trigger that Rolls back any attempt to delete a database.
The Trigger will need to be disabled then re-enabled to perform any legitimate deletions.
USE [master]
GO
CREATE TRIGGER [Trig_Prevent_Drop_Database] ON ALL SERVER
FOR DROP_DATABASE
AS
RAISERROR('Dropping of databases has been disabled on this server.', 16,1);
ROLLBACK;
GO
DISABLE TRIGGER [Trig_Prevent_Drop_Database] ON ALL SERVER
GO
Or as a process:
Create a single-column, one row table in Master that will hold a database name.
Insert the name of the database in the Table.
Add an If statement to the trigger to check if the Database being dropped is identical to the Database in the table created in step 1. Otherwise Roll-back.
In this case you wouldn't need to disable the Trigger. But you're creating 2 points in the process where you define the database name.
Capturing the Database Name in a Server Level Trigger should be possible with:
SELECT CAST(eventdata().query('/EVENT_INSTANCE/DatabaseName[1]/text()') as NVarchar(128))
I need lock functionality on db to some user, while sa making changes on this db.
Example:
user create some databases:
database1
database2
database3
As sa i want to restrict user to making changes in database1, but user can still make changes in database2-3.
ALTER DATABASE database1 SET SINGLE_USER WITH ROLLBACK IMMEDIATE
isn't an option.
upd. Why isn't an option? Because:
I execute ALTER DATABASE database1 SET SINGLE_USER WITH ROLLBACK IMMEDIATE from java code using hibernate -> i got lock, ok. But when transaction commits other user can connect to database. I want do something like:
1. acquire lock
2. do anything, even restart my java application
3. release lock
I would like to disconnect all users from SQL Server except sa.
The need for this is:
I wrote a db maintenance utility for my ERP. Before running it I need to ask all users to logoff.
So somehow I would like to give them a message (through ERP) "disconnecting in 5 minutes, please save your work and logoff or you'll be kicked out" and then after 5 minutes run the command on the server that disconnects all people.
I want "sa" or anyway "1 specific user" not to be disconnected, since the db maintenance utilty will use that user for db connection.
I found this:
use master
alter database MyDatabase set offline with rollback immediate
but how to say "one specific user is an exception"?
Use single_user instead of offline:
alter database [DatabaseName] set single_user with rollback immediate
The initial "single user" will be the one issuing the alter database command. You could then proceed to only allow specific users to log on:
alter login [LoginName] disable
What is the best way to prevent changes to a database or verify the integrity of this, so that it can not be altered from an application created for this database.
assuming you have a username and password to access the database permits reading - writing.
requirements:
The user has write permissions
Do not depend on a particular system like (MySQL, Oracle, SQL Server)
solution I'm looking for is not based on the user's permissions on the database
Most modern databases allow you to grant reading and writing permissions but while disallowing DDL commands like ALTER TABLE.
Do not give users that should not alter the DB structure permission to execute DDL.
If by "Alter" you mean change any data rows, rather than the database structure, you can grant the user only SELECT rights.
The user or account that your application uses must be granted permissions from the database server. Typically permissions include things like:
Select
Insert
Update
Delete
Alter
Drop
Only give the user account the permissions needed; in other words, don't grant Alter permission, and the application (or anyone using the same login) won't be able to alter tables.
Two strategies: 1) if you are running SQL Server, Oracle, DB2, etc, you can configure permissions so users are reader/writer by default (which means no alter permissions). 2) you can periodically check to see if someone has changed the data structure or even set up a DB trigger to detect changes and record who/when, etc (depends on your DB platform)
I'd like to setup an SQL Auth user in MS SQL 2005 that can restore some, but not all, databases in a particular instance.
I'm not sure if I should use Server Roles for this, since they would seem to apply to all databases, but Database Role membership doesn't seem right either (I don't want the SQL user to potentially 'lose' their restore ability if they restored a backup that didn't contain their database role membership).
How can I accomplish this?
You can't set up a user as such. This permissions sits above database/users at the server/login level
The login could have "dbcreator" which says:
...and can alter and restore their own
databases.
Even using GRANT would be tricky if not impossible, say, to "GRANT CREATE ANY DATABASE"
Restore is, in a way, a drop and create. Or simply a create.
I'd suggest the best solution (but probably not what you want to hear...) would be to create your own stored proc in master that checks rights and issue the RESTORE command if the login is set up as a user in that DB
Example: sp_checkandrestore 'dbname', 'backupfile'