how do I limit the user access to the database I installed to the management studio for only certain people(probably me alone) to access?
But I got a surprise when I saw the database I installed to my client pc was able to be opened using window authentication. I thought it is only able to be opened by the new user I created for that database.
so how do I remove the database from being viewed by those login using window authentication.
In the SQL management studio go to "Security". Its quite possible that you will find some Windows accounts in there. This is normal behavior and they are put there on installment of the SQL instance.
What you can do is delete the ones you don't want poking around in the DB. Make sure that you at least keep 1 db administrator.
You can also restrict their access to read_only. Read this article on creating/editing users. Goto the properties of the user you want to edit and goto "Manage Server Roles". Learn more about server roles here
Related
I have a (S:\) drive with permissions for only myself and the SYSTEM user.
I just downloaded SQL SERVER EXPRESS 2017, and when I go to create a new database, it cannot see that drive as a place to create the database.
I tried giving the Everyone group full permissions on the drive, and then it showed up as a place to make the new database.
I am wondering what user I need to actually give permissions too, as it is clearly not running under my user, since my user has full control on the drive, and it's not running as SYSTEM, since that user has full control of the drive. I don't want to give "Everyone" permissions to the drive.
Note: Doing a bit more experiments, after removing the Everyone permissions, I went looking through my users list (in the Security tab of the Drive properties), and the only user that looks to have anything to do with SQL is SQLServer2005SQLBrowserUser${myUserName}, but giving this user full control did not allow SSMS to see the drive again.
Run this query:
SELECT * FROM sys.dm_server_services
And you will see current available services on your SQL Server instance and the account mapped to each one. Add permissions to the one that's below the servicename: SQL Server (MSSQLSERVER), it will be most likely NT Service\MSSQLSERVER.
If you use Jobs on the Agent, you will need to give permissions to that account also.
How do I set up a database so that one does not have access to it? Even with installing SQL Server Management Studio on local machine.
In SQL Server with Windows user or sa can access all databases. How do you limit the access DB of the users?
For assuming that SQL Server is installed on the local machine, not on the server
You can try Single User Mode.
From the linked MSDN article:
Single-user mode specifies that only one user at a time can access the database and is generally used for maintenance actions.
Edit: You edited your question. Now it sounds more like you're asking about Security instead of how to limit the database to one user.
You can edit a user's security in SQL Server Management Studio by drilling down into Security > Logins. There you will see all logins to your instance. You can right click these entries and select Properties to made updates. The easiest way to completely bar a user from accessing any of the databases on the server is by selecting "Disabled" from the "Status" tab.
Well, if you really want to limit this to just one user, there is a simple way (but a bit risky).
Your Windows user is included in the group BuiltinAdministrators. If you really want to remove your Windows user, rerun the installation process and during the setup just change the users in those group.
But beware, you should provide another user, which has access to your database otherwise you end up with a database server without access to it.
Ater that, setup a database login and grant him access to the database you desire.
In the end, you can disable the sa login. This will prevent access with the sa account. But you should have a user which can manage logins and more. Otherwise you have no chance to recreate the password or any other administrative tasks.
I am a Caché admin so I have have all access to the system managment portal. I would like to use Caché studio but my login doesn't seem to be setup properly for that. I am new to Caché, only been using it for 2 months now, I am learning the Jargon. So things may be flying over my head as I sift through manuals.
Is it possible for me to create the credentials in the system management portal so that I may access Caché Studio?
I'm using Caché 2010.2 and I have Caché Studio and Terminal installed.
From my research, I have gathered:
To log in to Studio, you need to use a user who holds the following privileges: %Development:Use and %Service_Object:Use
My system management portal (SMP) Id has %all privileges and I added in those 2 privledges for the heck of it to no avail.
You can only connect to a namespace that you have R/W permission to in the default database.
Our database is used by one application. I already have R/W for the application database. When I open up Studio, the only namespace that I see is: CACHE (localhost(1972)). I assume that it's the whole system database. I then granted my Id R/W access to it to no avail. Also everything is happening locally, I am doing all of this on the db server.
I tried the default logins (leaving Username and Password blank) and the default system login, to no avail.
I am the only one at my organization administering this database.
I would like to gain access to our own Caché studio.
Try this:
Caché cube -> Preferred server -> Add/Edit
Add the server with the System Management Portal (SMP) here. Give it any name, copy the IP.
Set ports to 1972(1973), 23, 57772(57773), authentication to password, everything else blank.
If I'm right, you have the SMP address in browser's bookmarks, not the Caché cube. When you do this, you should be able to open Studio from Caché cube and SMP or Terminal, too.
If the ports differ, try to find the right ports in the SMP. The portal changed a lot, so I can't really say where you should look for it, I have Ensemble 2012 on my work PC.
Predefined User Accounts
use
login: _SYSTEM
pass: SYS
I believe you are trying to connect to a wrong server. localhost:1972 is your local computer. To add a new server to that list, go to cache cube -> Remote access -> add/delete... and add your real server.
Or, just press "connect..." button in that Studio dialogue and enter server info there.
click in the bottom of windows bar next to hour. And then you will see Studio in the context menu
welcome !
I have found an answer (there may be more).
I had no Caché studio and terminal access because these services in the System Management Portal (SMP) under "Home>Security Management>Services" were set to delegated only: %Service_Bindings and %Service_Console. %Service_Bindings is the service that controlled access to caché studio. My caché admin account is not a delegated account. The default account _SYSTEM is not enabled (Home>Security Management>Users). I have tried enabling the account but something in the background seems to lock it after I do that - I have yet to find out what that is (new to Caché). It's probably not a good idea to have the default account enabled anyways.
Now, after editing the definition for service %Service_Bindings to allow a password authentication method, I can now use my Caché admin credentials to get into Caché Studio.
To edit service defintions through the SMP, follow these menu breadcrumbs: "Home>Security Management>Services" then click on the service that you wish to edit. In Caché 2010.2, there's 3 authentication methods that you can use for each serivce: unauthenticated, password, delegated.
If anyone has a better solution please inform!
Sorry for my English. When installed, the program asks for a password, write to the SYS. Then you can go without a shed under the account "Admin"
when I deploy adventure works cube it fails, and i get: user does not have permission to create a new object in 'GARY-PC', or the object does not exist.
trying to process cube from adventureworks DW and having what seem like permissions issues (?).
took following steps (i am using sql server 2008 R2 developer edition and VS 2008):
1 downloaded and successfully created adventureworksDW (2008R2) database from
2 successfully created Datasource and DSV for a cube with 2 fact tables and several dimensions.
3 Click deploy
I see the following 2 prompts
Login: greyed out, can’t type anything here
the password is required for the impersonation account of data source Adventure Works DW.
Now, Whether I enter a password or not, I get:
Error 3 Either the 'Gary-PC\Gary' user does not have permission to create a new object in 'GARY-PC', or the object does not exist. 0 0
what objects is SSAS trying to create? are these objects in the relational database?
You have to add your user account as an administrator in the Analysis Services portion of the SQL server.
For some reason the database and the analysis services portion of the server do not share login information. The user you run Visual Studio under needs to have administrative access to the Analysis Services engine; this is the reason running as administrator works. The account you use to access the Database Engine is arbitrary.
Right-click on the SQL Server Management Studio icon and then select "Run as Administrator"
Select "Analysis Services" from the "Server type:" drop-down list in the "Connect to Server" dialog box, then click connect.
Right-click on the localhost definition in the Object Explorer panel and select Properties.
Click on Security in the left panel of the Analysis Server Properties.
Click the Add... button and type your user name and click the Check Names button to make sure you typed it right. Then click OK.
Click OK.
Note: This may not the most secure solution, but it enables not running Visual Studio as administrator every time and possibly opening up yourself to attack.
The Error message is:
"domain\user does not have permission to alter object 'mf20'..................."
I gone through the work around and found the solution as below:
Open Services, go to Analysis services--->right click on it -->
Properties-->LogOn --> select This Account -->give server and your
user name here. confirm it is your user, click ok.
Stop the service and again start the service. check the service Log On As in your user name.
That's it. save your cube in BIDS and close and reopen the cube, then deploy the cube. it will deploy and process it.
I hope this will help.
I had the same exact issue, but I was using the Adventure Works DW 2012. The problem is not on the database end but how your trying to deploy. When you run BIDS (or SQL Data Tools 2012 or Visual Studio 2010) use the "Run as Administrator" menu option. It will then ask you to authenticate, but the authentication should be accepted.
The user account you're using to deploy the SSAS database must have appropriate access to the SSAS instance in order to create the database and objects inside. Since this is a dev-setup, you could try adding your user account to the Server Admins.
In SSMS, log into the SSAS instance and right click on it (in the object explorer) and select properties. The last option in the left-pane is security and here is where you can add admin users.
are you talking about the " impersonation information" tab when you double click on the data source ? You should set it to "use service account"
In BIDS Solution Explorer → select the (in my case xx=08) Data Source and double-click on it. From the Data Source Designer screen click on the “Impersonation Information” tab, and enter the username and password of the user who has access for that remote data base or data source, and click OK.
I'm running an IIS 7 Website with an AppPool of Integrated Pipeline Mode.
The AppPools does NOT run under NetworkService, etc.. identity (by purpose), but uses its own AppPool Identitiy (IIS AppPool\MyAppPool).
This is a so called service account or virtual account.
(a user account, which is not a full account...)
I'd like to give this service account (IIS AppPool\MyAppPool) permissions to connect to my SQL Server 2008 Express (running in Mixed Auth. Mode).
While SQL Server can add any normal user account, the IIS AppPool\MyAppPool virtual account cannot be added to the valid logons (SQL Server says, that the account cannot be found).
Is there any trick, anything I need to enable to make the virtual accounts work?
(the w3wp.exe process runs under this identity according to taskmgr, but I cannot use the account in NTFS security either...)
Thanks for your help!
The "IIS APPPOOL\AppPoolName" will work, but as mentioned previously, it does not appear to be a valid AD name so when you search for it in the "Select User or Group" dialog box, it won't show up (actually, it will find it, but it will think its an actual system account, and it will try to treat it as such...which won't work, and will give you the error message about it not being found).
How I've gotten it to work is:
In SQL Server Management Studio, look for the Security folder (the security folder at the same level as the Databases, Server Objects, etc. folders...not the security folder within each individual database)
Right click logins and select "New Login"
In the Login name field, type IIS APPPOOL\YourAppPoolName - do not click search
Fill whatever other values you like (i.e., authentication type, default database, etc.)
Click OK
As long as the AppPool name actually exists, the login should now be created.
CREATE LOGIN [IIS APPPOOL\MyAppPool] FROM WINDOWS;
CREATE USER MyAppPoolUser FOR LOGIN [IIS APPPOOL\MyAppPool];
You can solve like this,
Open "Applications Pools",
You should right click that you have choosed application pool. Then choose
"Advanced Settings".
Click three point on the Identity tab then you should choose "LocalSystem" from field of "Built-in-account"
If you do this way, you don't need to create a user in database.
If you're going across machines, you either need to be using NETWORK SERVICE, LOCAL SYSTEM, a domain account, or a SQL 2008 R2 (if you have it) Managed Service Account (which is my preference if you had such an infrastructure). You can not use an account which is not visible to the Active Directory domain.
As a side note processes that uses virtual accounts (NT Service\MyService and IIS AppPool\MyAppPool) are still running under the "NETWORK SERVICE" account as this post suggests http://www.adopenstatic.com/cs/blogs/ken/archive/2008/01/29/15759.aspx. The only difference is that these processes are members of the "NT Service\MyService" or "IIS AppPool\MyAppPool" groups (as these are actually groups and not users). This is also the reason why the processes authenticate at the network as the machine the same way NETWORK SERVICE account does.
The way to secure access is not to depend upon this accounts not having NETWORK SERVICE privileges but to grant more permissions specifically to "NT Service\MyService" or "IIS AppPool\MyAppPool" and to remove permissions for "Users" if necessary.
If anyone has more accurate or contradictional information please post.
Look at: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
USE master
GO
sp_grantlogin 'IIS APPPOOL\<AppPoolName>'
USE <yourdb>
GO
sp_grantdbaccess 'IIS APPPOOL\<AppPoolName>', '<AppPoolName>'
sp_addrolemember 'aspnet_Membership_FullAccess', '<AppPoolName>'
sp_addrolemember 'aspnet_Roles_FullAccess', '<AppPoolName>'
This may be what you are looking for...
http://technet.microsoft.com/en-us/library/cc730708%28WS.10%29.aspx
I would also advise longer term to consider a limited rights domain user, what you are trying works fine in a silo machine scenario but you are going to have to make changes if you move to another machine for the DB server.
I figured it out through trial and error... the real chink in the armor was a little known setting in IIS in the Configuration Editor for the website in
Section: system.webServer/security/authentication/windowsAuthentication
From: ApplicationHost.config <locationpath='ServerName/SiteName' />
called useAppPoolCredentials (which is set to False by default. Set this to True and life becomes great again!!! Hope this saves pain for the next guy....
In my case the problem was that I started to create an MVC Alloy sample project from scratch in using Visual Studio/Episerver extension and it worked fine when executed using local Visual studio iis express.
However by default it points the sql database to LocalDB and when I deployed the site to local IIS it started giving errors some of the initial errors I resolved by:
1.adding the local site url binding to C:/Windows/System32/drivers/etc/hosts
2. Then by editing the application.config found the file location by right clicking on IIS express in botton right corner of the screen when running site using Visual studio and added binding there for local iis url.
3. Finally I was stuck with "unable to access database errors" for which I created a blank new DB in Sql express and changed connection string in web config to point to my new DB and then in package manager console (using Visual Studio) executed Episerver DB commands like -
1. initialize-epidatabase
2. update-epidatabase
3. Convert-EPiDatabaseToUtc
For the ApplicationPoolIdentity, add a login/user in MSSQL as IIS_IUSRS which is corresponding to the default pool.