XXX Schema default - sql-server

In Microsoft SQL Server, I have a schema XXX.
Q: How do I create a user XXX such that issuing the following command:
SELECT * FROM Table
is the same as
SELECT * FROM XXX.Table
Here's what I have so far:
CREATE SCHEMA XXX authorization dbo -- I think
CREATE LOGIN XXX
WITH PASSWORD = '123';
CREATE USER ItDontMatter FOR LOGIN XXX
WITH DEFAULT_SCHEMA = XXX;

Correct.
The DEFAULT_SCHEMA option is what you use
Specifies the first schema that will be searched by the server when it resolves the names of objects for this database user.
and
If DEFAULT_SCHEMA is left undefined, the database user will use dbo as its default schema. DEFAULT_SCHEMA can be set to a schema that does not currently exist in the database. DEFAULT_SCHEMA can be set before the schema that it points to is created.

As a small note to gbn's answer, the two are never exactly the same. If you do not specify the table owner, SQL Server will not cache your query because it's not sure about access rights. So for performance, always specify schema.table in your queries, procedures, functions and views.

Related

Objects being created as DBO for all users in SQL Server application

We have Windows Authentication on our SQL Server Databases.
Every object gets created as dbo which I don't mind. But we are unable to track who created what? Can someone help on how it can be managed so we can at least track who is doing what? The login names from the trace is also generic
login name - ABC\gMSA_SQL$
If I login to the server with my windows authentication and run the below command select SUSER_NAME(), I can see my username and not a generic one. So now if I create a table where can I get this username from?
The default schema of the user are set to dbo. It could be due to many reasons, as mentioned in the below msdn reference
The default schema will be the first schema that will be searched by
the server when it resolves the names of objects for this database
user. Unless otherwise specified, the default schema will be the owner
of objects created by this database user.
If the user has a default schema, that default schema will used. If
the user does not have a default schema, but the user is a member of a
group that has a default schema, the default schema of the group will
be used. If the user does not have a default schema, and is a member
of more than one group, the default schema for the user will be that
of the Windows group with the lowest principal_id and an explicitly
set default schema. (It is not possible to explicitly select one of
the available default schemas as the preferred schema.) If no default
schema can be determined for a user, the dbo schema will be used.
DEFAULT_SCHEMA can be set before the schema that it points to is
created.
DEFAULT_SCHEMA cannot be specified when you are creating a user mapped
to a certificate, or an asymmetric key.
The value of DEFAULT_SCHEMA is ignored if the user is a member of the
sysadmin fixed server role. All members of the sysadmin fixed server
role have a default schema of dbo.
You can find out the default schema of the users by running the below query. Refer to sys.database_principals
SELECT default_schema_name FROM sys.database_principals
If you want to restrict the users to only create objects on their schema, you have to do below things:
CREATE SCHEMA [userPrincipalSchema];
GO
CREATE USER [userPrincipal]
WITH PASSWORD='SUPERCOMPLEXPASSWORDHERE'
, DEFAULT_SCHEMA=[userPrincipalSchema]
GO
DENY ALTER ON SCHEMA::[dbo] to [userPrincipal]
GO
ALTER AUTHORIZATION ON SCHEMA::[userPrincipalSchema] to [userPrincipal];
GO
GRANT CREATE TABLE, CREATE VIEW, CREATE PROCEDURE TO [userPrincipal];
GO
This way, you can ensure that the [userPrincpal] is able to create objects only on their schema and you can track, the objects created by them.

Default dbo schema for user from ACL group

I have following situation
ACL group: domain\aclgroup
user account: domain\account
user account is a member of the ACL group
in the sql server ACL group is added to the server logins, mapped to the database with default schema dbo.
user account is not added to the sql server, I can log by this user account base on that ACL group
So the default schema as I though for the user account should be dbo, but it is not.
When I try to create a table without schema like: CREATE TABLE Test (id int), it creates this table in the schema: [domain\user].Test
Why it behaves like this and how I can setup it to create a table in dbo without explicitly typing CREATE TABLE dbo.Test?
I found the problem, user account was not present (deleted?) from server logins but it was present in the database users, with own schema. After deletion of the user, the default schema is dbo

SQL Server user permission on different schema

I have an SQL Azure database and there are already thousands of objects under the DBO schema.
I want to create a new user with specific access requirements
the requirement is below.
User can only see a few of the objects under the dbo schema
User can make an update/select/alter/execute..etc. any type of modifications, including adding or removing columns from the objects they are allowed to see.
User can add new objects under the dbo schema.
User should not see the objects(which they are not allowed to see) under the dbo schema in the SSMS browser.
Can you help me to setup the user with specification above?
As Dan Guzman said this would be possible without #3. Beacuse "Create table" is only a database level permission, cannot be assigned at the schema level.
A user can be defined as the schema owner. If the user has "Create Table" permissions at the database level and is a schema owner, all tables will be created in the schema he/she owns.
Create login and user in Azure SQL:
use master;
CREATE login user1 with password='SafePassword'
use userDb;
CREATE USER user1 FOR LOGIN user1;
GO
We can use following query to generate grant T-SQL script. Select the tables you want to grant to the user.
SELECT 'GRANT SELECT,INSERT,DELETE,UPDATE ON "' + TABLE_SCHEMA + '"."' + TABLE_NAME + '" TO "user1"' FROM information_schema.tables

recreate user with schema

Following code recreates a user:
-- Remove link to order schema
ALTER AUTHORIZATION ON SCHEMA::order TO dbo
-- Recreate order user without login
DROP USER order
CREATE USER order WITH DEFAULT_SCHEMA = order
-- Restore link to order schema
ALTER AUTHORIZATION ON SCHEMA::order TO order
My question is, why do we need to remove link to schema before dropping a user, and restore it back after user created?
The behavior of Schemas changed in SQL Server 2005. Schemas are no longer equivalent to database users; each schema is now a distinct namespace that exists independently of the database user who created it. In other words, a schema is simply a container of objects. A schema can be owned by any user, and its ownership is transferable.
https://msdn.microsoft.com/en-us/library/ms190387.aspx
http://basitaalishan.com/2014/05/29/the-database-principal-owns-a-schema-in-the-database-and-cannot-be-dropped/
Ok, just found why we need to temporary move the schema link to another owner before deleting a user.
It will return error if not doing so:
The database principal owns a schema in the database, and cannot be dropped.

SQL server schema and default schema

I have a schema define in my database. Except now everytime I do a sql statement I have to provide the schema ...
SELECT * FROM [myschema].table
I set the default schema for my user using management studio and also ran the
ALTER USER myUser WITH DEFAULT_SCHEMA [myschema]
and I still get the invalid object 'table' when writing a query without the schema (SELECT * FROM table)
Is there a way to write SELECT * FROM table without having to specify the schema name all the time?
It's on SQL 2005 using SQL Management Studio.
Is the user an SA, if so it will not work, according to the documentation SA users are always defaulted to the dbo schema.
The value of DEFAULT_SCHEMA is ignored
if the user is a member of the
sysadmin fixed server role. All
members of the sysadmin fixed server
role have a default schema of dbo.
Couple of options:
Is your user listed under Security > Users (in SSMS)? Check the Properties (right click the name), and see if the Default schema is set in the context of the database, rather than the instance (which is what ALTER USER is setting).
Create a synonym for the table you want to reference:
CREATE SYNONYM table_name
FOR [your_db].[your_schema].table_name
...which will affect everyone who doesn't use at least two name notation, in the context of that database. Read more about it here. But it is associated ultimately to a schema.
Check that the database selected in the "Available Databases" drop down (upper left, to the left of the Execute button) is correct.
Use three name notation when specifying table (and view) references:
SELECT *
FROM [your_db].[your_schema].table_name
If you do not want to use "full qualified" SQl names, then you need to avoid creating your tables using any account or role that's not using the "dbo" default schema assigned. Why do you need to change the default schema on the user if you don't plan on using it?

Resources