"I'll use an Access ADP" I said, "it's only a tiny project and I've got better things to do", I said, "I can build an interface really quickly in Access" I said.
</sarcasm>
Sorry for the rant, but it's Friday, I have a date in just under two hours, and I'm here late because this just isn't working - so, in despair, I turn to SO for help.
Access ADP front-end, linked to a SQL Server 2008 database
Using a SQL Server account to log into the database (for testing); this account is a member of the role, "Api"; this role has SELECT, EXECUTE, INSERT, UPDATE, DELETE access to the "Api" schema
The "Api" schema is owned by "dbo"
All tables have a corresponding view in the Api schema: e.g. dbo.Customer --> Api.Customers
The rationale is that users don't have direct table access, but can deal with views as if they were tables
I can log into SQL using my test login, and it works fine: no access to the tables, but I can select, insert, update and delete from the Api views.
In Access, I see the views, I can open them, but whenever I try to insert or update, I get the following error:
The SELECT permission was denied on the object '[Table name which the view is using]', database '[database name]', schema 'dbo'
Crazy as it sounds, Access seems to be trying to access the underlying table rather than the view.
Any ideas?
Could it be because of this: "To update a partitioned view, the user must have INSERT, UPDATE, and DELETE permissions on the member tables."
http://msdn.microsoft.com/en-us/library/ms187956.aspx
Related
I'm using cloud-based Azure SQL Server and SQL Database. To group tables within the db, I "successfully" created a new schema. However, all attempts to use the schema resulted in errors about not having permission, and I couldn't find a way to add the permission (see below). The trouble wasn't worth the troubleshooting, so I abandoned the idea and went back to my single existing schema name.
Since then, I can no longer create tables on my original schema, named qbo:
CREATE TABLE qbo.NewTable (
pkey int PRIMARY KEY,
);
Started executing query at Line 1
Msg 2760, Level 16, State 1, Line 1
The specified schema name "qbo" either does not exist or you do not have permission to use it.
Total execution time: 00:00:00.034
I can create a table without a schema specified at all (which I assume is going to dbo), or with dbo specified, but then I can't query said table because the SELECT permission was denied.
CREATE TABLE [dbo].[NewTable] (
pkey int PRIMARY KEY,
);
Started executing query at Line 1
Commands completed successfully.
Total execution time: 00:00:00.194
SELECT * FROM [dbo].[NewTable]
Started executing query at Line 1
Msg 229, Level 14, State 5, Line 1
The SELECT permission was denied on the object 'NewTable', database 'master', schema 'dbo'.
Total execution time: 00:00:00.036
When I try granting permissions:
GRANT CONTROL ON SCHEMA :: dbo TO <myUserName>
Started executing query at Line 1
Cannot grant, deny, or revoke permissions to sa, dbo, entity owner, information_schema, sys, or yourself.
Total execution time: 00:00:00.035
I'm the only db user, and the server admin with the Owner role. I haven't found a way through the Portal to change anything, and any T-SQL statements in Azure Data Studio to attempt correcting everything result in the same type of error above. I'm assuming something in creating another schema changed some backend setting. But from what I can tell, I haven't specifically revoked any of the permissions I started with since creating the database, which has been running smoothly for about 3 months with CREATE, UPDATE, DROP, etc.
At a minimum, I need to go back to fully operating on my own db and qbo schema, but extra credit for helping me understand what I messed up and if I can actually use multiple schemas. Thanks!
UPDATE: Based on your helpful comments and re-reading my own error messages, it finally clicked that I'm connected to different databases. I assumed at first that the db I created was the master db, so the comment didn't make sense. I don't know what the "master" db is yet (default?), but changing the Change Connection drop-down to my main db has cleared up most everything. Not sure how I changed it in the first place, but now I know to look there.
I'm still working on understanding the schemas, but at least I can get work done again.
Based on your helpful comments and re-reading my own error messages, it finally clicked that I'm connected to different databases. I assumed at first that the db I created was the master db, so the comment didn't make sense.
I have been working in my specifically created db up to this point without realizing there was a master db, and somehow in Azure Data Studio I was now connecting to the master. This is probably unrelated to my understanding of the schema creation; I just assumed they were related issues since they happened at the same time.
To fix, I changed the Change Connection drop-down to my main db. After that, I can create, update, drop, etc. again.
I am trying the below query against SNOWFLAKE.INFORMATION_SCHEMA from account admin but it returning an error.
Query:
Select
'databases' as category,
count(*) as found,
'3' as expected
from SNOWFLAKE.INFORMATION_SCHEMA.DATABASES
where DATABASE_NAME IN ('USDA_NUTRIENT_STDREF','LIBRARY_CARD_CATALOG','SOCIAL_MEDIA_FLOODGATES')
Error:
SQL compilation error: Database 'SNOWFLAKE' does not exist or not authorized.
Checked SNOWFLAKE database exists but it does not have any schema including INFORMATION_SCHEMA
Databases live under your account. Account is the top level object in the Snowflake object hierarchy. Databases live under account. See this link, and find the text where it says, "The top-most container is the customer account...". It's got a nice little graphic there.
When you query information_schema on the Snowflake database, you're getting the information_schema of just the snowflake database, not of your entire account. Snowflake.information_schema is kinda useless b/c it just shows the information schema of a database (Snowflake) that you have no control over - Snowflake controls it.
If you want to see all the databases in your account, you can do the following:
use role accountadmin;
show databases;
select count(*) from table(result_scan(last_query_id())) where "name" in ('USDA_NUTRIENT_STDREF','LIBRARY_CARD_CATALOG','SOCIAL_MEDIA_FLOODGATES');
Now, separately, if you're concerned about the error you're getting - that you don't have access to the snowflake database, then I'd say you're either not using the accountadmin role, or you're not using a role that has the right privileges. If you'd like to give a role privileges to the Snowlfake database, you can run the following:
GRANT IMPORTED PRIVILEGES
ON DATABASE SNOWFLAKE TO ROLE {SOME_ROLE_OF_YOURS};
Good luck!
I have a requirement for a database that is effectively a "play" area for people creating stats data for themselves and shared with others.
I have a read only database full of core data. All users have read access.
I want a second "play" database where 'n' people can query the "core" database and create there own tables, Sp's etc. I want these users to have a schema each. I want everything they create to be added to their schema by default unless they specify it explicitly (ie [dbo]) in the script. I want them all to be able to collaborate and be able to read data (and look at sp's) from other users schema but not add objects or execute sps' in the others users schema.
These users use 2014 management studio to run these queries. They all authenticate using Integrated Security (windows).
Can this be done?
I tried setting default schema on a user but by default when they add a table it goes to [dbo] because the property grid in 2014MS defaults to [dbo] and you have to edit it. If they just enter "create table Table1" I want it to go into their schema
I tried making the user the owner of the schema. I tried setting public to have select access to these user schemas. But something is not right!
I would have thought this was a common setup where developers get their own schema within a single database. Or, is it always the case that separate DB's are used to achieve this? I am sure others would appreciate a short script that sets this up for a couple of users :)
SQL Server admin is not my main area, so any guidance would be appreciated
For a test user User1, you can create a schema UserSchema1 and do the following
I want a second "play" database where 'n' people can query the "core" database
you can make the user part of the db_datareader role like this
USE [CoreDatabase]
GO
exec sp_addrolemember db_datareader, 'User1'
I want everything they create to be added to their schema by default
Create the schema and add appropriate permissions
USE [PlayDatabase]
GO
CREATE SCHEMA [UserSchema1] AUTHORIZATION dbo;
GO
GRANT ALTER, DELETE, EXECUTE, INSERT, REFERENCES, SELECT, UPDATE, VIEW DEFINITION ON SCHEMA::UserSchema1 TO User1;
GRANT CREATE TABLE, CREATE PROCEDURE, CREATE FUNCTION, CREATE VIEW TO User1;
Make the schema default for the user
ALTER USER [User1] WITH DEFAULT_SCHEMA=[UserSchema1]
For more info refer this thread
https://dba.stackexchange.com/questions/21733/allow-user-to-do-anything-within-his-own-schema-but-not-create-or-drop-the-schem
I want them all to be able to collaborate and be able to read data (and look at sp's) from other users schema but not add objects or execute sps' in the others users schema.
Allow user to view definition of other user's objects and do SELECT's on play database
USE [PlayDatabase]
GO
GRANT VIEW Definition TO [User1]
GO
exec sp_addrolemember db_datareader, 'User1'
There is a central database which houses 'User' information. There are Target databases which are owned by 'Areas'. A user can conduct business in any of the target databases.
A sproc in the central database is being used to provide a transaction summary for the user.
It simply provides a union of DatabaseA and DatabaseB and ... records.
Works fine from SSMS but the calling code fails in the app because select permission is denied on the target Database tables.
I have tried creating new users with dbo rights representing NT SERVICE\MSSQLSERVER and xxxxx\sql-service in a target database but still get the permission error.
What is the correct way to handle this situation? (I have full control over the security of the databases)
thanks
To recap the discussion in the comments:
You need to make sure you have permissions for all underlying tables in all databases for the login you're using.
You can use cross database chaining to make permission management easier if the owner af all databases and objects is the same.
I need to set some users up to be able to create stored procedures with READ access only. Also, in production they cannot have SELECT, only EXECUTE on the procs they created. In development they would have SELECT so they could create their procedures.
I've set up a schema called Reports. The owner of that schema is a login - Report_Admin. That user has select access to tables. I then gave alter and execute on the Reports schema to my report writer account. Dbo owns the table - so it works if dbo also owns the Reporting schema - but then a delete will also work in the procedure!
We are using reporting services and would like to have all the SQL in the database for maintainability.
Thanks!
You're not going to succeed using ownership chaining, as you already discovered. A solution would be like this: report_writer must create its reports with an EXECUTE AS SELF clause so they get executed under the report_writer priviledges. Then the report_reader group will be able to leverage the EXECUTE permission on reports schema to execute said reports, and the reports will be able to read the data because of the execute as clause.
You can assign permissions to roles and users, no need for separate schema's. So I'd only use one schema: "dbo" (the default)
Create a database role for the users. Grant data_reader to that role on development. On both development and production, grant execute rights on the stored procedures. As far as I know, you'll have to grant the execute right for each stored procedure.