I am trying to drop one of the role in my SQL Server database. I dropped all the members from the role and when i tried to drop role i got this error message:
Msg 15138, Level 16, State 1, Line 13
The database principal owns a schema in the database, and cannot be dropped.
Does anyone know why? I checked the Owned Schema and it only had check sign in its own name.
You cannot drop a database principal that owns a schema. You have to transfer the schema ownership to some other database principal or drop the schema before you can drop the database principal.
15138 error is due to the user you are trying to delete owns a schema.
If you run the below query you will get the schema owned by the user.
USE DatabaseName;
SELECT s.name
FROM sys.schemas s
WHERE s.principal_id = USER_ID('UserName');
Let us say it returns 'db_denydatareader' schema. Then you can assign
that schema to default user 'dbo' using the below query.
ALTER AUTHORIZATION ON SCHEMA::db_denydatareader TO dbo;
Related
I have an SQL Azure database and there are already thousands of objects under the DBO schema.
I want to create a new user with specific access requirements
the requirement is below.
User can only see a few of the objects under the dbo schema
User can make an update/select/alter/execute..etc. any type of modifications, including adding or removing columns from the objects they are allowed to see.
User can add new objects under the dbo schema.
User should not see the objects(which they are not allowed to see) under the dbo schema in the SSMS browser.
Can you help me to setup the user with specification above?
As Dan Guzman said this would be possible without #3. Beacuse "Create table" is only a database level permission, cannot be assigned at the schema level.
A user can be defined as the schema owner. If the user has "Create Table" permissions at the database level and is a schema owner, all tables will be created in the schema he/she owns.
Create login and user in Azure SQL:
use master;
CREATE login user1 with password='SafePassword'
use userDb;
CREATE USER user1 FOR LOGIN user1;
GO
We can use following query to generate grant T-SQL script. Select the tables you want to grant to the user.
SELECT 'GRANT SELECT,INSERT,DELETE,UPDATE ON "' + TABLE_SCHEMA + '"."' + TABLE_NAME + '" TO "user1"' FROM information_schema.tables
I have a Sybase database and I've created a user following this video. Now I want to grant only select and get DDL permissions to the user, I've granted select permissions on all the user tables in the database to the user using grant select on tableName to user_ro query. But I'm not able to identify which permission will allow user to get DDL of all the database objects and can only read the data. What are the least privileges or roles that are needed to be granted to the user?
Queries that I ran against the database using SQL Interactive board:
//create login under master
use master
sp_addlogin user_ro, user1234
//verify user is created successfully
select name from syslogins
//add login user to mydatabase
use mydatabase
sp_adduser user_ro
//grant select on all tables one by one
grant select on tableName to user_ro
I'm quite new to Sybase, so please correct me wherever I'm wrong.
There is no specific DDL permission in ASE.
All programs that make DDL just select from system tables the definition of a certain object. So if you have access to some database and sp_help works then you can also create DDL from an object.
I created a new user in Sql Server 2012 and "by accident" I marked them as owner of multiple schemas. I meant to mark them as members of the schema but I was on the wrong tab!
Because they are now owners of the schema I can't unselect the ownership and I can't delete the user either. How can I undo my mistake?
You must transfer ownership of the schema to some other user, probably dbo, prior to removing the user:
To test this, I did the following:
Create a user to own the schema, and a test schema:
USE tempdb;
CREATE USER [testuser] WITHOUT LOGIN;
GO
CREATE SCHEMA [max] AUTHORIZATION testuser;
GO
Try to drop the user, which will fail:
DROP USER [testuser];
GO
Msg 15138, Level 16, State 1, Line 1
The database principal owns a schema in the database, and cannot be dropped.
Transfer ownership of the schema to some other user, in this case the special user, dbo, which owns the database:
ALTER AUTHORIZATION ON SCHEMA::[max] TO dbo;
GO
Now, drop the test user, which works:
DROP USER [testuser];
Following code recreates a user:
-- Remove link to order schema
ALTER AUTHORIZATION ON SCHEMA::order TO dbo
-- Recreate order user without login
DROP USER order
CREATE USER order WITH DEFAULT_SCHEMA = order
-- Restore link to order schema
ALTER AUTHORIZATION ON SCHEMA::order TO order
My question is, why do we need to remove link to schema before dropping a user, and restore it back after user created?
The behavior of Schemas changed in SQL Server 2005. Schemas are no longer equivalent to database users; each schema is now a distinct namespace that exists independently of the database user who created it. In other words, a schema is simply a container of objects. A schema can be owned by any user, and its ownership is transferable.
https://msdn.microsoft.com/en-us/library/ms190387.aspx
http://basitaalishan.com/2014/05/29/the-database-principal-owns-a-schema-in-the-database-and-cannot-be-dropped/
Ok, just found why we need to temporary move the schema link to another owner before deleting a user.
It will return error if not doing so:
The database principal owns a schema in the database, and cannot be dropped.
I have an MSSQL database and a "normal" user accessing it. When I try to use tables like sys.objects, I become a permission error:
select name from sys.objects
Msg 229, Level 14, State 5, Line 1
The SELECT permission was denied on the object 'objects', database 'mssqlsystemresource', schema 'sys'.
Why? The documentation says
In SQL Server 2005 and later versions, the visibility of the metadata
in catalog views is limited to securables that a user either owns or
on which the user has been granted some permission.
so I think I should be allowed to use sys.objects, even if it will list only the for me visible objects...
My user have been created with
CREATE LOGIN [factoryFX20_K_user] WITH PASSWORD=N'...', DEFAULT_DATABASE=[ff20121025], DEFAULT_LANGUAGE=[English], CHECK_EXPIRATION=OFF, CHECK_POLICY=ON
EXEC sys.sp_addsrvrolemember #loginame = N'factoryFX20_K_user', #rolename = N'serveradmin'
USE [ff20121025]
CREATE USER [factoryFX20_K_user] FOR LOGIN [factoryFX20_K_user] WITH DEFAULT_SCHEMA=[factoryFX20_K_user]
The problem was ideed the same as in The SELECT permission was denied on the object 'sysobjects', database 'mssqlsystemresource', schema 'sys': my user had some "denying" roles.
The solution was to remove this roles of the user:
USE [ff20121025]
EXEC sp_droprolemember N'db_denydatawriter', N'factoryFX20_K_user'
EXEC sp_droprolemember N'db_denydatareader', N'factoryFX20_K_user'
Thanks Jon!