Syncing permissions between a Database project and a database using Visual studio - database

I have a database project in visual studio (2008) that I am using to keep my database structure in a version control system (Git). I use the data schema compare tool in VS to maintain this database project. The issue that I'm encountering is that I keep losing my permissions for new objects.
So how do I:
Capture these permissions using the schema compare tool.
Apply these permissions to a server using the schema compare tool.

The easiest method to capture and apply the permissions that I have found is to go into tools -> options -> database tools -> schema compare and uncheck the ignore permissions checkbox. Then run the schema comparision and apply updates.
Note: That this will update every object with permissions in your schema. I have been capturing the permission after I sync my schema changes and then resetting the ignore permissions checkbox

Related

Why doesn't user in SSIS database role db_ssisoperator see any projects in the Integration Services Catalog?

I am trying to give a user (AD Group) the ability to list all Integration Services Catalog projects and packages, execute all packages, and read the package logs. I DO NOT want them to be able to upload or modify Integration Services Catalog projects or packages.
This is on SQL Server 2016 using SSIS Project Deployment.
Based on this document (https://learn.microsoft.com/en-us/sql/integration-services/security/integration-services-roles-ssis-service?view=sql-server-2016) I have granted the group with the following roles:
msdb.db_datareader
msdb.db_ssisoperator
SSISDB.db_datareader
SSISDB.ssis_logreader
When the user expands Integration Services Catalog, they can see the "SSISDB" catalog, but nothing within it.
I have tried giving the user the SSISDB.ssis_admin role, and this allows them to enumerate the projects and packages, but it also seems to give them INSERT/UPDATE/DELETE/MODIFY permissions which is not acceptable.
Note that this SSISDB catalog does include projects when viewed by users in the msdb.db_ssisadmin and SSISDB.ssis_admin database roles.
Here is what an SSIS Admin sees compare with the new Operator:
After rereading the documentation several times, I finally caught this note in the first paragraph of the page:
The available roles are different depending on whether you're saving
packages in the SSIS Catalog database (SSISDB) or in the msdb
database.
Since our packages are all in SSISDB, the msdb roles don't matter in our case. This explained why no matter what I did with the msdb roles, nothing changed in Integration Services.
I also realized that the [SSISDB].[ssis_logreader] database role only allows access to the SSISDB Reports by default, but doesn't allow navigation of the folder/project/package structure.
In order to allow navigation of the structure, permission must be manually granted at the folder and project level by a ssis_admin or sysadmin user. However, I found that at the Project level (at least in our environment) the "public" role has full permissions, which seems odd.
screenshot: public permissions at the project level

Redgate SQL Source Control: ignoring Database Roles

I'm using Redgate Source Control to changetrack a database. I have a testing database from which I commit, and a production database which is the final target.
I want to have a different Database Role (the setting found of Database->Security->Roles->Database Roles) in the production database because of specific requirements. I have changed one database on my production server, but every time I deploy to the production database, the Database Role resets to the status it was before I changed it (even though the specific role is not synced).
I found a filter on Comparison Options for user roles and checked the Ignore: "User's permissions and role memberships" and deployed the filter, but the Database role still resets every time I deploy any change to production.
Is there a way to ignore Database roles or is there a workaround I could use?
EDIT:
Larnu's answer is correct.
I had a separate issue here which had to do with the role permissions not being defined in the role, but in the schema.sql file. So I had to commit the whole schema to get the role permissions committed.
In SQL Source Control, there is an option for ignoring roles entirely (or using a rule to ignore certain ones).
Select your source controlled database in the Object Explorer, and then click SQL Source Control in your toolbar. Go to the Setup Page, and then select "Edit filter rules".
Then simply untick Role and the Roles won't be source controlled any more, or you can add rules to exclude/include roles that meet said rule(s). Note you may need to remove the Role details from your Source Control repository as well, as otherwise the position of the role when you stopped Source Controlling it may be used (I suggest checking).

Azure Data Studio - Database Project - schema compare changes failed

I can successfully build my DB project in the Azure data studio with the SQL DB Projects extension. (not with SSDT but similar to this: https://www.sqlshack.com/two-ways-to-build-sql-database-projects-in-azure-data-studio/
When I right-click on the DB project and select "Update Project from database", it lists the delta between the online Azure SQL DB and the local db project.
The problem now is that when I either click on "Generate script" or on "apply", I receive an error.
Generate script: Performing script generation is not possible for this comparison result.
Performing script generation is not possible for this comparison result.
Apply schema compare changes: Object reference not set to an instance of an object.
Object reference not set to an instance of an object.
I already reinstalled the Azure Data Studio but with no success.
Any hint what I could do to fix this?
In our case these errors occur because it is added a Role Member to the Standard MSSQL Database Roles called db_datareader and db_datawriter. These roles (or objects as ADS calls them) do not exist in the local dacpac or ADS Database Project. It seems to map even if the roles are checked for update or not, so the Schema compare can't find the objects locally.
If the same applies to your project I will suggest checking if that user really needs to be a part of those two roles as they are not being mapped locally.
If you need the member in the role, a workaround is to exclude the Database Roles objects in the Schema Compare:
In Schema Compare, press Options.
In modal on the right, press the Include Object Types-tab
Find Database Roles and untick.
Press OK and re-compare.
I've set up an issue to the ADS-team, so hopefully the Schema Compare- and Database Project-responsibles can cook up a good solution on this problem.

DACPAC SQL Server dropping schema permissions

I am trying to use a DACPAC database project in Azure Data Studio.
So far, it works fine except for the "publishing" of the project to the actual DB.
When I generate the delta script, I see that all permissions on all schemas are being dropped.
I know that I could exclude certain objects:
SQL Server DACPAC Deployment Dropping Users/Roles/Permissions
However, I would prefer to have also the permissions of DB roles on a schema in the DB project.
Here, of course, the order is important. (Create schema, create user, create DB role, add user to DB role, grant permission for DB role on schema)
How (and to which file) can I add the schema permissions to the project and how can it be ensured that the TSQL statements that are generated are executed in the correct oder?
Thx.
At the linked QA have a look at the XML: there are separate parameters
DropPermissionsNotInSource
DropRoleMembersNotInSource
represented in sqlproj/publish.xml in a reversed way
<DoNotDropRoleMembership>True</DoNotDropRoleMembership>
<DoNotDropPermissions>True</DoNotDropPermissions>
By switching them to "do not drop" state you can avoid excluding permissions from deployment. Thus new permissions (defined in project but missing on target server) would be created but old ones (existing on target server but missing in the project) will not be dropped. Same goes for role membership.
Valid command order in publish script is guaranteed by the SSDT engine.
Still, permissions on target server can be lost if publishing requires object recreation. For example if you alter table-type then referencing procs will be dropped and recreated after type recreation.

Who created a database in my SQL Server instance?

I'm trying to determine who created a database in my SQL Server instance. The .trc logs seem to have been purged and I can't locate a backup of them. I know when the database was created and have found the .bak file that was used to create the database, but I can't determine WHO created it.
Any other ideas how I can figure this out? (SSMS schema history report also doesn't go back far enough)
Based on the following article:
There is no dbo concept for server scope securables. They are always owned by the login that created them, no matter of any server roles that the login might be a member of.
So by default, the database owner is the one who created the database, but you have to make sure that no one changed this property:
To check the database owner, in SQL Server management studio, Right click on the database and in the Properties window >> General Tab >> check the owner property:

Resources