Accessing Windows Users Assigned To A Database Role
Mar 3, 2006
Is
there a way to find a list of Windows User accounts that are directly
or indirectly (through Windows Group membership) assigned to a database
role?
I could put work in to CLR programming or using a Linked Server to
Active Directory, but if there is a sys.* view available that can
provide me this
information directly it would be much easier.
I'll be looking into this further myself anyway and posting an answer
if I can find one, but if anyone has suggestions... well, thanks!
Can anyone help me with this? The objective is to allow an application user (with db_datareader & db_datawriter database roles assigned) to be able to create tables in the assigned schema (dbo) via a new role.
-- Create User
use master
go
create login DBA with password='xx', CHECK_EXPIRATION=ON, CHECK_POLICY=ON
use AdventureWorks
go
create user dba from login DBA alter user dba with DEFAULT_SCHEMA=dbo
go
-- Create Role
use AdventureWorks
go
create role sp_ddl_role AUTHORIZATION dbo
grant CREATE TABLE to sp_ddl_role
-- assign user to Role
use AdventureWorks
go
exec sp_addrolemember sp_ddl_role, dba
go
-- Create Table statement then run with following error Error:
Msg 2760, Level 16, State 1, Line 1
The specified schema name "dbo" either does not exist or you do not have permission to use it.
Remedy: Grant ALTER on schema::dbo to sp_ddl_role
My problem is that I want to restrict user permissions via this role to just the CREATE TABLE and granting ALTER on a SCHEMA will open up a whole lot more permissions from a security standpoint.
Question: How do I restirct this role to just the CREATE TABLE within a SCHEMA?
In SQL2000, when the Guest account was assigned into a role, such as db_datareader, then querying across databases worked just fine.
Specifically: I have a Report Writer application that connects to the SQL Server with a login (ReportRunner) that actually has very limited permissions on a database. The connection is then set (sp_setapprole) to use an Application role (App_RR) that has the necessary permissions. The report-writer app calls a Stored Procedure that gathers data from several other databases (on the same SQL instance). In SQL 2000, accessing these other databases was done through Guest - we assigned Guest to the db_datareader role. All worked fine.
We've just upgraded to SQL2005: reports started failing. It seems that although guest is assigned to the db_datareader role, the permissions for Guest don't allow selecting from tables via the db_datareader role: we've had to GRANT SELECT TO Guest specifically on the tables necessary for the report.
Is anyone aware of a design change withing SQL Server such that the Guest principal's roles are disregarded when assessing permission? Is there a new and better way to structure the permissions?
When I restore DB from testing to production, we want to remove extra access rights granted to public group. Is there a simple way to query to find out for which objects (table, view, sp, fn) that public group were granted select, delete, update insert, or execute rights?
My objective is to write a sp to remove all user assigned rights to public group (role), but not to deny any rights. How to do it?
After upgrading my database from SQL2000 to SQL2005 I have noticed a change in behavior of sp_helprolemember.
In SQL2000 I could connect as 'user1' and use sp_helprolemember to find all users that belong to a certain role.
In SQL2005 sp_helprolemember seems to only show me the roles that connected user belongs to. For example, if I connect as 'user1' I only see the roles that 'user1' belongs to.
Any advice on how to duplicate the behavior from SQL2000?
Hi, In SQL Server Express Edition, what are the rights that are assigned to a Normal Windows User and PowerUser by default ? When I install SQL Express on a clean machine and login as Power User I can add/edit/delete data but when I login as Normal Windows User I can see the data but not change it. Please help me in this regard.
I need a way to automatically generate a daily report of user names, time of access, and type of access (login, select, insert, update, delete, etc.) to a database.
We need to audit all accesses from all accounts to find out who is accessing the payroll system. We have already defined the security to be as tight as possible - however we need to monitor all Administrator accounts to ensure they are not being used to obtain sensitive information.
I have looked for some software to read the live SQL Transaction Logs, but none of the tools I have seen can do exactly what we require. For example, I've tried Lumigent Log Explorer (http://www.lumigent.com/products/le_sql.html), but it's not automated and the report output is just garble to our payroll staff.
I have looked up all Microsoft SQL Server partners but their software is all about data recovery and data reporting. We need Security Reporting.
I have created a general SQL Profiler trace that may suffice if everything else fails, but I still have no way of automating it - it relies on Real-Time monitoring which I can't trust (admin can turn this off, do their stuff, turn it back on). Also this is dependant on someone turning it off, save the log, turn it back on, every day - this person would be the Administrator - what admin would monitor themselves?
- SQL Trace seems like a good idea, how do I read the trace log file? How do I automate a trace?
- Can we automate the SQL Profiler to read the transaction log to find all accesses to a database?
- Does anyone know what we can do to automatically audit accesses to a database? What format can the report come in (pdf, xls, dbf, html etc.)
- Recommended software to try?
- Ideas for alternatives to try?
- Any companies/developers out there who know of a tool or are developing a tool to provide this sort of report?
- Is there a spec somewhere to let us write our own software to query the live transaction log?
Thanks, I appreciate any help. Kind Regards James Payne
Geekz, My problem is that , I had setup blog on server say, blog.xyz.com [I am using blogengine.net, which is in ASP.Net]. It is using sql server2005 as a backend for storing its blog's posts. After settingup blog, i tried to access its database through my windows application. But while development I was getting error that "An error has occured while establishing a onnection to the server. When connecting to SQL server 2005, this failure may be caused by the fact that under the defaukt settings SQL server doesnot allow remote connections.(Provider Named Pipes, error :40 - Could not open a connection to SQL Server)" I am using [String ConnectionString = "Data Source=sql-v123.mesa11.1Server.net; Initial Catalog=abc; User ID=xyz; Password=xyz123";] Then I decided to created a webservice that will access the data from databse blog and store it somewhere in datatable and using windows application i will retrieve those data for end user. So I want to to know that whether i can access the datatable of webservice holding the blog data from windows application or not. if answer is Yes, then please provide me with source or some great links. Or if There is any other option so that I can access my database directly from windows application, then it would be better. Looking for your answers. Thanks and regards
I have been using the software, and it has been working fine (on windows user A). Now, I have created another windows user (User B), and would like to use the same software/database. The software launches fine (User B), but cannot access the created SQL database (created with user A)
How do I setup the database to allow access from all users on the same PC?
SQL Database in my application with windows authentication rejects accessing after deploying and remote access 1- My web applications databese access is windows authentication 2- In developing area there is no problem for accessing database 3- After deploying to another server there is problem accessing database: Cannot open user default database. Login failed.Login failed for user 'BRCK231ASPNET'. How can I solve this problem? Thanks.
In SQL Server 2005, you must have the VIEW SERVER STATE permission in order to access sys.syslockinfo (http://msdn2.microsoft.com/en-us/library/ms189497).
Hello, We have 700+ databases on SQL server 2005, and we constantly adding more db.. I know, this is not the best... I have the same group of people who needs to have identical permissions on all existing and newly created databases... How can I acchieve that in efficient way? Ideally I would like to create new database role which has read and write access to all objects in all databases, and add users to this new role. Do those users need to be added to each database? How can I assure that new database will have role and users already added after the creation? Can I add it to the model and all other dbs will have it?
I want to programmatically, using C#, provide BuiltInPower Users permission to a database. That is, I want any user who is logged into the computer where they belong to the Windows Power Users group to be able to log into Sql Server and to a database. I am able to do this nicely in the English version of Windows XP and Sql; however, the same procedure, for example, in the German version fails due to a change in spelling of 'Power Users' in german. In C# one is able to use the enum WindowsBuiltInRole.PowerUser which helps application specific permission issues, but how does one do this when using international XP versions connecting to Sql server. That is, how does one establish BuiltInPower Users permissions for SQL when using international versions of the operating system. Or maybe I am approaching this the wrong way.
Hi folks, i create a procedure in master db that kill users spids. Giving EXECUTE permission on the procedure to users without giving processadmin role doesn't work! Any guidelines?
I have a need to add all the users listed in the sysxlogins table to the db_datawriter role. I wrote a proc that does this. It indicates that each user is successfully added to the role, but they aren't. If I look at the user in EM, they don't have that role checked. I've tried all the obvious stuff like close EM and re-open, etc...it doesn't help.
Here is the proc CREATE proc sp_MyProc @DBName varchar(256) As
Declare UID_Cursor Cursor For Select Name from master..sysxlogins Where Len(Name) = 7 Order By Name
Open UID_Cursor Declare @Name as varchar(256) Declare @TempString as varchar(8000)
[dbo].[PortalUser]( [PortalUserID] [bigint] IDENTITY(1,1) NOT NULL,
...
[dbo].[Role]( [RoleID] [bigint] IDENTITY(1,1) NOT NULL, [Name] [nvarchar](250) NOT NULL, [IsActive] [bit] NOT NULL CONSTRAINT [DF_Roles_IsActive] DEFAULT ((1)) ...
[dbo].[PortalUserRole]( [PortalUserRoleID] [bigint] IDENTITY(1,1) NOT NULL, [PortalUserID] [bigint] NOT NULL, [RoleID] [bigint] NOT NULL, [IsActive] [bit] NOT NULL CONSTRAINT [DF_PortalUserRole_IsActive] DEFAULT ((1))
I'm asking to get a list of portalUsers that do not have a PortalUserRole records for the rolename I'm checking against. And don't ask me why the person who coded this is searching on rolename not ID. But this is how we're doing it for now.
I have user which is a member of the db_securityadmin database role. It has no other permissions applied to it. When I login with this user, and try to add some other database users to the db_securityadmin role, I receive an error stating that I don't have the permissions to do this:
User does not have permission to perform this action. (Microsoft SQL Server, Error: 15247)
Is this the normal behaviour, or is there something wrong ? I am using SQL Server 2005. From what I know, this works fine with SQL Server 2000, but it doesn't work as I expected with SQL Server 2005.
In sql server 2000, I created some custom database roles called ProjectLeader and Developer. I would make these roles a member in the fixed database roles so that I would only have to add the user to the ProjectLeader or Developer role once and they would presto-magico have the security I wanted them to have with no unecessary mouse clicking. I'm not sure how to repeat this process in 2005? Management Studio doesn't seem to allow you to add a role as a member in another role. Is there a work around or solution for this?
Ive been reading over the documentation and some stuff online, but I still dont really understand what the difference is and when you would use one vs the other. Can someone put it in simple terms for this dummy (me) ?
I would like a report to display the number of users and the reports accessed for a certain duration of time[being able to go back and check for previous years as well].
I read on the msdn that 60 days worth of report log is kept,and the rest gets wipped off.Any suggestions on how I would be able to get user access list for the past year as well.
I am working on the security model for an application that will be used by 100s of users with a dedicated SQL 2005 database for this application and access via SQL XML Web Services.
The client has asked to make it "open" during alpha testing such that anyone can access the web services without having to set them up first. Is there a way to do this? The best I can figure is to use mixed mode security and hard code a login and password. Any method using Windows authentication would require that I add every user at a minimum to the database.
In production, all users will have an active directory role specified that determines if they should have access to the web services or not. However, it is my understanding that to use Windows authentication, I would still need to add each individual user at a minimum as a Login to the SQL Server, and under best practices also as database users with permissions granted to the endpoint.
Am I correct in the above, or is there a more efficient way to achieve these results?
When I create logins for SQL Server 2012, something strange happens. When I assign the sysadmin role to a login, the login loses the access to the network drives (for example when creating or attaching databases). The only possible place is the c:drive of the computer that is running SQL Server.
In SQL Server 2000 we had a view that would show the user credentials and the password hash. The reason we need this is that we use SQL Server authentication on the database. To test users, we have a login with little access, and it should be able to see the view and compare the password supplied against what is in the database, and then let the code handle a graceful exit if the password is invalid. I am trying to do this with SQL Server 2005, and I am running into trouble. I am trying to do this with a function, since there I can set the EXECUTE AS clause (in theory) and leverage the privlidges of a specific user in the database. Here is an example function:
CREATE FUNCTION check_acct.fn_allusers (@test int) RETURNS @users table (username varchar(50), passwd varbinary(256)) WITH EXECUTE AS caller AS BEGIN INSERT @users select name, password_hash from sys.sql_logins RETURN END GO GRANT SELECT ON fn_allusers TO user_acct
I cannot get to all rows in the sys.sql_logins table unless I first:
GRANT VIEW ANY DEFINITION TO CHECK_ACCT
then when I call this function from CHECK_ACCT, I am able to see the data. If I change the WITH EXECUTE AS 'CHECK_ACCT' and execute thsi function from USER_ACCT, I do not get the same results. Do functions not inherit VIEW DEFINITION proivlidges? Any suggestions on how to do this but limit access to these secure objects to this one function?
I restored a sql server database today. There is a problem though. In SQL server, right next to the name of the database are the words "Restricted User". Their seem to be some limitations on my access to this database now as I am not able to run some of my C# code against the database. How can I fix this in SQL server so that I am not a Restriced user.
Example of what I am talking about. In SQL server my database is named Gorlaz. Just to the left of this is a yellow Icon that represents the database "Gorlaz". For illustration purposes I will use the character "$" to substitute for the yellow database icon. So this is how it reads in SQL server management studio. $Gorlaz(Restricted User)
Based on our database infrastructure, we need to secure our SQL databases. The security issue concerns on allowing a limited number of Domain Admin users to access the SQL databases. We tried certain ways, based on the documents in the Microsoft web site, but we couldn€™t reach to the point of preventing the Domain Admin users accessing the SQL databases.
I'm trying to extract all the users and their membership to groups, and the membership of groups to groups from active directory though a link to server.
I can get the users. I can get the groups.... individually.
I can't get the info of what user is a member of or who are members of a group.
Anyone know how to do this or am I going to have to right a vb app? (Anyone already got the code...)
I want to load this data into tables for reporting in my Data Warehouse.
My company has a Windows 2008 R2 server which is running SQL Server v11.0.5058. Â This server was previously running SQL Server 2008 and was recently upgraded. Â Since the upgrade I have noticed that when I connect to this server using SSMS and Windows authentication it seems as though I have a limited user context as I cannot see SQL Agent in the server tree at all and underneath the server security > logins folder I can only see the sa and SQL Server Windows service accounts (there are many more).
If I connect to the server using SSMS and the sa credential then I can see everything I expect to be able to see as a sysadmin.
I tried connecting as sa, then deleting my Windows AD account from the security > logins folder and reading my Windows AD account with the sysadmin role however this yielded the same result, when I connect using Windows authentication I still appear to be in a limited user context.
We have several other SQL 2008 / 2012 servers within our organization and all of them appear to be working fine / none of them exhibit this problem.
I am running a vb.net application that is using the Web Service to issue Update Snapshot. There is a Windows account we are using as a Service account that has the proper permissions to Generate Events. The application is running on AutoSys on a 2003 server. I have confirmed that it will run under this users credentials manually by logging into the server as the user and firing the app. It works without a problem. This was using Default Credentials.
The AutoSys job is configured to run under this user's credentials. There are three ways I have executed this application
>>Through AutoSys running as the user with the proper permissions (this is in place of a Local Service account which is default for AutoSys. This windows user has local admin permissions on the AutoSys server as well as Generate Event permission as confirmed before) >>By logging into the server as Administrator and executing the app with "Run As..." set to the Windows ID >>By switching to new.NetworkCredentials and passing the hardcoded username/pass/domain
For all of the above scenarios - it fails
The ONLY time it successfully issues UpdateSnapshot is when I am logged in to the server as the user in question. In ALL other instances detailed above it fails and the following comes out of the event log
"Line 1: Incorrect syntax near 'MyDomainName'.
I have no idea why it is choking on the Domain Name in all three of those scenarios.
Do I need to impersonate that user through code when passing the Web Service credentials??
PLEASE PLEASE PLEASE help - I need to wrap this up. ANY HELP WOULD BE GREATLY APPRECIATED
Writing to tables created by regular users on MSSQL2005
I have users creating tables through an application, I gave them ddl_admin, datareader, datawriter. They can create tables but cannot insert/update data (to their own tables), I cannot insert data either using Access or any other application to those tables created by them (under dbo schema) Is there something I am missing with permissions? Thank you very much
