Hi All,
I would like to disable a user account from logging to the database. I would like to know the difference between deny connect to sql permission and disabling an account by alter login disable. Please advice. Thanks
I want to set up a database role so that users can use sp_readerrorlog through SSMS. It does a check on membership in the securityadmin role.
I have tested it and can see you can grant execute on xp_readerrorlog but the SSMS GUI uses sp_readerrorlog.
I thought I could create a user/certificate and add the signature to sp_readerrorlog but it's not permitted (likely because it's not a normal database object).
So the other solution is to add the users to the securityadmin role but then explicitly deny alter any login (best done with a custom server role in 2012+ but otherwise just manually in 2008). I tested this out and it works, I'm not able to alter any logins or increase my own permissions, I also did a check of what's reported from fn_my_permissions(null, null) and it shows minimal permissions like I'd expect.
I tried asking the same question in other forum but couldn't get an answer.
I used exactly the following SQL to create a login with sa account in SQL2k5 Management Studio:
Create Login yy With Password='yy123Z'
Without granting any permission, straight away, i log out sa and login as yy in management studio, yy somehow can access one of my ApplicationDatabase! So i check with the following SQL in my ApplicationDatabase:
IS_MEMBER('db_owner')
and it returns me 1, meaning yy is db_owner. I then quickly login as sa and double check on the security|login|yy|properties|User Mapping, NONE of the database is mapped! and i also ensure "Guest account enabled for: ApplicationDatabase" is unchecked.
What could be the problem i am facing? the purpose i create yy is to ONLY allow it to have connect permission on my SQL Endpoint. Please HELP!!
Any one can help me, below error messages for reference, thanks!
Exception Details: System.Data.SqlClient.SqlException: EXECUTE permission denied on object 'sp_insertspend', database 'master', owner 'dbo'.Source Error:
Line 96: cmdMid.Connection = conMid;
Line 97: cmdMid.CommandText = "exec sp_insertspend '" + uid + "','" + Mid + "','" + status + "','" + spend + "'";
Line 98: cmdMid.ExecuteNonQuery();
Line 99: conMid.Close();
Line 100:Source File: f:Microsoft Visual Studio 8WebSoccermain.aspx.cs Line: 98 Stack Trace:
[SqlException (0x80131904): EXECUTE permission denied on object 'sp_insertspend', database 'master', owner 'dbo'.]
System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) +857322
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) +734934
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) +188
System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) +1838
System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async) +192
System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe) +380
System.Data.SqlClient.SqlCommand.ExecuteNonQuery() +135
_Default.btnbet_Click(Object sender, EventArgs e) in f:Microsoft Visual Studio 8WebSoccermain.aspx.cs:98
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +105
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +107
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +5102
Can any body tell me how can I restrict a user who has Sa previlages, from droping a table. He should be able to do everything except droping the table.
Thanx in advance.
Ram
Dear All,
This is my first post to this forum.
I would like to know if there is any way to restrict users from creating temp tables.
Problem: I am facing problems with lots of temporary objects getting created in my database. The users have read-only access to the database for adhoc-querying purpose through QA. Yet they are able to create temporary tables in tempdb database taking lot of resources on tempdb disk causing abnormally high growth of tempdb.
Thanks in advance.
Best Regards,
Chetan Jain
I create a new user who will have a read only permission on TestDB.
I want to give only select permission on TestDB and also I don't want that the new user will not see any other database.
DENY VIEW ANY DATABASE to user_readonly
ALTER AUTHORIZATION ON DATABASE :: TestDB TO user_readonly
but when I am using the above query then the new user is the owner of the testdb. i don't want that. I want that the user will have only select permission on the table.is there any way?
How can we deny an Object select Permission which have Sysadmin role.
View 2 Replies View RelatedWe have a generic sql login "prduser". Applications use this login. We want the login NOT to have ALTER PROCEDURE and DROP PROCEDURE permissions only on the stored procedures(there are thousands of them).
View 17 Replies View RelatedJust encountered something that I wasn't expected, in that a user who has an explicit deny on a column in a table was able to select it when referenced through a view in a schema they have the SELECT permission on. This seems to me to go against the principle that DENY overrides everything when it comes to permissions? Is this how it's meant to work?
Code is below:-
--create test user
CREATE USER TestDenyOnViewUser WITHOUT LOGIN
GO
--create test schema (authorization dbo - same owner as dbo schema so ownership chaining will apply)
CREATE SCHEMA TestDenyOnView AUTHORIZATION dbo
[Code] ......
Hello All,
I want to deny all user connections to be denied to a Database cluster. How best to do it?
As per my research I can use DENY CONNECT SQL TO instead of sp_denylogin but how can I deny login to say NORTHWIND database?
Also To kill all the connections to the database will the following command work best or should I use something else?
SELECT 'KILL' + CAST(spid AS nvarchar(10)) FROM SYSPROCESSES
Thanks
Hey folks,
Here's the skinny
I'm trying to run a stored procedure that requires triggers to be disabled in a table.
When I run the stored procedure (from the app or from the query analyzer) it works fine cause I'm setup as the owner/admin.
However, when users call the stored procedure from the application it gets executed as public which does not have alter persmissions.
I do not want to give alter permissions to public (for obvious reasons).
I was thinking of using SETUSER and SETOWNER but I don't know if it will work (I think because I cannot upgrade permissions using these just change to user of equal or lesser permissions).
Someone had mentioned to me to create a sysadmin user and just SETUSER to that then set it back to public, but again not sure if this will work because public has less permissions than the sysadmin.
I would like to have more info before I try this out and give it back to the client for testing.
Not sure if any of this will work for me, please help.
Thank you for your time.
By the way, I'm using SQL2000
SQL server job or SP to deny access to an AD login for certain period of time to SQL server instance...i.e. to deny access to login ADxyz from 12 PM to 10 PM and revoke access to same login at 10:01 PM...
View 3 Replies View RelatedI have the following requirementI am creating a login and database user 'test' on a database with dborole .I want to remove create table , alter table permisions to this user.I am able to revoke create table permission but alter table goesthrough.I gave a command deny insert,delete,update on ssycolumns to test.Still I am not able to prevent user altering schema . Alter tablesuccessfully goes throgh.I do not want to use datreader and datwriter role.since I want user 'test' to create storred procedure with dbo ownerIs there a way to achieve this ?ThanksM A Srinivas
View 1 Replies View Related
I have seen alot of comments posted about an Issue in SQL2005 that no one at microsoft could really answer. If a user would try to alter his own login, it would fail stating a permissions error.
This is what I did to get it to work .
USE my_dataBase
GO
Alter Login [my_login] WITH PASSWORD = 'newpassword' OLD_PASSWORD = 'oldpassword'
In previous examples, people were trying to do an alter login without first narrowing it to the database.
If you do not include the USE statement it will fail.
Another thing to note is that they can only change certain things....they cannot turn off check_policy or check_expiration.
Happy Coding
Hello again,
I get an error message every time I want to alter an assembly in the Management Studio. The message goes something like this:
"An error occurred in the Microsoft .NET Framework while trying to load assembly id 65610. The server may be running out of resources, or the assembly may not be trusted with PERMISSION_SET = EXTERNAL_ACCESS or UNSAFE. Run the query again, or check documentation to see how to solve the assembly trust issues."
I've already found this article on Microsoft support which mentions two possible workarounds. Could you possibly explain me, how do they work? I've tried both methods by 'registering' my windows login, with and without the domain, but none of them seemed to work. I've also set the TRUSTWORTHY property before using these workarounds.
So, do you have any ideas what could possibly went wrong? Thanks in advance for your time and help!
Without giving dbowner how can we grant permission to user to alter/create procs?
View 3 Replies View Related
HI all
Currently we have a report manager up and running (SQL Standard 2000), and every one can access to this report, since this report has been abused by some users. So I need to restrict only manager(s) user can have access to it and it should prompt a login screen for username and password as it happens only when I try to open http:\server
eports locally then I got a login screen for username and password, however when I try to open the report on different workstation remotely I don't have login screen and I am able to connect/ open the report.
Any help would be much appreciated.
Cheers
Hi,
I have few queries regarding restoriing of database..
I have database back up .bak file..I successfully restored this database back up...but when i try to connect this db to my application I am unable to connect it...
when i look into property of this DB then i found two things that please i need to clear
first thing is in DB Property
Space Available is 0.00 MB
second thing is
when i go to DB>> Security >> Users >> dbo right click property
I found :
User Name dbo
Login Name as disable and blank
But same thing i checked with other DB then
I found :
User Name dbo
Login Name sa
wheather that cause my application failed to connect???????
T.I.A
Hi,
View 4 Replies View RelatedHi, I have accidentally disabled the Administrator account in Sql Server 2005 (Douh!) on my clients server (double Dough!) & now I can login to enable it.
The <BuiltInAdministartors> account is still active, The accout i disabled was <DomainAdministrator> (forgot I was logined via Terminal server).
Any help/assistance would be much appreciate!!
Cheers,
Nez
Does anyone know how to diable the File => Connect option in Query Analyzer?
Thanks
Clarification:
The situation is that I have several users on an application that controls their access to the DB. The user ID has full rights to the DB but the application stops them from making changes to data. Now I have a user that needs to be able to create and run SELECT statements in a “Query Analyser” type of environment. I can publish a Query Analyser session with locked credentials using Citrix, but I don’t want him to be able to use the File => Connect option to reconnect with one of the application Ids thus giving him full rights in an open environment.
Any ideas?
Thanks
HI all,
I would like to ONLY allow using SQL Server authentication and restrict Windows Authentication. At the moment, i set the security to "SQL server and windows authentication". Now, even though i set the password for "sa", i can ignore the SQL Server authentication and just use Windows authentication to manipulate database objects???
can anybody give some suggestions to restrict windows authentication and allow sql server authentication?.
Thanks in Advance
Best Regards
Ihsan
In my SQL SERVER 2005, sa login is enabled, despite Windows Authentication mode being set.
When I'm trying to change it to disabled, I get the error "cannot alter 'sa' login. it doesn't exist or you don't have the permission"
How can I change the status?
The sa (system administrator) login seems to be disabled for my SQL Server 2005.
I don't have the permissions to change it from the "loging properties-tab".
And as mentioned in an earlier thread, my windows authentication doesn't work for 2005...
So, is there a way to enable the login for the sa user when your windows authentication is screwed up?
SQLCMD??
Regards,
JOHAN
I am trying to create a stored procedure to Call ALTER LOGIN based on the the username passed in. However, the Alter login statement chokes on any parameter. Is there a way I can alter sql logins from a web form ?
I try the following and it bombs
ALTER LOGIN @LoginName WITH PASSWORD = @Password
But this works
ALTER LOGIN 'TestUser' WITH PASSWORD = '123test'
I guess the alter login statement does not work with Parameters.
Any thoughts ?
Hi,
How can I alter the SQL Server user login id to a new login id globally so that the database objects which related to the old id will be tied to this new login id ?
Thanks.
Some one does have any query that can pull the
Login Name,
Databases it has access,
and Permissions on that database(Like read, insert...etc).
Any clues for writing a query on the same is appreciated.
I created a new login name. I checked 3 databases in User Mapping. I tried to mimic an existing login name. When I right clicked at the database and selected Properties. I selected the Permission tab at the left. It showed both login names under users or roles. I selected the existing login name and clicked the Effective Permissions button. The login has all permissions: Alter, Create, Select, Insert, Update, Delete, Execute, Connect, etc. When I selected the new login name and clicked the Effective Permission button, the login has only Connect. Why the new login name does not have all other permissions? And how can I assign to it?
Thanks.
DanYeung
Can the ALTER USER statement be used (without a hack like using EXEC) in a stored procedure? I know that the sp_password system stored procedure can not be. Additionally, it is being deprecated anyway. I guess what is boggling me about my attempts so far relate to the errors I am getting due to the user being specified not being in quotes in the syntax. All of the searching I have done so far have come up lame so far; the only examples I have found about it were in scripts that create other scripts for transferring users and other administrative tasks that would be run from the query window, but not from an application. To be complete as possible, here is an example of a script the returns errors:
ALTER PROC [dbo].[lbxChangePassword]
(
@loginid nvarchar(180),
@oldpassword nvarchar(40),
@newpassword nvarchar(40)
) AS BEGIN
IF @oldpassword = (SELECT password FROM contacts WHERE loginid = @loginid)
BEGIN
BEGIN TRANSACTION
UPDATE contacts
SET password = @newpassword
WHERE loginid = @loginid
ALTER LOGIN @loginid WITH PASSWORD=@newpassword OLD_PASSWORD=@oldpassword
END
ELSE
BEGIN
RAISERROR(N'The password you entered does not match your current password.', 16, 1)
RETURN
END
IF @@ERROR <> 0
BEGIN
RAISERROR(N'There was an error creating your new password.', 16, 1)
RETURN
END
COMMIT TRANSACTION
END
************
This returns:
Msg 102, Level 15, State 1, Procedure lbxChangePassword, Line 15
Incorrect syntax near '@loginid'.
Msg 319, Level 15, State 1, Procedure lbxChangePassword, Line 15
Incorrect syntax near the keyword 'with'. If this statement is a common table expression or an xmlnamespaces clause, the previous statement must be terminated with a semicolon.
************
If ALTER LOGIN isn't how to change the password, then please tell me what the correct practice of changing a password is. I want to use the CURRENT_USER keyword in my queries and want I can't finish setting that up until I have this resolved because users will need to change their own passwords through the application I am developing.
I typed the following in sqlcmd:
1> ALTER LOGIN [BUILTINAdministrators] WITH DEFAULT_DATABASE=master
2> GO
And I got this error:
Line 1: Incorrect syntax near 'LOGIN'.
Can you help me find the problem? Thanks
Hello Everyone,
I need your input. When, if ever, should programmers be given the 'sa' login. The reason that I ask is because a group of three developers have approached me asking for the 'sa' login so they could write stored procedures and do some database level tasks. I am relatively new to data admin and I am under the opinion that I should probably just alias their login to 'dbo' on the one database that they are developing their app for.
What do you guys think about this.
Thanks in Advance,
Terry
Dear All,
I need to revoke execute permission from sp_configure (SP) from a user named(a) which do not exists in master database.
Regards
Mohd sufian