I Cannot Get The SQL Server 2005 Roles, Schemas, Users Correctly Setup For Proper Access

May 16, 2008

I have been struggling with this for a while and cannot get it right. I have read countless articles on the internet as well as MSDN documentation about SQL Server 2005 and no success so far.

What I want is a database with multiple SCHEMAS, DATABASE ROLES and USERS in order to have a finer grade of security to access the various objects.

My schemas are (in order to simplify the situation and provide an example of the setup):

- [dbo] the standard DBO schema which is always default. Contains public objects.
- [com] a special module integrated into the system
- [ofc] contains objects used by back-office only
- [aud] contains objects used for auditing, etc.

Each of these schemas has their fair share of tables, views, functions and stored procedures which have been created appropriately (i.e. CREATE TABLE [ofc].[Addresses]), in other words prefixed by the name of the schema to which they belong.

Then I have created various database roles (don't confuse them with SQL2005 application roles) as follows:

- PublicRole mostly used for viewing, no data alterations
- WorkerRole used by front end processes that need write access to data in [dbo] and [aud]
- OfficeRole used by back-office for dealing with backoffice data (basically [ofc], [aud] stuff)
- AdminRole used by application administrator

Each of these database roles has been defined with owner 'dbo', none of them own any schemas. And last but not least to each of these roles I have selected the above named schemas (dbo, ofc, aud) as securables and for each of those securables schemas I have then given the correct set of GRANT/DENY on the Alter, Control, Delete, Execute, Insert, References, Select, Update, Take ownership and View definition.

As an example, the PublicRole role has been given the following permissions (Y=GRANT, N=DENY):

Table #1 of Application Permissions [dbo] [com] [ofc] [aud]Alter N N N N
Control N N N N Delete N N N N Execute Y Y N Y Insert N N N Y References Y Y N Y Select Y Y N Y Update N N N Y Take ownership N N N N View definition N N N N

And I have the following minimum set of database users defined (the server login has the same name):

- upublic, assigned to PublicRole
- uworker, assigned to WorkerRole
- uoffice, assigned to OfficeRole
- uadmin, assigned to AdminRole

As I understand when I assign these users to a particular custom Database Role, the users inherit the permissions granted to THAT role thus liberating me from having to assign the permissions to each and every user account on the same role.

What I expected was that when I logged in to the database with the upublic user account I would at least be able to view (SELECT at least) ALL the objects with the exception of those in th e[ofc] schema. Unfortunately the account is not able to access ANYTHING at all, I get an error like

"The SELECT permission has been denied on object XYZ, database DB, schema 'dbo'"

So, when I use Management Studio to look at the properties I selected the PublicRole and it showed the upublic user as a member of the role (Members of this role). So far so good.

Then when I switch to the Securables page for this role it shows all the schemas I defined and for each of them the same list shown in Table #1 except it has two lines for each permission, the first for Grantor dbo and the second for Grantor upublic. The first has the same permissions I assigned to the role (as shown on Table #1) but the 2nd does not show a checkmark on either GRANT or DENY!!! For example ([x] = checked, [ ] unchecked):

Table #2 Explicit permissions for Securable
Permission Grantor Grant Grant-with Deny
Select dbo [x] [ ] [ ] Select upublic [ ] [ ] [ ]

What am I doing wrong here? Apparently I then have to repeat the whole grant/deny for EACH and EVERY USER I define when the idea was that I would grant/deny on the database role and every member of that role would inherit those permissions automatically.

View 3 Replies


ADVERTISEMENT

Schemas, Users, Logins, Database Roles, Application Roles

Mar 5, 2006

Hello,

I am new user of SQL Server. I have some problems with these words. I want to make my database works in my specified permissions. I will specify permissions with schemas and these schema wants an owner. I want this owner should be my user. When creating a user it needs a valid login. I am selecting my login and it occurs and error says this login has an different user. I am specifying permissions with roles. But i can't make association all of them. I hope i told my problem to you as well. If you explain these words to me and tell me how can i do my database's works with my own schemas, users and roles i'll be grateful. Thanks for advices.

Happy coding...

View 4 Replies View Related

Users/Roles/Schemas

Nov 27, 2006

I'm trying to find some documentation or procedures that will allow me to xfer existing users' roles, etc from sql2000 to sql2005.
When our sql 2005 database was restored on a new server (from sql2000), all of the database users were orphaned. I need to create identical server logins and then make the logins database users. It is also important to understand the significance of the new schema concept. The Microsoft SQL2005UpgradeTechRef.doc white paper does not explain any of this.
Ultimately, I would like to create a script for the above scenario once a sql2005 db is restored from a sql2000 db.
Could someone please help me out on this?

View 1 Replies View Related

Users/Roles/Schemas

Nov 27, 2006

I'm trying to find some documentation or procedures that will allow me to xfer existing users' roles, etc from sql2000 to sql2005.

When our sql 2005 database was restored on a new server (from sql2000), all of the database users were orphaned. I need to create identical server logins and then make the logins database users. It is also important to understand the significance of the new schema concept. The Microsoft SQL2005UpgradeTechRef.doc white paper does not explain any of this.

Ultimately, I would like to create a script for the above scenario once a sql2005 db is restored from a sql2000 db.

Could someone please help me out on this?

View 1 Replies View Related

Newbie Questions On Schemas, Roles, Users & Logins

Apr 5, 2008

Sql 2005
I want to grate execute permissions on my stored procedures to a role. While creating the role, it asks for "schemas owned by this role".
To me, the schema is merely a namespace that allows you to group objects, but arent schemas such as db_datawriter roles that are central to the db and only admin type users should have ownership of these, correct ?

In a nutshell, I want to:
create a new role and assign a user to that role
with a stored procedure, grant execute permissions to this role

I was confused by the sql 2005 dialog that asks me to take ownership of roles such as db_datawriter, db_datareader etc, wouldnt that mess up other things with the database ?

help ...

I think its time I review all of the above items
role
user
login
schema

View 4 Replies View Related

Asp.net SQL Server 2005 Setup. Unable To Establish Database Connection Correctly.

Feb 20, 2008

I am setting up a web server and I'm having some issues with database connections.  I am running Windows Server 2k3 and SQL Server 2005.  The error I get is when I attempt to connect to the database, it's the following:
     Cannot open database "dbReseacher" requested by the login. The login failed.     Login failed for user 'userRes'.
The following is my connection string:
    <add name="RESEARCHER" connectionString="Data Source={Sql Server}; Server=THRALL2; Database=dbReseacher; Uid=userRes; Pwd=password;"/>
In SQL Server Management Studio, the user userRes is listed under Security -> Logins, but it is not listed under Database -> dbResearcher -> Security -> Users.  Originally it was listed under both and this didn't solve the problem. 
Please let me know if you any ideas or questions that I can answer.  Thanks a lot.
                   -Richard

View 1 Replies View Related

MSSQL 2005 Schemas Vs SQL 2000 Users

Aug 20, 2007

Hello,
I think now MS SQL 2005 support packaging database object into schemas which may be granted access by any of the db users, while SQL 2000 only we could use the database creator user instead of schema. my case is i am working in a system with more than one module, e.g. HR + TaskManagemt.
Both HR and TaskManagement objects are in the same database, and there are some common objects.
I want to isolate the HR objects from the TaskManagemt objects, so i can package any module separated from the other, suppose i want to buy only the HR module, so that i want only to exctract the HR Object + the common objects but not the TaskManagement objects.
So how can i accomplish such operations using SQL 2005 schemas AND using SQL 2000 users.
P.S. i have two servers one with 2000 and the other with 2005, so i want to find solutions for both 2000 and 2005
 Thanks in advance

View 3 Replies View Related

Setup And Upgrade :: Users With Sysadmin Role Can't Access Network Drives

Oct 12, 2015

When I create logins for SQL Server 2012, something strange happens. When I assign the sysadmin role to a login, the login loses the access to the network drives (for example when creating or attaching databases). The only possible place is the c:drive of the computer that is running SQL Server.

View 11 Replies View Related

Questions On Users/Schemas

Oct 24, 2007

Hi,

I am looking for some advice on securing a sql 2005 database.

I have a database to which I want to grant 3 different users access.

The first users, who we will call 'public' should have access to a set of stored procedures, and no access to tables without using the stored procedures they have access to.

The second users have again got access to a certain set of stored procedures, along with the stored procedures for 'public'. These should be called 'moderator'.

Finally the third set of users 'admin' should have access to all stored procedures, but again no access to the database unless its through a stored procedure.

Questions :

Using SQL 2005, how do I assign access to particular stored procedures to a user?

How do I ensure that a 'user' cannot access stored procedures I don't want them to access?

Some of the stored procedure use dynamic sql within them, will this affect my setup. If I deny direct access to the tables to all three users, but allow them access the stored procedures, can the stored procedures access the tables?

If schemas are the answer, how on earth do I set them up, Ive never seen something so badly documented online in my experience! In my development environment im using sql express, so will probably working through the query analyzer.

Thanks in advance.

Conor

View 2 Replies View Related

SQL Server 2005 Security Setup For ASP.Net Web Application Data Access - HELP!

Nov 17, 2007



Here is my situation: I am creating a database driven ASP.Net web application that will be used over the internet. My ASP.Net application connects to my SQL server 2005 database/server by using a SQL server login. I am using the DPAPI API to encrypt my connection stings with a hidden entropy value for extra security. I am using the SQL login for obvious reasons, as my users will not have a windows login.

What I am trying to do: I want to limit this SQL login account to be able to just run/execute stored procedures and NOT access the tables or views directly. In my ASP.Net application I am using the MS applications data block, and I am using stored procedures for every single database access action. There is no inline SQL being executed from my web application.

What I have tried so far:


I created a new schema and made the above SQL login account owner of this schema. I then granted "Execute" permissions to the SQL login and DENY permissions to all other permissions.

I created an database role with "Execute" only permissions and DENY permissions to all other permissions.

What Happened: In BOTH of the above scenarios I tested a direct SQL statement against one of my tables, from my ASP.Net application and I was able retrieve data back, NOT GOOD, exactly what I am trying to STOP.

If someone could give me (Step-by-Step) guide on how to setup the situation I am looking for, I would be very grateful!


Thanks to all that help!

View 13 Replies View Related

How Can I Use Default Schemas Of Users In A Function ?

Aug 2, 2007

Hi,

I've a Problem with a Function called by different users.
I want the different callers to query a table in their own default Schema.

So if i refence the full Path [Schema].[Tablename] it works Properly.
If i just Use the [Tablename] for reference it fails.

The function was created with EXECUTE AS CALLER option ;

if I call it with dynamic SQL i retreive the error-message

"Only functions and extended stored procedures can be executed from within a function."

does anybody know a solution for this problem?

thanks in advance
Raimund

View 2 Replies View Related

Detach/attach Move Fails To Bring Over Roles & Logins Correctly

May 23, 2001

A database move was accomplished by detaching the database from the legacy server and attaching it to the new server. The servers ran NT 4, SP6a, SQL 7 SP2. The new server had the same name and IP as the old server.

However that process (detach attach) does not bring over the users (who had access to the database on the legacy systems) correctly.

Under databases, roles the users existed. Under security, logins they did not.

We were obliged to drop the roles and recreate the logins and assign new roles. In the case of an NT user group we were unable to drop it. We had to create a new one and add the users to that group under User Manager.


So far I have not found anything that deals with the user account/role problem.

We have to move a similar database tonight. Do any of you know of an alternative "move" that brings the user roles/logins across correctly?

Thanks in advance.

View 4 Replies View Related

Cannot Debug Stored Procedures Because The SQL Server Database Is Not Setup Correctly Or User Does Not Have Permission To Execute Master.sp_sdidebug.

Aug 7, 2007

Hello All,I tried to set the access permissions for debugging stored procedure by reading the articlehttp://msdn2.microsoft.com/en-us/library/w1bhybwz(VS.80).aspxandhttp://technet.microsoft.com/en-us/library/ms164014.aspxI have tried to add the role to sysaminas follows1)SELECT * FROM INFORMATION_SCHEMA.ROUTINES WHERE ROUTINE_NAME = 'sp_sdidebug'(to find the sp)Error:--The stored procedure not found2)sp_addsrvrolemember 'Developmentswati.jain', 'sysadmin' though this is executed successfuly . Error is still persisting 
Cannot debug stored procedures because the SQL Server database is not setup correctly or user does not have permission to execute master.sp_sdidebug.

View 3 Replies View Related

Database Schemas And This Statement Has Attempted To Access Data Whose Access Is Restricted By The Assembly.

Jul 14, 2005

Hello.

View 5 Replies View Related

Roles/users

Oct 4, 2004

Is there a script or can I make a script to find out what roles and what users are assigned to the roles are?

View 4 Replies View Related

Users And His Roles

Sep 16, 2006

How to generate script which can move users with his roles from one DB to another (SQL 2005) ?

View 1 Replies View Related

SQL Server 2005 Schemas

Dec 10, 2007

Is there a way to create a table in SQL Server Management Studio under a different schema? I've tried setting my default schema and adding a table, but that didn't work. I know I could do it with a SQL statement, but wanted to know if I could do it with the designer.

View 1 Replies View Related

Changing From Users To Roles

Apr 2, 2008

Guys,

I have 2 users emp_rw (read write) and emp_ro in the database through which application accesses the database.

Now I would like to replace this users with roles and assign emp_rw, emp_ro to roles. Which roles should be created -
database roles or application roles what is the difference between application and database roles.

currently I execute the below statement to grant rights on database objects to emp and emp_ro users, can this be changed
to grant rights to role instead of user.

grant execute on <function name, procedure name> to emp_ro

Any suggestions and inputs would help.

Thanks

View 1 Replies View Related

What's The Difference Between Roles And Users?

Oct 12, 2005

Hi, all. I've got a question that's truly newbie. I've added logins to the "users" of a database, but I've never used the "roles" area. What's the difference? Is a role like a group account with some preset permissions?

View 3 Replies View Related

Adding Roles/Users Using SQL Procedures...

Dec 3, 2003

Hi everyone out there in ASP.NET land.

Have a quick question...

How do I add a role and/or a user through code (Specifically SQL Statements). If not through SQL, then maybe VB.NET?

Thanks ahead of time,
Denvas

View 2 Replies View Related

Users Not Listed While Adding To Roles

Mar 5, 2000

Hi there NT Server,sqlserver 7.0, Integrated Security. I used "sp_attach_db" to attach a database to the sql server. The database has 3 standard roles with members in each of those roles. But i am not able to add a user to any of the roles through Enterprise Manager(No users are listed, except the other 2 roles). Also when i click "users" under the Database in EM, no users are listed except "dbo" with sa login. Luckily since some members are there in the roles, they are able to connect to the database. Also i am not able to add the user bcos the user exists in the public role and i get an error message "user already exists in DB". The user has logged into the NT and everything is fine. I copied the .mdf and .ldf files from a "Standard Security" Server.

View 1 Replies View Related

Simple Question: Users && Roles

Jul 23, 2004

SHORT VERSION
i am setting up roles, do i also have to set up role-people as users?

LONG VERSION
my db has two owners. both of us run the Access front end happily - everything works perfectly.

now i'm trying to add non-owner users.
i have set up ten people as datareader/datawriter (primitive, but will refine this later).
these people are not able to get into the db.
at the registering DSN stage they can't see the server in the list of servers and if they manually type \myserver they can't connect (doesn't exist or access denied).

in Enterprise Manager,
Users: shows only the two owners
Roles:datareader shows the ten non-owners (ditto datawriter)

am i supposed to setup my datareader/writers as users as well?
should i see them in the Users: list?

thanks for your time.

izy

View 2 Replies View Related

List Of Users + Roles + Rights

Feb 27, 2004

How can I generate a list/view of all users/groups with appropriate roles and rigths?

View 3 Replies View Related

SQL Server 2005 Express Database Schemas

Jun 29, 2007



Down loaded the help desk starter data schema but do not know how to connect to mdf file using SQL server management studio can anyone help?



Thanks



Kevin

View 1 Replies View Related

ASPNETDB Deploy With Users/Roles Security

Apr 10, 2007

I have developed a site on my local machine utilizing the built-in security/roles provides by ASP.NET 2.0.  I am trying to publish the web application to a production server.  It will publish correctly, however the ASPNETDB is not recognized.  The folder app_data is created with the proper database files.  My question is how do I set this up to use the data I have created in this database?  I've searched on how to accomplish this but haven't found any definitive answers.  I have found ScottGu's blog to be useful, but I was wondering if there is a different way.
1 - Do I push the data to a SQL Server install via SQL scripts?
2 - Can I link to the ASPNETDB that is created locally on my machine?
3 - If I make changes to the application and re-publish, is there a way to keep from overwriting the ASPNETDB on the server?
I am a unsure of how the built-in roles/security works when you are ready to push something to production.  If someone wouldn't mind pointing me in the right direction, it would greatly be appreciated.  Any literature, advice, links, etc.. would be great.
 
- Thanks
Andrew 

View 4 Replies View Related

SQL 2000: Users, Roles, Permissions Management

Jul 20, 2005

I am in need of a utility (stored procedure, third party app, etc)that will help streamline the process of managing and auditing objectpermissions, users and roles on multiple sql server 2000 instanceswith multiple databases on each instance. That's a quick overview ofwhat I need, do I need to be more specific?Thanks.

View 2 Replies View Related

Permissions Hierarchy - GRANT On Logins/users/roles

Jun 20, 2005

A question on the permissions hierarchy:
Since logins, database users, and database roles are both principals and securables - what does it mean to GRANT permission on a login/user/role to another principal? Does it mean that for a login - you can GRANT permission to EXECUTE AS that login or modify it, for example?

View 3 Replies View Related

How To Setup Profile, Roles, Etc In My Hosted Sqlserver?

Jan 11, 2006

I've been working with godaddy.com, and when I setup there the sqlserver databases it tells me if I want to create the tables and stored procedures that conform the typical profile, roles and users features... the same as if I execute the aspnet_regsql.exeNow I'm working with anotherhoster (aruba) and I've setup the database OK, but i didn't found any way to setup the profile, roles, users, etc features.Aruba uses the mssql server web admin.How can I setup this features? Of course, aruba doesn't let me to execute the aspnet_regsql.exe...thanks

View 7 Replies View Related

Sending Email Reminder To Multiple Users - Cursor Not Working Correctly?

Sep 18, 2014

I am tring to send an email reminder to multiple users using a cursor.

declare emailCursor cursor for
select name,info,default_email, @MyMessage
from My_Temp

open emailCursor
fetch next from emailCursor into @Name,@info, @Recipients,@MyMessage

while(@@FETCH_STATUS = 0)
begin

-- select name,info,ins_default_email,@MyMessage
--from temp

EXEC msdb.dbo.sp_send_dbmail

@profile_name = 'Hello',
@recipients = @Recipients,
@from_address = '<address.com>',
@Body = @MyMessage,
@subject = 'Subject'

fetch next from emailCursor into @Name,@info, @Recipients,@MyMessage

end
close emailCursor
deallocate emailCursor

Currently I have two users in my table that I want to send email to, but when the stored procedure runs I got two emails for the last user in the table instead one for each user.

View 2 Replies View Related

Diffrence Between Roles, Accounts, Login, Users Permissions And Groups?

Dec 20, 2000

I have jsut started using SQL server 7 and am having problems with accounts permissions, users,roles, groups, owners etc what are the differences?

View 1 Replies View Related

Unable To View Jobs Even After Adding Users To MSDB Roles SQLAgent...

May 20, 2008

Developers need to view and modify jobs on some servers without being sysadmin. We've added the developers to the following MSDB roles:

SQLAgentOperatorRole
SQLAgentReaderRole
SQLAgentUserRole

Technically they should be able to view and modify jobs through Management Studio when being added only to SQLAgentOperatorRole. However they receive the following error when clicking on the Jobs folder regardless of the msdb role.

Execute Permission Denied on Object 'xp_sqlagent_enum_jobs', database 'mssqlsystemresource', schema 'sys'. (Microsoft SQL Server, Error: 229)

Our original two SQL 2005 servers do not produce this message, but all other instances do. All servers, but one, are SP2 so the service pack is not an issue. Any thoughts?

Thanks, Dave

View 3 Replies View Related

Reporting Services 2005 - Giving Access To All AD-users For A Specific Folder

Jan 21, 2008

I am in a project where we are using a vanillla Reporting Services 2005 with the builtin report portal. No sharepoint integration yet.

We have successful deployments where we limit access to different folders based on AD-accounts and groups. In this particular case I have a folder for which I would like to allow access to all AD-users within the entire company.


So basically I know how to limit access but I don't know how to enable access for everyone. Is there a simple way to do it? I have googled and search mshelp but I couldn't find anything. I will admit to the search being quite quick but as usual time is short.

View 1 Replies View Related

SQL Server Roles &&amp; ASP.NET 2.0 Forms Authentication Roles

Jun 16, 2006

Apologies if my post does not fit into this forum. I initially tried the SQL Server Data Access forum but I now think my question is more security related.

Is it possible for a web user who has been successfully authenticated with forms authentication to be authorised to use a SQL Server 2000 role depending on a particular ASP.NET 2.0 role that they have been authorised to use? I understand that that I can assign a SQL Server 2000 role to the ASPNET or NETWORK SERVICE account but this will grant access to anonymous web users to the database role. I can ensure that I only call stored procedures which access sensitive data in web pages that are in restricted by ASP.NET roles. However, it would be nice to also restrict stored procedures via the ASP.NET 2.0 Forms Authentication roles.

If this is not possible have you got any bright ideas how I could restrict access to stored procedures who are anonymous web users.

Many thanks,

Mark

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved