What are the minimum permissions necessary to use CREATE LOGIN?
I'm using db_accessAdmin and db_securityAdmin and db_owner. The user as access to the database.
It still says I can't create the login. What am I missing?
Hi,
I created a database,login,user and schema like belows.
-- 2. create database
CREATE DATABASE MyTempDatabase;
-- 3. create login
CREATE LOGIN MyTempLogin WITH PASSWORD = '#mytemplogin$',
DEFAULT_DATABASE = MyTempDatabase,
CHECK_EXPIRATION = OFF,
CHECK_POLICY = OFF;
--
USE MyTempDatabase;
-- 4. create user
CREATE USER MyTempLogin FROM LOGIN MyTempLogin WITH DEFAULT_SCHEMA = MyTempSchema;
-- 5. create schema
CREATE SCHEMA MyTempSchema AUTHORIZATION MyTempLogin;
The created user,MyTempLogin, must have permissions that can create tables,drop tables,select,insert,delete,update and bulk insert.
How can I grant permissions to the user?(or schema?)
I failed to grant by T-SQL query.
Additionally, what is purppose of the ROLE? Should I create or use it?
I'm confusing in security concept(login,user,schema,role).
Thanks.
I am getting the error:
Cannot open database "aspnetdb" requested by the login. The login failed.
When I browse to my ASP.NET 3.5 LINQ web application on the IIS 6.0 server on Server 2003.
I imagine this is because while I granted SQL Server 2005 login and permissions to my database that the application stores its data in, I did NOT grant any rights to the service account the IIS Application Pool uses for its identity to the aspnetdb database on SQL Server which is where all my roles information is stored at.
My question is what are the MINIMUM permissions needed for this database so it can perform its roles related functions?
I'm using Windows Authentications with the SQL Role provider for authorization.
Thank you.
EDIT: I think I only need to open the aspnetdb database and add my login to the aspnet_Roles_FullAccess role. Is that correct?
Dear all;
I'm trying to use a local variable @NEW_LOGIN_CODE to pass LOGIN NAME to CREATE LOGIN script as follows:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
declare
@NEW_LOGIN_CODE varchar(255),
@NEW_LOGIN_PASSWORD varchar(255);
begin
SET @NEW_LOGIN_CODE = 'any_login';
SET @NEW_LOGIN_PASSWORD = 'AnyPassword';
CREATE LOGIN @NEW_LOGIN_CODE WITH PASSWORD @NEW_LOGIN_PASSWORD;
end
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
the script will not work unliss I provided a hard coded login code and password as follows:
CREATE LOGIN ANY_LOGIN WITH PASSWORD 'AnyPassword'
what should I do to make the CREATE LOGIN script accept local variables as parameters?
Thanks
I created a cursor that moves through a table to retrieve a user's name.When I open this cursor, I create a variable to store the fetched name to use within the BEGIN/END statements to create a login, user, and role.
I'm getting an 'incorrect syntax' error at the variable. For example ..
CREATE LOGIN @NAME WITH PASSWORD 'password'
I've done a bit of research online and found that you cannot use variables to create logins and the like. One person suggested a stored procedure or dynamic SQL, whereas another pointed out that you shouldn't use a stored procedure and dynamic SQL is best.
Question for you. Due to some testing within our environment, I've restored a database a few times
today. Now, when I look at the databases that logins have access to, some have the correct
access to databases and others have no access anymore. This all has happened since I've
restored the database. What happened? It isn't even with the 1 database that I restored that
this is happening. When I look, most users don't have access to any database anymore... All the groups I have
set up and the permissions assigned within the database themselves are fine, just the
login doesn't have access to a database. Did I do something wrong? If so, please let me know
so I can correct it before another restore is necessary.
Thanks so much!
Toni Eibner
I hope this is a nice fat ball that someone can knock out of the park...
We've recently started to upgrade our development servers from Win2k to Windows Server 2003. Naturally, the SQL Server boxes receive MS SQL Server 2000 SP3a. Our database users now cannot restore to their own databases.
We usually grant each login the 'dbcreator' server role (and hope the developers are too busy to realize everything else it allows). Each user's login is dbo in his/her database. Typically one developer will produce a reference dump file, and all the other developers load it as they need it.
If a user executes a restore, it trundles along happily until almost the end, spitting out an error. Here's a sample:
100 percent restored.
Processed 376 pages for database 'bobdb', file 'Data' on file 1.
Server: Msg 916, Level 14, State 1, Line 68
Server user 'bob' is not a valid user in database 'bobdb'.
Server: Msg 3013, Level 16, State 1, Line 68
RESTORE DATABASE is terminating abnormally.
Oh, and this worked with SQL Server 2000 (any patch) on Windows 2000 Server.
Developers reload their databases so often (and DBA resources are so spare) that routing all restores through a DBA will bring development to its knees. So, each developer must be able to restore dumps to their own database.
Help? Which server roles/permissions/GRANTs do we need to provide our developers with the power they need? (and not the powers they don't need!)
I had created three users for my centeralized database server.
usernames are
1.sa
2.production
3.praveen
I had given the permissions as follows
for production i given the permissions for each database
dddatawriter,datareader, db_executor,public
for praveen i had given full permissions
for sa I want full permissions so i had given each and every thing
my aim is as follows. i want permissions according to this one.
for production he is not able to change the coloumn name,he is not able to backup database or restore database, and also he is not able to change password of any logins
For this one i got it correctly . but while coming to praveen login
He is able to do anything regarding database . but i don't want to give permissions to chnage passwords of his login and at the same time any login . can you give any idea regarding this permissions.
For sa i want to full permssions he is able to change passwords of any login .
please kindly help me in this
I am trying to set up a secure system and would like some advice on how to do it as it is a bit tricky.
View 14 Replies View RelatedHi,
I created a new sql server login, but didn't assign it any permissions in any databases.
When I login with this new login, it logs into the master database, and is able to select tables from the system databases, such as master, msdb.
This seems very wrong to me. How can I turn these default permissions off for new logins? I thought it might have something to do with the guest account, but not sure how to best handle this.
Thanks
I use 1&1 to host my site, with SQL Server.
I've used their db management tool to create stored procs and tables.
I backed up the db stored at 1&1 and restored it on my home machine.
On my home machine, I can't access most of the db objects in the restored db via ASP.net, even if I login as sa. I get messages such as "Could not find stored procedure 'proc_name'".
1&1 provided me with a username and password to login into their SQL Server database, and all my objects now have that username as the owner.
The only way I can get the stored procs or tables to work is to prefix them all with the username from 1&1, e.g.:
exec <1&1username>.<proc_name>
Any advice would be most welcome.
Thanks,
B
Hi,
I have created a Windows user login and have granted it the appropriate roles (including a revoke).
As a test I also created a standard user and gave it the same roles as above.
When I run a query against the revoked table, the results are unexpected.
The Windows user can run the query, and the standard user gets a permissions error (which is what i expect).
Does anyone have any ideas as to what is happening here? I am still confused.... Does it have anything to do with the public permission that much be granted?
Thanks
Hello All,
I'm hoping someone can help me with this puzzle.
Most logins I've created have been SQL Server authenticated. I assign the login newEmployee to a role existingRole, and ensure the role has the required permissions. This didn't seem to be rocket science....
My company has been provided with an application with a SQL Server back-end. My instructions were to create a Windows authenticated login and give it full access to the database. I followed the above principles, but running the application, the user got the error -
SELECT permission denied on object 'sysobjects', database 'databasename', owner 'dbo'.
So I decided to try the simplest possible scenario to make it work:
I've created a login DOMAINewEmployee with Windows authentication.
DOMAINewEmployee has been granted access to databasename.
By default, DOMAINewEmployee is a member of Public.
Public has been granted all available permissions on all objects.
ie... grant all on userTables to public
........grant all on sysobjects to public
........grant all on otherSystemTables to public
etc.
Running the application, the user still gets the above error. I'd send the problem back to the vendor, except if I've logged onto the PC as DOMAINewEmployee, querying -
select * from dbo.sysobjects
via Query Analyser produces the same error message. (An equivalent error message is produced when querying a user-created table).
To compare, I then created a login newEmployee2 with SQL Server authentication.
newEmployee2 has been granted access to databasename.
select * from dbo.sysobjects
runs successfully from Query Analyser (as to any queries on user-created tables).
What else is required to grant access to tables from a Windows authenticated login?
( What really scares me, is that the application will run if I make the Windows authenticated login a member of server roles System Administrator and Database Creators, then the application will run - but I don't want this to be the permanent solution. Even after doing this, the above query still fails in Query Analyser for that login, suggesting that there is something wrong with how I configured the permissions. )
Any help would be appreciated.
Thanks.
Kim.
Good day
I have a problem with our Reporting Services. The error says:
Login failed for user 'user'. [CLIENT: <local machine> ]
Error: 18456, Severity: 14, Stage: 16.
I read here http://blogs.msdn.com/sql_protocols/archive/2006/02/21/536201.aspx that State 16 means the user has no permission to log into the target database.
So I went and tried it the hardcore way, giving this user all roles under "Server Roles" and all Database roles for the two ReportServer and the two CRM databases, hoping it would work and I could strip it down again.
No luck, no login and still the same error.
At http://host/Reports I have set the connection string to:
Data Source=host;Initial Catalog=Company AG_MSCRM
I found that in a KB article, so I assume the Initial Catalog should be this database.
Anyway, is there an option I'm missing where I have to give the user additional permissions to successfully login? What irritates me is that I can login with this user using SQL Server Management Studio and browse the tables of the DBs I mentioned above.
The server authentication is currently set to Windows authentication mode.
Kind regards
André
After installing SQL Server Express I can now connect using my Windows authentication but am unable to create a database because all BUILTINUsers only have public permissions. I don't have the sa password and there are no other users or user groups set up which I could use to upgrade my permissions. So I can't do much of anything with SQL Server.
For background, I'm setting this up on a personal laptop running Windows Vista. I'm one of only two users on the machine and I have an Administrator user account.
Any help is appreciated.
We are having problems with the response times from UPS WorldShip after switching from SQL Server 2000 to 2005.
I think that the problem can be fixed from the database end by setting the permissions correctly for the user/role/schema that is being used by WorldShip to connect to the server but, I'm not sure how to do it.
The Setup
Client
UPS WorldShip 8.0 running on XP Pro SP2
Connecting via Sql Native Client via SQL Server Login
Connection is over a T1 via VPN
Server -
SQL Server Standard Edition on Windows Server 2003
2x3ghz Xeon processors w/ 4gb ram
The user that is being used to connect runs under it's own schema and role and only needs access to two tables in a specific database on the server.
What UPS WorldShip seems to be doing is on a continual basis retrieving information about the layout of the database via calls such as the following
exec [sys].sp_tables NULL,NULL,NULL,N'''VIEW''',@fUsePattern=1
exec [webservices].[sys].sp_columns_90 N'CHECK_CONSTRAINTS',N'INFORMATION_SCHEMA',N'webservices',NULL,@fUsePattern=1
exec [webservices].[sys].sp_columns_90 N'COLUMN_DOMAIN_USAGE',N'INFORMATION_SCHEMA',N'webservices',NULL,@fUsePattern=1
This seems to happen whenever WorldShip contacts the database to find out information in order to be able to create a mapping to the database as well as exporting information to it. Because of the VPN connection these calls take anywhere from 20 seconds to 3 minutes.
I am fairly confident that the problem lies with these calls to the database which I was able to capture using the SQL Server Profiler. We have experimented with the following setups.
1. Connecting to SQL 2000 over VPN with SQL Native Client - No noticeable lag
2. Connecting to SQL 2000 over VPN with SQL Server 2000 driver - No Noticable lag
3. Connecting to SQL 2005 locally with SQL Native Client - No Noticable lag
4. Connectiong to SQL 2005 over VPN with SQL Native Client - Lots of lag
Our network admin has been testing the network connections over the VPN and it is very responsive with none of the long wait times found when using UPS WorldShip.
Now for a possible solution other than getting UPS to fix their software. I think that by limiting the tables and views that the login is able to see will cut down significantly on the lag times that are being experienced. The problem is that there were 264 items that were being returned by sp_tables. I was able to cut that down to 154. I am unable to disable access to any of the rest of the items because they are server scoped.
Take for example the INFORMATION_SCHEMA.CHECK_CONSTRAINTS view. When I try to deny access to it in any way I get the following error:
Permissions on server scoped catalog views or system stored procedures or extended stored procedures can be granted only when the current database is master (Microsoft SQL Server, Error: 4629)
Am I able to deny access to these types of object and if so how? Also, what objects should be accessable such as sys.database_mirroring, sys.database_recovery_status, etc?
I have jsut started using SQL server 7 and am having problems with accounts permissions, users,roles, groups, owners etc what are the differences?
View 1 Replies View RelatedHi,
I recently installed an evaluation copy of SQL Server 2005 Enterprise Edition on my local machine and during the installation I used Local System system account for the SQL Server service and set the server to use Mixed Mode authentication.
I am able to connect to this local server Database Engine with my Windows login through SQL Server Management Studio and am able to perform sysadmin tasks. My question is why?
My thinking was that even though my Windows login would provide me a connection to the server, I would still have to manually add this login to the sysadmin server roles but after checking the sysadmin role, my Windows login isn't in there. The Windows login is not found under Security - Logins in SSMS either.
Can someone tell me should details for the login be visible on the server and why it seems to have sysadmin permissions ?
Thanks
I need to grant create cubes to developers, but if I include them into server administration role, then they could delete or modify all the databases.
Each developer require full administration on their own databases, but not other developer's databases.
A simple one (not for me)
MS SQL Server 2005
Which permissions do I need to have (as a User) to create a Stored Procedure
Which other entity's properties do I need to change in order to create a Stored Procedure
Thanks
I just spent the better par of 3 days creating a prototype in ASP.Net 2.0 and SQL Server Express only to discover that nobody from outside can see it...
ERROR with impersonation=true
User does not have permission to perform this action.
ERROR with impersonation=false
Unable to open the physical file "c:inetpubwwwroot------.mdf". Operating system error 5: "5(Access is denied.)".An attempt to attach an auto-named database for file c:inetpubwwwroot-----.mdf failed. A database with the same name exists, or specified file cannot be opened, or it is located on UNC share.
What makes this so difficult?
What am I missing?
In our development and test environments the developers need to create and execute stored procedures as dbo without having any other dbo permissions. If I place them in db_owner, they have too many permissions. Is there a way to address this situation?
I'm also curious how other companies address the subject of creating stored procedures in development and test environments. If I give developers create and execute permission in a database, all objects would be created as JohnDoe.storedprocedurename instead of dbo.storedprocedurename. Any help in this area is appreciated.
Dave
I need to be able to set up a table listing users permissions, this needs to be run daily and then notify me of any changes without using the auditing or profiler software.
Any ideas?? :eek: :eek: :confused:
where can check for SQL Server service account write access permissions ??????
and if it don't has permission How can i set the write access permissin.
Thanks & Best Regards
Madhu
I need to create a new login with SELECT rights so the users can view all tables with no UPDATE, DELETE, OR INSERT rights. But this user needs to be able to CREATE VIEWS. I have assigned the user to the Public role and gone in and modified Securables for the Database to be able to CREATE VIEW. When I connect using my new user and try to create a view, I get the error message: CREATE VIEW permissions denied in database 'test01'.
Help Please
TMDavis
I am setting up a role to allow certain users to create and maintain Shared Schedules in SSRS 2005. The tasks I have authorized are:
View reports
View folders
Manage all subscriptions
View data sources
Consume reports
What else do I need to grant? Right now the user cannot see the Site Settings link in order to get the the manage schedules.
Thanks,
Phill
what are the minimum permissions to allow a user to view, create, & drop tables within a DB (SQL 2008)?
View 4 Replies View RelatedOnly to a specific schema? Can this be done?
View 5 Replies View RelatedOur company has 2 Database Roles (DBE and DBA). The DBE creates
database schema, performs SQL Server Administration, and manages server
security. The DBA writes data access, ETL, and manages database
security. In 2005, we're struggling with how to allow the DBA to see
all of the logins on the server in order to add them as users of their
database. What permissions does the DBA need to select from any of the
logins on the server to add them to their database?
Michelle
How do I allow a user (or group of users) permission to create/drop a table?
I have found the 'GRANT CREATE TABLE TO username' command, which will (I assume) allow a user to create a table, but how to I allow a user to 'DROP' the created table as well?
'GRANT DROP TABLE TO username' doesn't work?
and I want the users to be able to DROP/DELETE this table (temporary table created just for printing purposes) as well.
thanks
I have a sql server 2012 server and I need to prevent the users from creating new schemas by mistake. Is there any way to revoke that permission alone but still letting the user to create their own objects in dbo (yes I know that shouldn't be in dbo but that is another issue).
View 2 Replies View RelatedHello, I recently view a webcast of sql injection, and at this moment I created a user, and give dbo to this user, and this same user, is the one I have in the connection string of my web application, I want to create a user to prevent sql injection attacks, I mean that user wont be able to drop or create objects, only select views, tables, exec insert,update, deletes and exec stored procedures.
Is any easy way to do this?
A database role and then assing that role to the user?
hi,
i tried to create a sql authenticated login by right click security,new login and follow the steps needed but once i finish creating, i could not login using the account. Why is it so? Can help me? Let my user name = " pe " and my password= " 123456 ". Help me. Thanks