Need To Find And Document Permissions In User Databases
Feb 11, 2005
Hi folks, I've an instance with many user databases. I want to use SP_HELPUSER to output all database users and the roles defined to them. How can I do this through a script to view permissions in all databases? I couldn't use (USE database) in a loop. Can anybody help me?
I'm looking for an easy way to grant permissions to a user in all user databases. I already have a script which grants permission to all views and user-defined tables within one database, but since I have to run it in about 100 databases it's still quite time-consuming. Is there a way to execute that script in all user databases at once?
Hi, my first question, tried to use search first but couldn't find what I need.
Hopefully someone has a suggestion.
I work for an ISV producing HR applications.
When a user starts the applications, the program shows all databases that the user has access to. This is done by selecting all names from master..sysdatabases and then trying to "USE dbname" to see if the user has access. Users don't have sa rights.
This procedure takes approximately 90 secs for a server with 500 databases and that has become a problem.
Does anyone know of a faster method, any suggestions?
How to find last login date/time for user DML activity on databases on an instance?
Is there any way we can find out the last login date/time for databases?
Note: 1. We can find if the SQL Trace is running and store. This is not a good solution. 2. Audit logins off/on is also not a good solution. 3. Using DMVs is also not a good option; if the SQL Server instance is rebooted, the historical values cannot be seen.
I'm trying to deploy a project that I deployed yesterday just fine, but today I get the following error:
------ Deploy started: Project: Point Reports, Configuration: Debug ------
Deploying to http://reporting.companyname.com/reportserver
Deploying data source '/Data Sources/Srv24.FieldResponse2_1'.
The permissions granted to user 'DOMAINharley.p.bartman' are insufficient for performing this operation.
Deploy complete -- 1 errors, 0 warnings
This seems like a basic permission issue, except I'm not logged in as the user listed! I've never logged into my computer as the user. I did log in to the reporting services website yesterday as that user, but since then I have rebooted my machine and logged into both my computer and the reporting services website as me. Yesterday this report deployed fine. Today, this error message. I've even tried creating a new project and just creating a simple datasource and deploying just that, but still this message! Where is Visual Studio storing and reusing this user name during my deploy process?
I have an environment where I would like to grant the ability to perform certain functions to specific users for all databases on one of my SQL Servers. Specifically, I want to allow someone to alter table structures on the server, without having the ability to modify data within any databases on the server and without having the ability to create new databases on the server. Is this possible, and if so, how?
We have several servers running SQL Server 2005. Each of these were upgraded from SQL Server 2000. Each server has about 50 databases on it. Each database has a table with the same name, containing login information to the database that the table resides in.
We have a VB 6.0 application that allows our Help Desk to do a SELECT on the table that contains login information. All it does is a SELECT; no UPDATEs, DELETEs, INSERTs, or DDL operations are performed by this application. The application logs into the databases using a Security Group login (let's call it MyGroup). Each member of the Help Desk team is a member of MyGroup.
About twice a month, the MyGroup security group loses SELECT permissions on all of the databases on a server. The server affected usually is different each time, but sometimes the same server will be affected two times in a row.
So far, we just run a script to update the SELECT permissions on the table in each of the databases, and this takes care of the problem (for now). But the problem seems to be recurring regularly.
What would make the server lose all permissions for a particular security group? The other logins continue to work fine. Only this one security group seems to be affected.
I would like to know if there is a way to find out who changed a user's roles/access WITHOUT using the audit function. For example, if a user account was created and given SA access then changed to read only, how can I find out who made that change? I tried searching for an answer, but kept getting no results. I'm thinking this may tie into the sys.sysusers view?
I'm trying to identify the objects in master that the role public has select permissions on, but when I run this query, I get 4 results where the default schema is null and the major_id column does not correspond to any records in the sys.all_objects table. Where else can I look to find what objects these are? DBO is listed as the grantor.
I appreciate your help.
SELECT * FROM SYS.DATABASE_PERMISSIONS P, SYS.DATABASE_PRINCIPALS R WHERE P.GRANTEE_PRINCIPAL_ID=R.PRINCIPAL_ID and permission_name='SELECT' and class_desc='OBJECT_OR_COLUMN' and r.name='public' order by r.name desc
I am trying to migrate reporting services from SQL server 2000 to SQL 2005. I followed the migration steps listed in one of the TechNet documents. Installed SQL 2005 and SP2.
Backed up existing SQL 2000 databases and restored on SQL 2005.
Went to Configuration tool and then to the Database setup. Connected to SQL 2005.
Clicked on the Upgrade button. The upgrade fails and I always get the following errors:
"The database version (C.0.6.54) does not match your reporting services installation. You must upgrade your Reporting services database"
Then I get this exception:
System.Data.SqlClient.SqlException: Cannot find the user 'RSExecRole', because it does not exist or you do not have permission. at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async) at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe) at System.Data.SqlClient.SqlCommand.ExecuteNonQuery() at Microsoft.ReportingServices.Common.DBUtils.ApplyScript(String connectionString, String script) at ReportServicesConfigUI.SqlClientTools.SqlTools.ApplyScript(String connectionString, String script)
I do not understand why it is looking for user 'RSExecRole', which is a role.
Do sqlagent service account proxies need more than just permissions on the app databases being read from and written to in the executing ssis package?
It looks like there are some prep steps when a pkg is going to be run. In my case, the pkg comes from msdb, which has its own security roles. So will my proxies need "datareader" permission on msdb, in addition to datareader and datawriter permissions on the other databases the pkg reads/writes from/to?
Are there other permissions/roles normally important to proxies used in getting ssis pkgs to run? Where are they set?
I am having a problem with permissions using Windows groups. I have a database (database1) that has permissions granted via Windows groups. Two groups (group1 and group2) are members of the db_datareader role in database1, and this works fine. Due to the number of tables that get created during our work, using db_datareader is the easiest way to keep up with permissions without creating a maintenance problem. Now I have a table that I want to add to this database, but I only want group2 to have select permission on this one table, which is a problem because group1 has the db_datareader role. So I thought I could create a view in this database to the restricted table that I put in database2. Then in database2 I only added group2 as a user with the permission to select from this table. Unfortunately the group membership does not seem to get interpreted correctly in database2 and no one can successfully select from the view in database1.
In other words, user1 who belongs to group1 connects to database1 and cannot select from the restricted view -- this is what I would expect. However, when user2 who belongs to group2 connects to database1 they also cannot select from the restricted view -- not the behavior I would expect. Now, if I make user2 a user in database2 with select on the restricted table then user2 can connect to database1 and successfully get data from the restricted view. So it looks like the fact that user2 belongs to group2 is never passed to database2 via the select from the view on database1. Is this indeed the way that Windows group security is working or is meant to work in SQL Server?
I realize I could solve this simplified version of the problem by creating my own role in database1 for group1 etc., but I am trying to solve a bigger problem in our environment that has hundreds of databases across numerous servers.
Hi, I have two databases: Customers and Operations. In the Customers database I have made a view based on a few tables from both Customers and Operations (left join - customers without any operations). In the same database (Customers) I have created a stored procedure based on the view. Finally I'd like to give some users permission only to exec the stored procedure. Do I have to add the users to Customers? If yes, please describe how to limit the users' privileges to only executing the stored procedure (no rights to open tables or views from Customers). Regards, Grzegorz. P.S. I had sent the post to microsoft.public.sqlserver.security, but I had no answer.
Can someone tell me where user permissions for a table are stored within the database? One of my programmers would like to access this table for the security portion of a program he is writing.
Just trying to figure out how to set a user's permission in SQL 2005. I've got one user but I only want them to be able to view data from one or two tables and/or views, but can I do this without having to deny access to every other table?
Hello, Our application works this way: attaches database, modifies data and detaches database. This works fine when the user has administrative permissions, but does not work for users with standard permissions. The reason is that SSE overwrites MDF file permissions (after MDF is attached) and then it is accessible only for Administrators, Network Service and SQLServer2005MSSQLUserxxxxx. How to avoid this behaviour? We want to keep permissions of the MDF file as they are, i.e. inherited from the parent folder. This becomes a serious problem because some users are migrating to Vista where standard permissions are default (but the problem exists also on XP). Has SSE been designed to work in such an environment?
Thank you in advance Roman
P.S. We work with SSE SP2, BUILTIN/Users have sysadmin privileges, problem is with file permissions of MDF. This behaviour can be easily reproduced with Management Studio - just attach an MDF file and look how permissions were changed.
I am having difficulty connecting to a SQL database from C#. There are no user signons set up on my PC and I am using Windows authentication with C#. Whenever I try to connect to the database I get a message "You do not have permission to open this database.........".
I have created a VB app that connects with an SQL database on Server Express 2005.
When I install the app on my machine, I can connect and edit records no problem, but when the app is installed on other machines on the network (using Windows authentication) I get this error: SELECT permission denied on object 'tbltest', database 'test', schema 'dbo'
************** Exception Text ************** System.Data.SqlClient.SqlException: SELECT permission denied on object 'tblTest', database 'Test', schema 'dbo'. at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) at System.Data.SqlClient.SqlDataReader.ConsumeMetaData() at System.Data.SqlClient.SqlDataReader.get_MetaData() at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async) at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result) at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method) at System.Data.SqlClient.SqlCommand.ExecuteDbDataReader(CommandBehavior behavior) at System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior) at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataTable[] dataTables, Int32 startRecord, Int32 maxRecords, IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataTable dataTable) at 
Test.TestDataSetTableAdapters.tblTestTableAdapter.Fill(tblTestDataTable dataTable) at Test.Form1.Form1_Load(Object sender, EventArgs e) at System.EventHandler.Invoke(Object sender, EventArgs e) at System.Windows.Forms.Form.OnLoad(EventArgs e) at System.Windows.Forms.Form.OnCreateControl() at System.Windows.Forms.Control.CreateControl(Boolean fIgnoreVisible) at System.Windows.Forms.Control.CreateControl() at System.Windows.Forms.Control.WmShowWindow(Message& m) at System.Windows.Forms.Control.WndProc(Message& m) at System.Windows.Forms.ScrollableControl.WndProc(Message& m) at System.Windows.Forms.ContainerControl.WndProc(Message& m) at System.Windows.Forms.Form.WmShowWindow(Message& m) at System.Windows.Forms.Form.WndProc(Message& m) at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m) at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m) at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
I think it may have something to do with user permissions for the database on sql server, but no amount of editing permissions will allow access. Help !!!!!!
I am in the process of migrating SQL Server 2000 to SQL Server 2005, moving one user database at a time to SQL Server 2005. Is there any way I can list the DTS packages referenced by each database? All our DTS packages are stored in the database. Will a query to the system or meta database help? Thank you, Gish Smith
I've seriously looked, but this simple concept eludes me. How do I go about viewing all the permissions granted to a database user? Like whether or not they can execute a stored procedure.
I have a user account that needs CREATE TABLE permission in tempdb. I know how to do this using the GUI (Enterprise Manager).
The problem is that this reverts whenever the DB server is restarted. I need to figure out how to keep it from reverting, or it needs to be set in some sort of startup script.
Can someone tell me where the information about the permissions granted to a user are stored? For eg, user xyz in db1 has SELECT permissions on Col1, Col2, Col3 of Tab1 and UPDATE permissions on COL2 of the same table. Which system table(s) will hold this data?
In SQL/2000 EM I can go to a user database, expand the Users, double click a user and click Permissions to see everything a user has permission to in the database. How can I get the same information in Management Studio in SQL/2005? Is there an overview of this process in BOL 2005?
Hi guys, I have been told that only users with SA privileges could check the status of a job. For this reason, I had to give SA privileges to this user so he could check the results of a job (successful or not) and do his work. Now, he makes changes on the database without telling me and last time we nearly lost one day of work as he changed the db option to truncate on checkpoint. I don't want to be the one to log on and verify the results of the job every day, so is there any way that I can give him limited permissions so he could only check the job and leave the database alone? I am pregnant so I am afraid that next time he does something like that I may hit him on the head with the keyboard (hormones... :-) Any suggestions would help. Thanks!
I have added a new user to a database without any explicit permissions, but when I view their effective permissions inside the Microsoft SQL Server Management Studio, they have a whole host of permissions. How can this be? Is it a bug in SQL Server? Or could it be that the public role has all these permissions?
If new users are inheriting these permissions from the public role, how do I view the public role permissions?
I created an application using VB.NET, which performs access to a SQL database. The server is MS SQL 2000.
I got a few questions:
a. The application performs access to tables, performs SELECT transactions, and calls stored procedures. I want to define a user login that is only permitted to commit UPDATE and INSERT only by the stored procedures, and not by direct commands. Is that possible? Do I have to deny access to READ/WRITE in the tables? If I do deny - will the user be permitted to call stored procedures that perform the INSERT/UPDATE on those tables?
b. Do I have to create a LOGIN or a USER for the specified requirements ?
c. Where can I find REALLY detailed information about what I need to create (login, user, role etc.)? I find only general stuff...
d. The user-defined role I need to create - is it considered as an application role (because it grants an application access to the database) or is it called SERVER ROLE ?
I'm trying to build a web application using SQL2005 Express and Visual Studio Express. It all works OK on the local machine, but gives an error "Login failed for user xxxxASPNET" when used remotely. I can't find where I can set login permissions for SQL Server 2005 Express - can anyone help, please? Thanks, John