SQL Security :: How To Find Who Alter Database User Access Changes In Server
Oct 6, 2015someone was alter user databases owner access.
how to find who alter evoke the database user access changes in sql server.
someone was alter user databases owner access.
how to find who alter evoke the database user access changes in sql server.
Is there a way i can grant a windows authenticated user say abcadam privilege:
-> to create, execute and alter the stored procedures that will be created by him only:
Point is we do not want the user to execute alter or modify other stored procedures out there for that DB
I would like to know if there is a way to find out who changed a users roles/access WITHOUT using the audit function. For example, if a user account was created and given SA access then changed to read only, how can I find out who made that change? I tried searching for an answer, but kept getting no results. I'm thinking this may tie into the sys.sysusers view?
View 3 Replies View RelatedI have a restriced user on SQL Server that is only permitted to creat a new database and manage it only. All other database are hidden to that user.
when that user login to SQL Server and create a database and try to change the default folder path for data and log files, gets an error,
The Server principal "User" is not able to access the database "model" under the current security context. (MSSQL Server, Error: 916)
Any idea???
Thanks,
I have a script that automates some db drop/restore operations and bringing the database to single user mode is part of it: ALTER DATABASE ... SET SINGLE_USER WITH ROLLBACK IMMEDIATE...I want this to executes under a login, that has restricted privileges, so I've created a login and granted it a dbcreator role + ALTER ANY DATABASE privileges.
Problem: When I run the script against a database with an active/sleeping connection:It fails when using the restricted login: "Msg 5061...ALTER DATA BASE failed because a lock could not be placed on database ..."It completes successfully when using a sysadmin login According to stackoverflow.com the solution is to kill the active/sleeping connections to the database, before ALTER-ing it, which works fine, but the question is....
Questions: Why the "ALTER DATABASE..." statement works under the sysadmin login, but not under a dbcreator one?Does this mean the sysadmin login kills the connections to the target database in the background?Is it possible to grant additional privileges to the restricted login, so the "ALTER DATABASE..." statement won't need preventive killing of the connections?
We can restrict users from accessing the databases from the security. But is there anyway , we can restrict users from seeing the available databases on the server, user can access and see the database he or she has access to other databases will not be visible?
View 13 Replies View RelatedHow do I add an Importer as a user in my sql server database security folder.
Regards
Karen
We have a production server "prod" which has a user say 'test' that lets the users connect to the application and a logon trigger which stops them from connecting to the server through SSMS. I log ship 'prod' to the 'rep' database and the user 'test' is obviously created in the logshipped database 'rep' during the logshipping.
Now the login 'test' does not have any login from server 'rep', But people can still login to the 'rep' server and query the 'rep' db . I checked with SUSER_SNAME and found the SID of the user in rep server which I never created and which is not even present in the login names, Even If I create a new username in the 'prod' db, after logshipping the new user is replicated in the 'rep' server.
SQL2005 on winserver 2003. I have a view in Xdb that accesses tables in 2 different databases (Xdb and Ydb) on the same server. I have mixed mode security. I have a SQL user (XYuser) that has read access to all tables and views on both databases, yet when I try to access the view using a C# windows application I get the following error:
The server principal "XYuser" is not able to access the database "Ydb" under the current security context
This same scenario works under SQL 2000. I looked through the postings and tried to set TRUSTWORTHY ON on both databases but that didn't help. I can access any other views or tables on the SQL 2005 server, just not the one that joins the tables cross databases. Any help is much appreciated... john
I want a database user to be able to alter login, database user and database role from my application. so, i assigned that user to sccurityadmin server role, db_accessadmin and db_securityadmin database roles....By now, the user can add or remove login and database user. However, the user cannot add or remove any database role membership. What am I missing here?? What should I do so that the user can create, and alter database roles in the database??
View 1 Replies View Relatedi want to create new sql user and grant him two tables access. we have several databases created on same server so we want to allow only two table in ABC database. user should not be able to see other databases and their tables. And user also should not be able to access any other tables in ABC database except two tables.
is there any query to deny all tables in schema for all clauses (Select, Update, Insert) then grant two tables to user with select clause?
Is it possible for a batch command to give access or add a new role for the user to database? Basically:
USE my_Database
CREATE USER [User1] FOR LOGIN [User1] WITH DEFAULT_SCHEMA=
[dbo];
EXEC sp_addrolemember 'Application1', 'User1'
EXEC sp_addrolemember 'SQL_Read_Only', 'User1'
If User1 was already created then ignore that and run the exec sp_addrolemember. Next,
EXEC sys.sp_change_users_login
@Action = 'Update_One',
@UserNamePattern = 'User1',
@LoginName = 'User1',
@Password = NULL
to link the orphan user within database.
Hi, my first question, tried to use search first but couldnät find what I need.
Hopefully someone has asuggestion.
I work for a ISV producing HR applications.
When user starts the applications the program shows all databases that the user have access to. This is done by select all names from master..sysdatabases and then trying to "USE dbname" to see if user have access,. Users doesn't have sa rights.
This procedure takes approximately 90 secs for a server with 500 databases and that has become a problem.
Does anyone know off a faster method, any suggestions?
/Regards Anders
Deleting a Login from a server instance and adding it back did not show that the login was still mapped to databases. In SQL Server 2008, adding a Windows Login did not permit access to end user databases until the Windows Login was mapped to various databases. In SQL Server 2012, once a Windows Login is added to SQL Server Security, it may access ANY end user databaseWe use the following to circumvent this problem, Windows Login by Windows Login: DENY VIEW ANY DATABASE TO [TESTTest1]
View 6 Replies View Relateddisable the following system stored procedure (xp_grantlogin and xp_revokelogin)?
View 5 Replies View Related/* -------------------------------------------------
The Following Procedure Helps You To
Send a Messge to all Users
those Who Access a Specified Database in a Server
*/
Create Proc Sp_SendMsg
@Msg Varchar(100),
@DbName VarChar(100)
as
if db_id(@DbName) = Null
begin
Print 'DataBase dose not Exist'
end
else
Begin
Declare @spId Varchar(1000)
DECLARE TmpCursor CURSOR FOR
Select 'master..xp_CmdShell ''Net Send ' + rtrim(convert(Varchar(50), HostName))+' "Dear ' + upper(max(rtrim(loginame)))+ space(1) + @Msg + '"''' as spId
from master..SysProcesses
where db_Name(dbID) = @DbName and
spId <> @@SpId
and rtrim(ltrim(HostName)) <> ''
and HostName <> host_Name()
and dbID <> 0
and spId > 50
group by HostName
OPEN TmpCursor
FETCH NEXT FROM TmpCursor
INTO @spId
WHILE @@FETCH_STATUS = 0
BEGIN
Exec (@spId)
FETCH NEXT FROM TmpCursor
INTO @spId
END
CLOSE TmpCursor
DEALLOCATE TmpCursor
end
How do you handle user level security with SQL Server 2005?
Say I have an HR database.
In Active Directory I have two groups: Managers, Employees.
Now in this HR Database I want to setup permissions in such a way that Managers can see all employees under them (but not other managers) and the employees can only see themselves.
(I'd have various levels of management defined in a table somewhere, so that each employee has a manager ID that links to another employee so that the CEO would be manager of everyone by working down the chain).
What I'm trying to understand is the best way to handle the permissions.
I'm not entirely clear on how to deal with that.
Would I use user chaining to do that, I wouldn't need impersonation (that's just for instances where you want dynamic SQL and it won't execute with user chaining, correct?)
Anyway, just looking for some general direction on this (obviously I need to get a good book it would seem).
Would I create a stored procedure that runs with EXECUTE AS permissions so that I'd have a non-interactive login it uses that has table access then all the other users have permission to execute the sproc?
So that sproc runs, pulls back a SELECT * FROM tbl_HRINFO and using a WHERE constraint limits who is returned WHERE SupervisorID = CurrentLoggedInEmployeeID ?
Also: How can I determine who is logged in and running the procedure, would the sproc use the SELECT USER_NAME command to see who was running it?
As you can see, I'm working from square one on all of this.
Not sure if my posting entirely made sense, but hopefully someone can get me pointed in the right direction, thanks!
I need to determine the following about the current authenticated Windows domain user who is trying to access a SQL Server via a trusted connection.
1 Has the current user been granted login access to the trusted SQL Server?
2 Has the current user been granted access to a specific database?
3 Is the current user a member of a specific database role such as (DB_ROLE_ADMINISTRATORS)?
Thanks,
Sean
I'm trying to get specific permissions per user on each SQL database, would you let me know if it could be achieved e.g on an object level?
View 5 Replies View RelatedHow Sync the user and password from my Active Directory, to a SQL Database. Actually, my environment have a database with users and password added, my custom applications uses it like a passport, but now I want to use Active Directory to control these users, but I can't use windows authentication in my old apps. I was reading about Forefront Identity Manager to do this, but I need a free solution. The Sharepoint database sync user credentials with AD?
MCTS Exchange 2010
I want that I will allow a user only to select data from any object and only to alter an existing stored procedure or view. That user can not drop and create any stored procedure and view.
I can assign that user db_datareader role, grant view definition but if I grant alter permission, that user can create, alter and drop any stored procedure and view.
HiI need to set security for row level but not based on Database user'slogin. It should be based on the user table login. For the particularuser I need to allow only the particular records to access insert,update delete and select.Let me explain clearlyFor example think we are using asp/asp.net websiteEg:www.test.comSo take this is our website and if you try this URL then you will get awindow for Login name and password.For example the Login name is windows user name (Here windows usermeans server windows user and not client) and windows password. So ifyou have login user id you can able to login in our site and we haveanother check. We have our own usertable this table consist all theuser login names and user rights. We will check the windows user whologin in our site has rights in the usertable I mean he is present inthe usertable if he is not present then we will display a message youhave no rights to access this site.If he has login id in our usertable then he allowed viewing ourpages. Still if he has the login id we will check the user who loginhas how much right to access to each page and the records of each tableits all depend on the user rights.So, here I need the row level security. For each and every table weneed to check the corresponding user and executing the record producelot of business logic problem for us.So after the user login we need automatically to set row levelsecurity for all the tables. Based on the user who login.So from there if we try select * from <tablename> then we can only ableto get the allowed records to select, insert, update, delete.Please can some one help how to solve this?Note:For some help you can refer the below URL (See in that they only givenabout the row level and column level security for each database usersnot for our required concept)http://www.microsoft.com/technet/pr...5/multisec.mspxThanks in advanceRams
View 1 Replies View RelatedDatabase 'TEST' is already open and can only have one user at a time.
I also tried this command but having the same error.
Use Master
GO
Select * from master.sys.sysprocesses
Where spid > 50
And dbid=DB_ID (‘StuckDB’)) -- replace with your database name
I am getting the following message when trying to connect to a database (from an external application) that I have recently restored using my profile (Windows Authentication):
Connection failed:
SQLState: '01S00'
SQL Server Error: 0
[Microsoft][SQL Server Native Client 11.0]Invalid connection string attribute
Connection failed:
SQLState: '08004'
SQL Server Error: 4060
Server rejected the connection; Access to selected database has been denied
Connection failed:
SQLState: '28000'
SQL Server Error: 18456
[Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed for user 'xxxxaaaa'.
My profile (replaced with xxxxaaaa) has full access to the server and I can connect to every other database with no issues. I get exactly the same error if I try and connect using the SQL Authentication "sa" profile as well.
We created one SA login [login name: test_db] and give the Db_owner permission for particular user db, but this test_db login able to access the all system database except model database.Here problem is I am giving the only one particular user database but that login why able to access the system database.Here how to stop the system database access…
View 8 Replies View RelatedI'm using Visual Studio 2005 (8.0.50727.42) and going into the menu option Website > ASP.Net Configuration, access the security tab and all I get is an error message stating that there is a problem with the selected data store "Unable to Connect to the SQL Server Database"
I have SQL Server 2005 (Express Edition). I have created a database "NetDev" with the right connection, etc.
I can use the SQL server fine for my Windows applications, but somehow this ASp.Net Configuration tool is not making any sense.
I also used the aspnet_regsql command from framework 2.0 to create a DataBase to no avail.
Does anyone out there knows if there is a bug with this tool???
How to find All Permissions in the Current Database for a particularUser in SQL 2005 ?ThanksM A Srinivas
View 1 Replies View RelatedEvent 17204, FCB::Open failed: Could not open file F:MSSQLDatafilename.mdf for file number 1. OS error: 5(Access is denied.).When I look at the file permissions of filename.mdf, there is no MSSQLSERVER group permissions listed nor can I add it. I have tried to add MSSQLSERVER and NT SERVICEMS SQL $MSSQLSERVER but neither exist. There is also a ReportServer.mdf in the same folder with MSSQLSERVER permissions!Did I somehow delete this group? What can I do to restore this permission?
View 6 Replies View RelatedNeed to create a user in sql server provide grants to few system tables to the above user.
View 10 Replies View RelatedOk, lets see if I can put what I am looking for into words.
I run a MSSQL server, I show in my logs that a connection is being made to my server from a remote ip. I have contact the owner of the ip in question and they state that they have no buisness with us and they should not be connected to us. According to netstat the connection to us is established on 2 different remote ports to 1433. My question, is there any logging on sql that I can turn on, look at to see what database this connection is accessing? Thanks
I want to set up a database role so that users can use sp_readerrorlog through SSMS. It does a check on membership in the securityadmin role.
I have tested it and can see you can grant execute on xp_readerrorlog but the SSMS GUI uses sp_readerrorlog.
I thought I could create a user/certificate and add the signature to sp_readerrorlog but it's not permitted (likely because it's not a normal database object).
So the other solution is to add the users to the securityadmin role but then explicitly deny alter any login (best done with a custom server role in 2012+ but otherwise just manually in 2008). I tested this out and it works, I'm not able to alter any logins or increase my own permissions, I also did a check of what's reported from fn_my_permissions(null, null) and it shows minimal permissions like I'd expect.
I have a login that is mapped to a Windows sysadmin account. I used it to login to Sql Server 2005. I then created a database called Freedom. I then added a Windows login and user called FreedomAdmin, with Freedom set as the default database. When I login in to Windows using FreedomAdmin and then try to login in to Sql Server 2005, I get the following error:
The server principal "FREEDOM1FreedomAdmin" is unable to access the database "master" under the current security context.
If the default database for FreedomAdmin is Freedom (and it is - I checked from my sysadmin login account), why can't I login. Must I give FreedomAdmin permissions to master?
I've installed SQL 2005 Express Addition which created a default database using Windows Authentication -- MachineName/SQLEXPRES. I want to convert some access databases to sql server in the migration assistant, however, when I try to connect the migration assistant to the default database I can't find the database in the drop down box wizard? I'm perplexed? Please shed some light or point me to some articles that will help. Thanks.