SQL Server 2005 Schema And Security
Aug 7, 2006
Hi everyone,
I'm currently investigating the security improvements of SQL Server 2005. I've got some problems with the schemas introduced in SQL 2005 and security settings.
For my test I've created two schemas: UserManagement and Sales. A user "test" is attached to the UserManagement schema. There's a table Sales.Users containing a list of users (varchar) and a stored procedure named UserManagement.AddUser that can be executed by the UserManagement schema (GRANT EXECUTE, so "test" can execute the SP). UserManagement.AddUser simply inserts a new row into Sales.Users.
Because the Sales schema doesn't contain any user, nobody (except the sysadmin, of course) can do a INSERT/SELECT/DELETE in the Sales.Users table. As expected, the following SQL statement fails:
EXECUTE AS LOGIN='machine est';
INSERT INTO Sales.Users VALUES('Test User');
INSERT was not allowed: object 'Users', database 'test', schema 'Sales'.
The second way of inserting rows into Sales.Users is to execute the stored proc UserManagement.AddUser:
CREATE PROCEDURE [UserManagement].[AddUser]
WITH EXECUTE AS CALLER
AS
INSERT INTO Sales.Users VALUES('Test User');
The user "test" can execute this sproc without problems:
EXECUTE AS LOGIN='machine est';
EXECUTE UserManagement.AddUser;
(1 row(s) affected)To my astonishment the INSERT statement inside the stored proc does execute - although UserManagement.AddUser and Sales.Users are two different schemas. Why is that, is there a chaining happening? To my understanding SQL Server should test INSERT rights on Sales.Users for the UserManagement schema and deny the INSERT statement because UserManagement isn't allowed to INSERT in the Sales schema.
Any ideas? Help regarding the issue is greatly appreciated.
Best regards,
Alex
View 3 Replies
ADVERTISEMENT
Jun 8, 2007
So on my local server I have a username CWI. I have my main DB: CW.
CWI is the owner of 5 schemas on CW, and everything works great.
---
I now go and create a new DataBase called CWTest. I want to now add the user CWI to the security section of CWTest (The same way I did it in 2000).
However, now I get the error message:
"The login already has an account under a different user name."
When I created my DataBase, IT had the default user, but now I want to add another user so I can create my schemas.
---
On our live servers, we will have 100-300 Databases all using the same useraccount as the "God Mode" user.
Any advice?
View 1 Replies
View Related
Sep 27, 2007
Locally I develop in SQL server 2005 enterprise. Recently I recreated my db on the server of my hosting company (in sql server 2005 express).I basically recreated the tables and copied the data in it.I now receive the following error when I hit the DB:The 'System.Web.Security.SqlMembershipProvider' requires a
database schema compatible with schema version '1'. However, the
current database schema is not compatible with this version. You may
need to either install a compatible schema with aspnet_regsql.exe
(available in the framework installation directory), or upgrade the
provider to a newer version.I heard something about running aspnet_regsql.exe, but I dont have that access to the DB. Also I dont know if this command does anything more than creating the membership tables and filling it with some default data...Any other solutions/thought on what this can be?Thanks!
View 4 Replies
View Related
Jun 28, 2015
In some our dotabases I can see Schemas created with the same name as Domain User name (domainusername). Schema owner for those schemas is not dbo but the same user as in schema name. How this happens? Is any way to prevent or prohibit this?
View 9 Replies
View Related
Sep 17, 2007
If I understand how the schema security works, then if I grant a group CONTROL on the Sandbox schema and then give them CREATE TABLE on the database permissions. Then they will only have the ability to create tables under the Sandbox Schema.
So, the problem I am having is if I grant the group CONTROL on the schema and DELETE on the database, it changes the permission on all the schemas. The only way I see to fix this, is you have to go in and manually DENY DELETE on each the schemas that you don't want them to be able to perform deletes on.
Is this the inly way to do this? Or is there another way that I just haven't figured out?
Thanks,
Justin
View 1 Replies
View Related
Jan 18, 2008
Having a great deal of difficulty finding a good description or exposition on the use of SCHEMAS as it pertains to security principals. I've been working with DBs such as AD and Exchange for several years, and am familiar with the concept and use of SCHEMAS in these contexts.
Specifically ... what and why the necessity to map a (user?) schema to a login/user in SS2k5? Someone please provide a clear (simple ... not too techno-nerd) answer or provide a link to an article/faq/blog/thread where this concept is clearly and FULLY explained.
Thanks ...
View 4 Replies
View Related
Sep 23, 2015
I have created a user Finance and I want to grant him access only to see views which are created under Schema called "FinanceQuery".
Note: View may use tables from multiple schemas example: dbo. Staging. ect
By doing this, I want to achieve that this user Finance can see only Views created under Schema FinanceQuery and should not see any other objects (tables, Stored Procedures, Functions etc.)
View 3 Replies
View Related
Oct 22, 2015
I need to provide a User with below permissions:
1. Ability to read and write records in tables in both the X schema and Y schema
2. Ability to read metadata about objects in the X and Y schema
3. Ability to execute stored procedures in the X and Y schema
4. Ability to create and update the necessary schema objects used by X, including but not limited to tables, views, and indexes
5. CREATE FUNCTION permission
6. ALTER and EXECUTE permissions on the X schema
7. VIEW DEFINITION permission on the X and Y schemas to enable view export.
For the point 1, I will assign db_datareader,db_datawriter database roles to the user
For the point 2, when I have searched web, I found out ReadDefinition permission should be granted. I could find only viewDefinition but not ReadDefinition.
For the point 3, 'USE DataBaseName GRANT EXECUTE TO User; Go' - does this sql suffice?
For the point 4, I am not sure what should be done.
For the point 5, 'USE DataBaseName GRANT CREATE FUNCTION TO User; Go' - I guess this will work
For the point 6, Can I use same SQL as point 3 including ALTER ?
For the point 7, 'USE DataBaseName GRANT VIEW DEFINITION TO User; Go'
View 5 Replies
View Related
Apr 17, 2007
My developers would like a 'sandbox' database with full ddl and dml permissions, however, they do not want others to read/change/drop their objects. With SQL 2005, can DDL permissions be granted to a user at the schema level? I'd rather not set up a database for each developer.
View 3 Replies
View Related
Jul 22, 2015
One of our databases has at some point in its dark past had the owner of the guest schema changed to be a named user, rather than the default guest user. Correcting this feels like it would be easy enough by running the following...
ALTER AUTHORIZATION ON SCHEMA::guest TO guest
but that results in..
Msg 15150, Level 16, State 2, Line 3
Cannot alter the schema 'guest'.
I realise the guest schema is a special one, and cannot be dropped, but I'm not trying to do that. End goal is to export the database to a SQL Azure DB, and this guest schema assignment is blocking that process from completing.
View 4 Replies
View Related
Sep 27, 2006
A database was created in SQL 2000. We are going to move to sql 2005. So I attached a database to SQL 2005 and now I have a problem with name resolution. When I worked with SQL 2000 I did not put my schema's name before table name (select * from table1). The schema's name is my user name (IQA) and by default the schema name is a name of user who loged in. (in 2000)
Here is a problem with SQL 2005. The schema's name is still IQA. But I need to do select * from IQA.table1.
I created IQA login and IQA user is an onwer my IQA schema but I still can not do a select without schema name. I need to resolve this because VB.Net code has all select statement without schema's name. Need help!!!
View 4 Replies
View Related
Nov 9, 2007
I am using sql server 2005 express. When I created a new database my schema name was dbo and my stored procedures looks like this:
dbo.sp_name
Now when I am creating new sp:s my schema name has change to DOMAINUsername:
DOMAINUsername.sp_name
My webb application cant find any sp:s with this schema name and I don't now how to change schema name back to dbo. What has happened, what is this schema name and why has my schema name been changed!? Please help me out!
View 1 Replies
View Related
Sep 6, 2007
Information Schema is the part of the SQL-92 standard which exposes the metadata of the database. I have written a small article that exposes the same. Let me know your comments on the same. http://aspalliance.com/1380_Information_Schema_and_SQL_Server_2005
Uday Denduluri
Software Engineer
Refer my articles at http://aspalliance.com/author.aspx?uId=62740
View 5 Replies
View Related
Nov 26, 2007
Hi Group,(I am just starting with SQL Server 2005.)On SQL Server 7 I used often the nice relation schema, where I used todraw out the whole database, especially the Foreign Keys constraints.I found these relational schemas very handy to study an old database Ibuild a few years earlier that needs some updating.I tried to find such an utility in SQL Server 2005, but cannot find it.I did found the FK-constraints, but it is just an popup where I candefine them.The overview such a visual schema gave was really great and I miss it.Question: Is it gone in SQL Sevrer 2005, or do I just not know where tolook? If the latter, please guide me. :)Thanks for your time.Regards,Erwin Moller
View 1 Replies
View Related
Jul 11, 2006
I wonder how can I track the changes in the columns whether added, deleted or their name is changed and how can I test that?
your help is appreciated
View 9 Replies
View Related
Aug 29, 2005
Hello Everyone,
View 12 Replies
View Related
Apr 22, 2008
Hi,
While i trying to drop the user,i getting the following error:
(Microsoft SQL Server, Error: 15138)"
Now,i wanna change the owner of that schema,Which is associated with the schema,which i am trying to delete.
How to transfer the owner?
Plz help me.
View 1 Replies
View Related
Oct 13, 2006
do the following steps:1:Use Manage Studio login the server with Integrated security.2:Create a dabase named testdb;3:Create a SQL Server login named amber ,and set it to be dbowner oftestdb;4:Create a SQL Server login named guxiaobo ,set it's default databse tobe testbd,and in the testdb databse map login guxiaobo to userguxiaobo;5:Close Manage Studio and reopen it ,this time use login amber log tothe server.6:In database testbd create a databse role role1 owned by dbo;7:In database testdb create a schema schema1 owned by dbo;8:Set user guxiaobo to be member of role1,and set guxiaobo's defaultschema to be schema1;9:In the schema properties-schema1 dialog choose permissions,in theusers or roles listview I add role1 to it.in the explicit permissionsfor role1 listbox,I choose select /update/insert/delete/view definitiongrant checkboxes.and apply the selects.10:In the schema1 schema I create a table:create table a(a int ,bvarchar(10));11:In the dabase role properties-role1 dialog choose securables panel,int securable listview I add the schema1.a table( choose all thecolumns of table a for all permissions),and in explicit permissions forschema1.a I choose all for grant ,then apply the selects.12:Now I use login guxiaobo to log into dabase and issue "select * froma",but got a error msg saying guxiaobo has not enough permission toselect form table a.Does anyone has found anything I missed?
View 6 Replies
View Related
May 23, 2008
Hi all. I'm mapping FKs in a DataWarehouse and I'm wondering if there is a way to change the schema of a database diagram from dbo.
Thanks,
Charlie
View 2 Replies
View Related
Aug 17, 2006
We have a commercial VB.NET winforms client/server application that utilizes SQL Server 2005 express edition. The schema and data that the application utilizes is proprietary and could be very damaging if it got into a competitors hands.
Is there any way to protect the data and schema of a sql server 2005 express edition database?
Will this functionality ever be added?
Thanks
View 1 Replies
View Related
Jun 29, 2007
During web-site development, I am using VStudio 2005 with SQL-Express. I frequently publish changes to my web server that is running SQL- Server 2000 standard edition.
Is there a simple way to replicate changes in database tables design without copying the whole mdf-file and loosing the existing data in the target database?
thanks, Reinhard
View 3 Replies
View Related
Apr 14, 2006
Hi all !
I have a question regarding the security of SQL Server 2005 Express Edition.
What securities options that SQL server 2005 EE provide for its users?
I know that after I deploy my website to a hosting company or a web
server, my database file will be on the net. That means everybody can
type in the file name and download my database file then open it. Just
like that. For example, my database filename is EXAMPLE.MDF. then,
someone just goto my website, say
http://www.cool.com/app_data/example.mdf, and download the database.
To prevent that to happen, what the securities options that available to me beside putting password on my database file?
Thanks for taking time to answer my question. Any help will be appreciated. Have a good day!
View 7 Replies
View Related
Oct 11, 2006
Hi all,
Could anyone suggest me which is the recommended authentication mode for web applications with MS SQL Server 2005.
Also let me know how the new security features of MS SQL Server 2005 can be used for secured application access.
Thanks in advance
HHA
View 1 Replies
View Related
Mar 28, 2007
(1) To prevent unauthorised database access, is it ADEQUATE to delete / disable the BuiltInAdministrator login and the guest (database) user ?
(2) How can I delete / disable the BuiltInAdministrator login
in SQL Server 2005 Express ? It didn't allow me to disable or delete it.
(3) How can I delete / disable the guest (database) user
in SQL Server 2005 Express ? It didn't allow me to disable or delete it.
View 3 Replies
View Related
Jul 4, 2007
HI,
I am just starting out with SQL Server 2005 and really getting in a muddle with al the security stuff.
It seems i have LOGINS, DATABASE USERS, Server Roles, Database Roles, SCHEMAS and somehow they all tie in together. I am using Microsoft Press "SQL Server 2005 Implementation and maintenance" but it really isn't doing a good job of explaining it to me.
Can anyone point me to a reference that clearly explains all this stuff?
View 2 Replies
View Related
Jan 28, 2006
Hi All,
I have been building a database in SQL Server Express for some months now using the Windows level authentication login that has given me full access to everything in the database.
The time has now come where I need to create user accounts and grant permissions to specific stored procedures and I'm having trouble doing this.
Can anyone give me a brief rundown of the required T-SQL commands I need to set up a user account that can do nothing but run stored procs (not the system procs which apparently are being discontinued: http://msdn2.microsoft.com/en-us/library/ms182795.aspx).
So far I have:-
CREATE LOGIN db_test_user WITH PASSWORD = 'eXaMpL3Pwd
USE db_new
CREATE USER db_test_user
The above code executes successfully but when I try and connect (using Management Studio) I get error message 'The user is not associated with a trusted SQL Server connection (error 18452)' which means little to me.
I also tried creating a 'WITHOUT LOGIN' user for the database but could not figure out how to give it a password.
I don't know (/understand) roles/schemas and don't know if I really need them as I only need user access to specific stored procs. I don't ever want them to see the tables for example so they only need the most restricted access.
Can anyone help?
Thanks,
DG
View 2 Replies
View Related
Dec 14, 2006
I cannot block user access to tables. I have restriced accounts at theserver, database, group, schema, and table lavel and can still opentables right up.In other words, I have absolutely no security. Any ideas?
View 1 Replies
View Related
Jun 13, 2007
Does anybody have a link to either of these two documents. My company is getting ready to go through an audit and we need some firepower and to know what is expected. Any help with obtaining microsoft SQL Server 2005 best practices documents is appreciated.
-Kyle
View 3 Replies
View Related
Feb 2, 2008
Couple of questions for the SQL Server Guru's out there.
SQLServer 2005
Web Hosting Provider
Ok I am developing a Web application in ASP.NET with AJAX, etc. etc. It will be some time before it is ready to roll out. As a mockup I created the same application in Microsoft Access and Visual Basic (VS 2008), which I can link the tables to the hosting provider on the internet. Works very well and speed is very acceptable. The want to start utilizing it with the mockup distributed app that I created.
My question is, is how secure is the data that is moving from the local application to SQLServer 2005 with the web hosting provider ? Is there anything that I can do to increase security ?
Thanks, any thoughts ?
Appreciate any suggestions or comments.
View 1 Replies
View Related
Feb 27, 2007
Has anyone compiled a list of out of the box features to disable (like sql mail in 2000)? Or even just a general security checklist for 2005?
I'm looking for one similar to http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec04.mspx
View 1 Replies
View Related
Jul 3, 2007
Hi,
I wonder if SQL Server 2005 supports row based security?
I need to set some users to see data filtered by a specific field and value...
Example: User XPTO only sees data about vendor code = '123'
Is this possible in the box?
Best Regards,
View 1 Replies
View Related
Nov 5, 2006
Dear mems,
I have a problem, and i don't khow how to resolve, pls help me:
My server is Windows XP (not domain),
I work with SQL Server 2005, installed on my server,
I configurate my SQL SERVER connection is "Windows Authentication mode",
I add user "MyComputerguest" to MyServerSecutityLogins to accept connections from local network
I have many databases: Db1, Db2, Db3...
But, I don't know to configurate my SQL Server to achive these:
1) My clients using "SQL Server Managment Studio" connect to Databases Db2, Db3... on my Server, they can expand, modify, add new all Tables, Sp, functions of Db2, Db3.
2) My clients are not allow to access Db1.
2) My clients can add new Databases Db4, Db5, Db6... in the future and they have full permission on every Database which they create without my interfere.
Best regard,
View 1 Replies
View Related
Aug 20, 2006
if you run the following script it takes access from the windows admin from getting into sql server through windows auth. The issue is that the files that are attached logging as SA after that are read only. Is there any solution? When you try and switch the file to read write sql server gives an error saying that it cant read the mdf and ldf--gives a windows access error....
USE [master]
GO
IF EXISTS (SELECT * FROM sys.server_principals WHERE name = N'BUILTINUsers')
EXEC sp_dropsrvrolemember [BUILTINUsers], sysadmin
DENY CONNECT SQL TO [BUILTINUsers] CASCADE
GO
IF EXISTS (SELECT * FROM sys.server_principals WHERE name = N'BUILTINAdministrators')
EXEC sp_dropsrvrolemember [BUILTINAdministrators], sysadmin
DENY CONNECT SQL TO [BUILTINAdministrators] CASCADE
GO
IF EXISTS (SELECT * FROM sys.server_principals WHERE name = N'NT AUTHORITYSYSTEM')
EXEC sp_dropsrvrolemember [NT AUTHORITYSYSTEM], sysadmin
DENY CONNECT SQL TO [NT AUTHORITYSYSTEM] CASCADE
GO
View 4 Replies
View Related
