Schemas, Users, Logins, Database Roles, Application Roles

Mar 5, 2006

Hello,

I am new user of SQL Server. I have some problems with these words. I want to make my database works in my specified permissions. I will specify permissions with schemas and these schema wants an owner. I want this owner should be my user. When creating a user it needs a valid login. I am selecting my login and it occurs and error says this login has an different user. I am specifying permissions with roles. But i can't make association all of them. I hope i told my problem to you as well. If you explain these words to me and tell me how can i do my database's works with my own schemas, users and roles i'll be grateful. Thanks for advices.

Happy coding...

View 4 Replies


ADVERTISEMENT

Newbie Questions On Schemas, Roles, Users & Logins

Apr 5, 2008

Sql 2005
I want to grate execute permissions on my stored procedures to a role. While creating the role, it asks for "schemas owned by this role".
To me, the schema is merely a namespace that allows you to group objects, but arent schemas such as db_datawriter roles that are central to the db and only admin type users should have ownership of these, correct ?

In a nutshell, I want to:
create a new role and assign a user to that role
with a stored procedure, grant execute permissions to this role

I was confused by the sql 2005 dialog that asks me to take ownership of roles such as db_datawriter, db_datareader etc, wouldnt that mess up other things with the database ?

help ...

I think its time I review all of the above items
role
user
login
schema

View 4 Replies View Related

Users/Roles/Schemas

Nov 27, 2006

I'm trying to find some documentation or procedures that will allow me to xfer existing users' roles, etc from sql2000 to sql2005.
When our sql 2005 database was restored on a new server (from sql2000), all of the database users were orphaned. I need to create identical server logins and then make the logins database users. It is also important to understand the significance of the new schema concept. The Microsoft SQL2005UpgradeTechRef.doc white paper does not explain any of this.
Ultimately, I would like to create a script for the above scenario once a sql2005 db is restored from a sql2000 db.
Could someone please help me out on this?

View 1 Replies View Related

Users/Roles/Schemas

Nov 27, 2006

I'm trying to find some documentation or procedures that will allow me to xfer existing users' roles, etc from sql2000 to sql2005.

When our sql 2005 database was restored on a new server (from sql2000), all of the database users were orphaned. I need to create identical server logins and then make the logins database users. It is also important to understand the significance of the new schema concept. The Microsoft SQL2005UpgradeTechRef.doc white paper does not explain any of this.

Ultimately, I would like to create a script for the above scenario once a sql2005 db is restored from a sql2000 db.

Could someone please help me out on this?

View 1 Replies View Related

Fixed Database Roles Vs Application Roles

Aug 24, 2006

After reading Books Online, I am still confused with Database Role vs Application role.

My intention is to control the end users' authority on the database, where the end users will access through Winforms client application. With proper assignment of schema and database roles to an user, I believe this will enough to control the permisison of an user.

If this is the case, why Application role exists? When and why should I use Application Role? How is it different from Fixed Database Role?

View 14 Replies View Related

I Cannot Get The SQL Server 2005 Roles, Schemas, Users Correctly Setup For Proper Access

May 16, 2008

I have been struggling with this for a while and cannot get it right. I have read countless articles on the internet as well as MSDN documentation about SQL Server 2005 and no success so far.

What I want is a database with multiple SCHEMAS, DATABASE ROLES and USERS in order to have a finer grade of security to access the various objects.

My schemas are (in order to simplify the situation and provide an example of the setup):

- [dbo] the standard DBO schema which is always default. Contains public objects.
- [com] a special module integrated into the system
- [ofc] contains objects used by back-office only
- [aud] contains objects used for auditing, etc.

Each of these schemas has their fair share of tables, views, functions and stored procedures which have been created appropriately (i.e. CREATE TABLE [ofc].[Addresses]), in other words prefixed by the name of the schema to which they belong.

Then I have created various database roles (don't confuse them with SQL2005 application roles) as follows:

- PublicRole mostly used for viewing, no data alterations
- WorkerRole used by front end processes that need write access to data in [dbo] and [aud]
- OfficeRole used by back-office for dealing with backoffice data (basically [ofc], [aud] stuff)
- AdminRole used by application administrator

Each of these database roles has been defined with owner 'dbo', none of them own any schemas. And last but not least to each of these roles I have selected the above named schemas (dbo, ofc, aud) as securables and for each of those securables schemas I have then given the correct set of GRANT/DENY on the Alter, Control, Delete, Execute, Insert, References, Select, Update, Take ownership and View definition.

As an example, the PublicRole role has been given the following permissions (Y=GRANT, N=DENY):

Table #1 of Application Permissions [dbo] [com] [ofc] [aud]Alter N N N N
Control N N N N Delete N N N N Execute Y Y N Y Insert N N N Y References Y Y N Y Select Y Y N Y Update N N N Y Take ownership N N N N View definition N N N N

And I have the following minimum set of database users defined (the server login has the same name):

- upublic, assigned to PublicRole
- uworker, assigned to WorkerRole
- uoffice, assigned to OfficeRole
- uadmin, assigned to AdminRole

As I understand when I assign these users to a particular custom Database Role, the users inherit the permissions granted to THAT role thus liberating me from having to assign the permissions to each and every user account on the same role.

What I expected was that when I logged in to the database with the upublic user account I would at least be able to view (SELECT at least) ALL the objects with the exception of those in th e[ofc] schema. Unfortunately the account is not able to access ANYTHING at all, I get an error like

"The SELECT permission has been denied on object XYZ, database DB, schema 'dbo'"

So, when I use Management Studio to look at the properties I selected the PublicRole and it showed the upublic user as a member of the role (Members of this role). So far so good.

Then when I switch to the Securables page for this role it shows all the schemas I defined and for each of them the same list shown in Table #1 except it has two lines for each permission, the first for Grantor dbo and the second for Grantor upublic. The first has the same permissions I assigned to the role (as shown on Table #1) but the 2nd does not show a checkmark on either GRANT or DENY!!! For example ([x] = checked, [ ] unchecked):

Table #2 Explicit permissions for Securable
Permission Grantor Grant Grant-with Deny
Select dbo [x] [ ] [ ] Select upublic [ ] [ ] [ ]

What am I doing wrong here? Apparently I then have to repeat the whole grant/deny for EACH and EVERY USER I define when the idea was that I would grant/deny on the database role and every member of that role would inherit those permissions automatically.

View 3 Replies View Related

Permissions Hierarchy - GRANT On Logins/users/roles

Jun 20, 2005

A question on the permissions hierarchy:
Since logins, database users, and database roles are both principals and securables - what does it mean to GRANT permission on a login/user/role to another principal? Does it mean that for a login - you can GRANT permission to EXECUTE AS that login or modify it, for example?

View 3 Replies View Related

Application Roles For Cross-Database Joins

Aug 25, 2005

I have an application that segregates data into two differentdatabases. Database A has stored procs that perform joins betweentables in database A and database B. I am thinking that I have reachedthe limits of Application Roles, but correct me if I am wrong.My application creates a connection to database A as 'testuser' withread only access, then executes sp_setapprole to gain read writepermissions. Even then the only way 'testuser' can get data out of thedatabases is via stored procs or views, no access to tables directly.Anyone know of a solution? Here is the error I get:Server: Msg 916, Level 14, State 1, Procedure pr_GetLocationInfo, Line38Server user 'testuser' is not a valid user in database 'DatabaseB'The system user is in fact in database A and B.thanksJason Schaitel

View 4 Replies View Related

Add User/Set Roles In Code And Read Roles

Jan 28, 2004

Can you write a stored procedure to add a user to your DB and set the roles the user belongs to?

I want to write a stored proc. to add users and set roles so it can be used in code instead of doing it manually.

After the user has been added and their roles set, can you write another stored proc. to give you what roles they belong to?

View 3 Replies View Related

SQL Server Roles && ASP.NET 2.0 Forms Authentication Roles

Jun 16, 2006

Apologies if my post does not fit into this forum. I initially tried the SQL Server Data Access forum but I now think my question is more security related.

Is it possible for a web user who has been successfully authenticated with forms authentication to be authorised to use a SQL Server 2000 role depending on a particular ASP.NET 2.0 role that they have been authorised to use? I understand that that I can assign a SQL Server 2000 role to the ASPNET or NETWORK SERVICE account but this will grant access to anonymous web users to the database role. I can ensure that I only call stored procedures which access sensitive data in web pages that are in restricted by ASP.NET roles. However, it would be nice to also restrict stored procedures via the ASP.NET 2.0 Forms Authentication roles.

If this is not possible have you got any bright ideas how I could restrict access to stored procedures who are anonymous web users.

Many thanks,

Mark

View 1 Replies View Related

SQL Server Roles, Windows Groups && ASP.NET Allow Roles

May 6, 2007

I'm developing an ASP.NET2.0 application which accesses a SQL Server 2005 Express database. I plan to use integrated security for access to the database.

I'm confused about the relationships between Windows groups, the ASP.NET web.config file <allow roles=.../> and SQL Server roles.

I would like to create a Windows group to which I can assign multiple users and grant that group access to a Web Site using windows authentication and also grant that windows group access to the database my web application uses.

I have gotten the combination of Windows Authentication to the web site and to the database to work for a specific windows user but I am having trouble determining the combination of database security entities I must create to allow access to my database by members of the windows group.

For a Windows user:

1. Create Windows user

In SQL Express

2. CREATE LOGIN FROM WINDOWS WITH DEFAULT_DATABASE =

3. CREATE USER FOR LOGIN

4. CREATE ROLE

5. EXEC sp_addrolemember <role-name> <user-name>



For a Windows group, what would be the equivalent commands necessary to grant a windows group access to my database? Specifying the Windows Group name in sp_addrolemember does not appear to be sufficient even though the documentation states that a windows group name is a valid value for the member name argument.






View 3 Replies View Related

Roles/users

Oct 4, 2004

Is there a script or can I make a script to find out what roles and what users are assigned to the roles are?

View 4 Replies View Related

Users And His Roles

Sep 16, 2006

How to generate script which can move users with his roles from one DB to another (SQL 2005) ?

View 1 Replies View Related

Changing From Users To Roles

Apr 2, 2008

Guys,

I have 2 users emp_rw (read write) and emp_ro in the database through which application accesses the database.

Now I would like to replace this users with roles and assign emp_rw, emp_ro to roles. Which roles should be created -
database roles or application roles what is the difference between application and database roles.

currently I execute the below statement to grant rights on database objects to emp and emp_ro users, can this be changed
to grant rights to role instead of user.

grant execute on <function name, procedure name> to emp_ro

Any suggestions and inputs would help.

Thanks

View 1 Replies View Related

What's The Difference Between Roles And Users?

Oct 12, 2005

Hi, all. I've got a question that's truly newbie. I've added logins to the "users" of a database, but I've never used the "roles" area. What's the difference? Is a role like a group account with some preset permissions?

View 3 Replies View Related

Using SQL Application Roles From ASP.NET

Nov 1, 2004

Hi there

Can anyone point me to a good tutorial or give me a run down on using Sql Application roles from my asp.net application. Books Online only give a run down on how to set it up - not how to implement or use it from my code. MSDN no help. Google - same thing.

Any help greatly appreciated.

Thanks in advance

View 2 Replies View Related

Application Roles?

Mar 20, 2008

We have a distributed app that creates it's own instance of sqlexpress when installing. This prevents anyone with sa rights on another instance from accessing our data directly (HIPAA compliance concerns). We are currently looking into making our app easier to install, and want to be able to attach our database to existing instance (if one exists), but still prevent the sa account of that instance from directly accessing/viewing our data. Are application roles the way to accomplish this, is there another way, or is this even possible?

Thanks in advance.

View 5 Replies View Related

Adding Roles/Users Using SQL Procedures...

Dec 3, 2003

Hi everyone out there in ASP.NET land.

Have a quick question...

How do I add a role and/or a user through code (Specifically SQL Statements). If not through SQL, then maybe VB.NET?

Thanks ahead of time,
Denvas

View 2 Replies View Related

Users Not Listed While Adding To Roles

Mar 5, 2000

Hi there NT Server,sqlserver 7.0, Integrated Security. I used "sp_attach_db" to attach a database to the sql server. The database has 3 standard roles with members in each of those roles. But i am not able to add a user to any of the roles through Enterprise Manager(No users are listed, except the other 2 roles). Also when i click "users" under the Database in EM, no users are listed except "dbo" with sa login. Luckily since some members are there in the roles, they are able to connect to the database. Also i am not able to add the user bcos the user exists in the public role and i get an error message "user already exists in DB". The user has logged into the NT and everything is fine. I copied the .mdf and .ldf files from a "Standard Security" Server.

View 1 Replies View Related

Simple Question: Users && Roles

Jul 23, 2004

SHORT VERSION
i am setting up roles, do i also have to set up role-people as users?

LONG VERSION
my db has two owners. both of us run the Access front end happily - everything works perfectly.

now i'm trying to add non-owner users.
i have set up ten people as datareader/datawriter (primitive, but will refine this later).
these people are not able to get into the db.
at the registering DSN stage they can't see the server in the list of servers and if they manually type \myserver they can't connect (doesn't exist or access denied).

in Enterprise Manager,
Users: shows only the two owners
Roles:datareader shows the ten non-owners (ditto datawriter)

am i supposed to setup my datareader/writers as users as well?
should i see them in the Users: list?

thanks for your time.

izy

View 2 Replies View Related

List Of Users + Roles + Rights

Feb 27, 2004

How can I generate a list/view of all users/groups with appropriate roles and rigths?

View 3 Replies View Related

Detach/attach Move Fails To Bring Over Roles & Logins Correctly

May 23, 2001

A database move was accomplished by detaching the database from the legacy server and attaching it to the new server. The servers ran NT 4, SP6a, SQL 7 SP2. The new server had the same name and IP as the old server.

However that process (detach attach) does not bring over the users (who had access to the database on the legacy systems) correctly.

Under databases, roles the users existed. Under security, logins they did not.

We were obliged to drop the roles and recreate the logins and assign new roles. In the case of an NT user group we were unable to drop it. We had to create a new one and add the users to that group under User Manager.


So far I have not found anything that deals with the user account/role problem.

We have to move a similar database tonight. Do any of you know of an alternative "move" that brings the user roles/logins across correctly?

Thanks in advance.

View 4 Replies View Related

Security- Application Roles

Jul 17, 2000

We are looking to make our applications as secure as possible. I am interested in how well Application Roles work to make security tighter.

Have you used Application Roles. If you have, I'd like to know if it helped provide better security or not and if it did, how was it implmented in you production environment. I already know how to get it set up, I'm just wondering if it's really worth the trouble.

Thanks!

View 2 Replies View Related

Application Roles For Sql 2000 And VB6

May 22, 2003

I may need to setup an application role(s) fro a SQL 2000 db that is being front-ended by VB6. There are 2 types of functions needed, and admin role with access to all tables, and a user role with access to only specific tables. I know from just a straight db roles, I could set up 2 roles, set their rights, and then add the users to these roles. My questions is if I need the same functionality for an Application role, do I need 2 Application roles, one for the admin, and the other for the user?

View 1 Replies View Related

Application Roles In SQL 2005

Jun 13, 2006

We have an an application that was written using OLE DB (ADO) against a SQL 2000 Server that uses an Application role to give rights to the database objects. It connects, calls sp_setapprole and goes on. If the database needs to LOCK a record, it is creating a new ADO Connection and instantiating the Approle again. This model has been working fine up til now.

Now we are installing a SQL 2005 server for the latest version of the product we are working on and are running into an error. The error is
Error: 18059, Severity: 20, State: 1.
The connection has been dropped because the principal that opened it subsequently assumed a new security context, and then tried to reset the connection under its impersonated security context. This scenario is not supported. See "Impersonation Overview" in Books Online.


It's happening when the second ADO Connection for locking a record is being created and the sp_setapprole is being executed.

One of my questions is what is the problem with executing the approle on a different connection? Our code has not changed, so obviously SQL 2005 is doing something different. The other is What can we do to correct this?

Is the resource pooling different? We had problems in the beginning with approles and figured out through research that we needed to add OLE DB Services=-2 to the connection string to turn off resource pooling.

Is there an extra step to using Approles in SQL 2005?

Any help would be greatly appreciated as we need to resolve this ASAP.



Thanks,

David

View 5 Replies View Related

Usin Application Roles

Apr 30, 2007


I want to test Application Roles security for our project, I guess it serves the purpose.
But the quesion I have is if a developer who can look at the application code know's the "Password" can he set the password from Query Analyser and get acess to the database.


Thanks!

View 4 Replies View Related

Oracle Predefined Roles Vs Ms Sql Roles

May 3, 2005

Hi! Can anyone say which ms sql server predefined roles are similar to the following oracle predefined roles: dba, connect, resource. I already know that sysadmin in MS SQL Server is the same as DBA in Oracle but what about the rest?
Thanks a lot.

View 4 Replies View Related

How To Decide On Server Roles And DB Roles

Mar 2, 2006

I am in the process of locking down the SQL Server in an environment that is considered to be in production (pilot stages) and there is no staging or test environment that mirrors it. I need assistance in determining the server and database roles to assign to existing logins, most of which currently have sa and dbowner rights. Because it is not a development environment, I need to be sure that downgrading the server and/or database level permissions will not break any functionality.

I'm starting with the logins that have the SA fixed server role. These logins need to be able to install applications that require the use of a backend database, which will be stored on SQL Server. In addition, through the installation process a new login/password for the newly created database(s) is normally created. For the existing logins with the SA fixed server role, will downgrading to the securityadmin and dbcreator roles be sufficient to facilitate those needs, or are those too much/ too little? And should any user account ever be granted the SA role? If so, what questions could I ask to determine this need?

Since these install process for these applications usually prompt to install using SA or local system account to authenticate to SQL to create the new database(s), that account should have securityadmin and dbcreator roles to create the database and its tables, as well as add a new login to that database.

Please address this question, keeping in mind that the logins will only be performing the described actions, installing apps using SQL Server as the backend database and adding a login to that database (which may or may not be done during the installation process).

Thank you,
nu_dba

View 1 Replies View Related

ASPNETDB Deploy With Users/Roles Security

Apr 10, 2007

I have developed a site on my local machine utilizing the built-in security/roles provides by ASP.NET 2.0.  I am trying to publish the web application to a production server.  It will publish correctly, however the ASPNETDB is not recognized.  The folder app_data is created with the proper database files.  My question is how do I set this up to use the data I have created in this database?  I've searched on how to accomplish this but haven't found any definitive answers.  I have found ScottGu's blog to be useful, but I was wondering if there is a different way.
1 - Do I push the data to a SQL Server install via SQL scripts?
2 - Can I link to the ASPNETDB that is created locally on my machine?
3 - If I make changes to the application and re-publish, is there a way to keep from overwriting the ASPNETDB on the server?
I am a unsure of how the built-in roles/security works when you are ready to push something to production.  If someone wouldn't mind pointing me in the right direction, it would greatly be appreciated.  Any literature, advice, links, etc.. would be great.
 
- Thanks
Andrew 

View 4 Replies View Related

SQL 2000: Users, Roles, Permissions Management

Jul 20, 2005

I am in need of a utility (stored procedure, third party app, etc)that will help streamline the process of managing and auditing objectpermissions, users and roles on multiple sql server 2000 instanceswith multiple databases on each instance. That's a quick overview ofwhat I need, do I need to be more specific?Thanks.

View 2 Replies View Related

Application Roles - Changing Password

Mar 13, 2007

Hello,

 

in SQL Server 2005 I have an application role that is being used to limit access to my server data from third party applications. Everything is working well, except changing the Application role password.

I set up a small form that allows an administrator to change the App Role password through the front end app. I cannot, however, seem to get the Password field in my approle to accept a parameter.

For example:

declare @newpassword varchar(128)

set @newpassword = 'foo'

ALTER APPLICATION ROLE MyApplicationRole

with PASSWORD = @newpassword

This procedure gives me a syntax error in the last line. It will accept a string in quotes but not a varchar parameter.

 

Ideas?

View 3 Replies View Related

Application Roles And Module Signing

Feb 12, 2007

Hi, Am migrating my SQL 2000 legacy app to SQL2005 and am dealing with restrictions on the underlying system tables. Have taken advice that Granting VIEW state to all users is heavy handed (especially meta data access at SERVER level). Now looking at Module signing which is great. I can supply SP's which target the few System table/ information schema fields that I require. Now I Sign the Sp's cool, now I grant exec rights to the application role (doesn't work). Create a db role and put my users in it, okay grant role exec on Sp's (fine they work).

However my application runs under an application role always, so my users rights are ignored and it appears that its only the users not the approles who can benefit from the module signing ? I know I can switch too and from approle using cookies but I seem to be going round in cirlces here.

Essentially is there any 'EASY' and 'CONTROLLED' way that my application user who has no rights, who immediately switches to the application role can see the dbName (All rows ) from master.sysdatabases ?

Thansk for any advice

View 7 Replies View Related

Diffrence Between Roles, Accounts, Login, Users Permissions And Groups?

Dec 20, 2000

I have jsut started using SQL server 7 and am having problems with accounts permissions, users,roles, groups, owners etc what are the differences?

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved