On my production system I login to SQL Server with CPSDOM\mconnors. When I execute 'SELECT CURRENT_USER;' it returns 'CPSDOM\mconnors'.
On my test system I login to SQL Server with CPSDOM\mconnors. When I execute 'SELECT CURRENT_USER;' it returns 'dbo'.
Can someone help me understand what is going on? Is this difference based on a configuration setting?
Thanks in advance.
There's a difference between a login and a user on SQLServer.
Each database has a set of users and a set of logins. Logins are server-wide, users are per-database. The login can be your Windows user account or a SQLServer internal one (eg sa).
The login is mapped to a user for each database, so in the production system you have your windows user (the login) mapped to a user with the same name. In the test system they just mapped your login to the inbuilt dbo user.
You should not rely on your login being the same name as the windows account, when you setup security for the sql server, it will default-map your windows user to a new sql user of the same name, but sometimes people map it to pre-defined sql users, and sometimes for dev/test to one of the 'admin' users that already exist.
You can see this mapping in the security section of SQLServer management studio, or in the users section of the individual database.
Related
I have a database that somebody else has built and I need to attach it on my SQL Server. The main user that owns schemas is named 'LSadmin'.
I want to use that same name for login to the server, and then have the rights for that login to access the database.
For some reason a login already exist LSadmin but it does not have any rights to access the attached database. When I want to Map the login to the database and give it datawritter and datareader for example, SQL Server shows that a user already exists.
When I try to delete the user to recreate it, then I can't because it owns schemas.
I found two ways to resolve this. One is to give the login a sysadmin rights, which of course is not desirable, and the other one is to move schemas ownership to another user, and then give database rights through mapping.
Is there any other solution that is not so "complicated"?
I found a user in mssql 2008 database - domain\testuser2 with login domain\testuser2.
But I couldn't find this login by using Mssql Management Studio or in the system tables (sys.server_principals, sys.syslogins, sys.linked_logins, sys.remote_logins).
When I try to make another user with this login (CREATE USER _test FOR login [domain\testuser2]), the error is following: The login already has an account under a different user name.
So, this login is exist. Where could I find it? Is there some system tables or views?
I've solved this problem.
In MSSQL you can create database users with Windows Authentification without logins.
For example, you can successfully execute the following sql-query (even you haven't sql-login [MyDomainName\myWinLogin])
CREATE USER [MyDomainName\myWinLogin]
I have a website on a shared server . it uses Sql server as database ( also shared ) with an account limited to execute procedures . now I wonder if anyone who has access to sql server could read and manipulate my data without having my credentials ( by using thier own ) ? if so how can I track users logged into my database and more importantly stop them ?
There are two ways to connect to SQL using a SQL login or using windows authentication. These are your logins to the server. To then connect to the database you have to be granted rights to the database. So as long as your login is the only one that has been granted rights to the DB then you have no need to worry.
Depending on the rights you have on the DB could set up roles within the DB and allocate user(s) to the roles. This way the only way anyone can do anything in your db is if they are a member of the roles you have set up (or they have an SA account on the server or have also been set up with dbo rights on the database).
Again depending on what rights you have on the server you could set up a trace (google sp_trace_create and sp_trace_setevent) to capture logins to your database this writes to the harddrive of the server and then you can use fn_trace_gettable to query this data.
The problem goes beyond Execute permissions and logging access...
The bottom line is that you and your data are at the mercy of the the host. If they can be trusted and are competent, your data should be safe. However, if you are unsure, or if you are storing data that is too valuable to risk, your only choices are to either encrypt the data so that nothing useful can be gleamed from it and make sure you have a backup, or find a different host who will provide appropriate safeguards.
I have a SQL Server server which has around 50 databases on it.
I wish to create a new Login for a client who wishes to have access to their database.
But I don't want to give them access to the other 49 databases.
How can I do this?
I think this is what we like to do very much.
--Step 1: (create a new user)
create LOGIN hello WITH PASSWORD='foo', CHECK_POLICY = OFF;
-- Step 2:(deny view to any database)
USE master;
GO
DENY VIEW ANY DATABASE TO hello;
-- step 3 (then authorized the user for that specific database , you have to use the master by doing use master as below)
USE master;
GO
ALTER AUTHORIZATION ON DATABASE::yourDB TO hello;
GO
If you already created a user and assigned to that database before by doing
USE [yourDB]
CREATE USER hello FOR LOGIN hello WITH DEFAULT_SCHEMA=[dbo]
GO
then kindly delete it by doing below and follow the steps
USE yourDB;
GO
DROP USER newlogin;
GO
For more information please follow the links:
Hiding databases for a login on Microsoft Sql Server 2008R2 and above
Connect to your SQL server instance using management studio
Goto Security -> Logins -> (RIGHT CLICK) New Login
fill in user details
Under User Mapping, select the databases you want the user to be able to access and configure
UPDATE:
You'll also want to goto Security -> Server Roles, and for public check the permissions for TSQL Default TCP/TSQL Default VIA/TSQL Local Machine/TSQL Named Pipesand remove the connect permission
For anyone else out there wondering how to do this, I have the following solution for SQL Server 2008 R2 and later:
USE master
go
DENY VIEW ANY DATABASE TO [user]
go
This will address exactly the requirement outlined above..
this is to topup to what was selected as the correct answer. It has one missing step that when not done, the user will still be able to access the rest of the database.
First, do as #DineshDB suggested
1. Connect to your SQL server instance using management studio
2. Goto Security -> Logins -> (RIGHT CLICK) New Login
3. fill in user details
4. Under User Mapping, select the databases you want the user to be able to access and configure
the missing step is below:
5. Under user mapping, ensure that "sysadmin" is NOT CHECKED and select "db_owner" as the role for the new user.
And thats it.
Currently user using connections to both TEST and PROD instances using MS Access, and everything goes well. By using ABC user. Now user having problems with APPS user in TEST .
Also, user having the same problem with user XYZ in PROD instance. This user has the ‘SELECT ANY TABLE’ privilege, so it should be able to see the tables, but doesn’t work from MS Access.
Please suggest us.
If you're able to connect via a SQL connection (I'm assuming ODBC) then you'll be using a predefined set of credentials (i.e. you'll be passing a username and password to Access; probably through the connection string).
Chances are that if your user is unable to get into the database directly, their network (AD?) account is not configured with the same elevated privileges that the ODBC connection has.