I would like to ask you if it is possible to proceed (in entity framework core):
context.Database.Migrate();
using database user without ddladmin permissions?
What I would like to achieve:
User without permission should not update migrations (without errors). However users with those kinds of permissions should be able to make migrations.
Currently, I am getting this kind of errors:
System.Private.CoreLib: Exception while executing function: xxx. Core
Microsoft SqlClient Data Provider: CREATE TABLE permission denied in
database 'xxxx'.
You have two options:
You give the user the db_ddladmin role
You add the create table grant to the user, like GRANT CREATE TABLE TO Joe AS dbo
I think the second one is what you are looking for.
Related
We use MSSQL for our C# .NET Framework 4.8 Application using Entity Framework for database related activities.
But on our production environment the SQL server has the Securable: View any database on Deny.
The database for the application exists but Entity Framework cannot see the database and tries to create it, this results in the CREATE DATABASE permission denied in database 'master' error.
I am using CreateDatabaseIfNotExists and MigrateDatabaseToLatestVersion in my Application_Start().
Now the issue (I think) lies with CreateDatabaseIfNotExists.
For the first run we give the db user enough rights to create and fill the database, it does this without problem.
But after the initial setup we remove those rights and the issue starts.
It tries to create the database, But it already exists.
And I am hoping there is a way to have both Automatic database creation/migration, and the View any database on deny securable.
Does anyone have a idea on how to solve this issue?
Is there some sort of option I could enable to stop this behaviour?
You should "wire in" IHostingEnvironment and make sure you run
CreateDatabaseIfNotExists and MigrateDatabaseToLatestVersion
only in certain environments.
===========
For DotNet-Core (NON asp.net-core) apps.
https://learn.microsoft.com/en-us/dotnet/api/microsoft.extensions.hosting.internal.hostingenvironment?view=dotnet-plat-ext-7.0
for asp.net-core.
https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.hosting.iwebhostenvironment?view=aspnetcore-6.0
....
Then you will use (probably an existing)
"Is" method:
https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.hosting.hostingenvironmentextensions.isdevelopment?view=aspnetcore-7.0
IsDevelopment
IsProduction
IsStaging
or you have the ability to "add your own environment".. with
IsEnvironment(string)
I would NEVER leave to "auto-voodoo" what might happen to the production database.
You can see this approach:
https://stackoverflow.com/a/60399887/214977
My program creates databases and tables at runtime. My understanding of Schema is it is a conceptual folder for multiple databases and databases tables. So I wrote some meaningless code just to test out what schema would do to my code.
My program use SQL Server Authentication instead of Windows Authentication, and create database and tables under the username of TmpUser instead of sa.
If I create a table by CREATE TABLE TmpTable, I get dbo.TmpTable for table name. If I explicitly type a new schema in CREATE TABLE abc.TmpTable, I then get the following exception because the schema does not exist:
SqlException: The specify schema name either does not exist or you do
not have permission to use it
I went into SSMS and manually create a schema by executing CREATE SCHEMA abc. SSMS outputs saying the schema of abc has been successfully created. But in SSMS Object Explorer > Security > I see no Schema name nor anything else named abc.
Where is my Schema? If abc was not created, then why was CREATE SCHEMA abc executed and what did it create?
I went back to Visual Studio and CREATE TABLE abc.TmpTable again, still I receive the same exception.
Your TmpUser has no right to access the schema.
Option 1
CREATE SCHEMA abc AUTHORIZATION TmpUser;
Quoted from https://learn.microsoft.com/en-us/sql/t-sql/statements/create-schema-transact-sql:
"AUTHORIZATION owner_name
Specifies the name of the database-level principal that will own the schema. This principal may own other schemas, and may not use the current schema as its default schema."
TmpUser will own the schema, therefore will have permission to access it.
Option 2
Explicitly granting permission to the TmpUser:
GRANT SELECT, UPDATE, DELETE, INSERT SCHEMA abc TO TmpUser;
See usage on https://learn.microsoft.com/en-us/sql/t-sql/statements/grant-schema-permissions-transact-sql
It's like Option 1, but you can fine grain permissions.
Option 3
Put TmpUser to some database roles, e.g. db_datareader:
USE MyDatabase
GO
ALTER ROLE db_datareader ADD MEMBER TmpUser
TmpUser will have read access to all schemas in the database.
Option 4
It is similar to Option 3, but instead of using built-in roles, create your own one:
USE MyDatabase
GO
CREATE ROLE myrole
GRANT SELECT, DELETE, INSERT, UPDATE, EXECUTE TO myrole
ALTER ROLE myrole ADD MEMBER TmpUser
Users in myrole will have read/write/execute access to all schemas in the database.
I am trying to use the SqlTableDependency class in my C# .Net application and I am unable to grant myself the required database permissions needed. Specifically, I need permissions:
ALTER
CONTROL
CREATE CONTRACT
CREATE MESSAGE TYPE
CREATE PROCEDURE
CREATE QUEUE
CREATE SERVICE
EXECUTE
SELECT
SUBSCRIBE QUERY NOTIFICATIONS
VIEW DATABASE STATE
VIEW DEFINITION
CONNECT
The error message states:
"An unhandled exception of type
'TableDependency.SqlClient.Exceptions.UserWithNoPermissionException'
occurred in TableDependency.SqlClient.dll. Additional information:
User with no CREATE MESSAGE TYPE permission"
I have tried granting myself the permission using this query:
GRANT CREATE MESSAGE TYPE TO dbo
but I get this error:
"Cannot grant, deny, or revoke permissions to sa, dbo, entity owner,
information_schema, sys, or yourself."
I have confirmed that dbo is the owner of my database.
I am running Sql Server 2008 R2.
How can I grant myself permissions to my server?
Whatever credentials you used in your connection string needs to be db_owner of database. I made that user as db_owner and it worked for me.
Make sure to do this:
Enable broker
ALTER DATABASE Your_db_name SET ENABLE_BROKER WITH ROLLBACK IMMEDIATE;
Go
Add to db_owner
ALTER ROLE db_owner ADD MEMBER Your_user_db_name
GO
Set authorization
ALTER AUTHORIZATION ON DATABASE::Your_db_name TO Your_user_db_name;
I hope this help.
My problem too.
When downgrade SqlTableDependency verson from 4.6.7.8 to 4.6.7, my code is running well :)
I'm trying to create new DB user for Firebird 2.5 DB from my C# application and geting an error "add record error no permission for insert/write access to TABLE USERS".
I've granted rdb$admin role to the user, created connection to DB using this role yet still i'm getting this error.
Wierdiest thing for me is that when i'm trying to create new user for my DB in IBExpert using same user settings and role (rdb$admin) it goes fine and I don't get eny errors.
What could be the problem? Why can't I execute SQL queries and procedures that update/insert in USERS table although I have appropriate role, that I'm using establishing connection?
I'm using latest FirebirdClient - ADO.NET Data Provider.
Connection string to the DB looks like this:
`"User=developer;Password=*****;Database=C:\DB.fdb;DataSource=*****;Port=*****;Dialect=3;Charset=NONE;Role=rdb$admin;Connection lifetime=15;Pooling=True;MinPoolSize=0;MaxPoolSize=50;Packet Size=8192;ServerType=0;"`
Can somebody help me with this problem?
I've found a solution - problem was that I forgot to GRANT ADMIN ROLE to the user by which I've executed procedure so I can't manage database users.
So GRANT ADMIN ROLE to user solved the problem.
I'm writing a small website in ASP.NET C#.
I've already made a database which will receive the user data and various other things.
Now I want to register users. I've found the MembershipUser and MembershipCreateStatus class and enum to be often used for this.
However, even though my database is seen in the Server Explorer of Visual Studio, I can't seem to link the User-creation to that database.
What I want is when I do this:
MembershipUser newUser = Membership.CreateUser(username.Text, password.Text, email.Text);
It ends up in the database and table of my choice. I can't find how to configure this.
The ASP.Net membership provider uses its own tables/stored procedures for storing user data.
http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
You can use your own table for profile info (that is, non-authentication information) using either the ProfileProvider or by using the guid assigned by in the aspnet_Users table as a key for your own table and retrieving the profile record after authentication occurs.
From the Visual Studio command prompt run the following:
aspnet_regsql -S [my server, eg: (local)\SQLEXPRESS] -E -A all -d [my database]
This will attach the ASP.NET user required stored procedures and tables to your database so that the built in Membership and Role Providers can actualy work.
use the WAT tool in VS to create your initial users if you need so you can test right away.