How would I programmatically go about limiting the access of a database in SQL Server 2000 to the database owner for that database? Example... if I right-click "Properties" on the "Northwind" database in Enterprise Manager, the Owner is listed as sa. How would I limit access for this database to just the sa login?
You could set the database to RESTRICTED_USER availability.
ALTER DATABASE MyDatabase SET RESTRICTED_USER
-- OR --
ALTER DATABASE MyDatabase SET RESTRICTED_USER WITH ROLLBACK IMMEDIATE
http://msdn.microsoft.com/en-us/library/ms190249.aspx
http://msdn.microsoft.com/en-us/library/aa275464(SQL.80).aspx
Some thoughts:
You can neither deny nor restrict the sa login at all, anywhere in a SQL Server instance
Do not use "sa" day to day
It makes more sense to limit to the members of the db_owner database role, per database (SET RESTRICTED_USER above)
The database owner id is fairly random: sa only owns this because sa created it, or ownership was changed to sa
Other than that, what is the reasoning behind your request?
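A way to apply and verify the RESTRICTED_USER setting discussed in the answers above, as an added example that is not part of the original posts. MyDatabase is the placeholder name from the first answer; it assumes you run it as a member of sysadmin or db_owner.

```sql
-- Added example. MyDatabase is the placeholder database name from the answer above.

-- 1. Review who will still be able to connect once RESTRICTED_USER is set:
--    members of db_owner in the database, plus the sysadmin and dbcreator server roles.
USE MyDatabase;
EXEC sp_helprolemember 'db_owner';
EXEC sp_helpsrvrolemember 'sysadmin';
EXEC sp_helpsrvrolemember 'dbcreator';

-- 2. Restrict access. ROLLBACK IMMEDIATE rolls back open transactions of
--    other sessions instead of waiting for them to finish.
USE master;
ALTER DATABASE MyDatabase SET RESTRICTED_USER WITH ROLLBACK IMMEDIATE;

-- 3. Confirm the access mode now in effect
--    (possible values: SINGLE_USER, RESTRICTED_USER, MULTI_USER).
SELECT DATABASEPROPERTYEX('MyDatabase', 'UserAccess') AS UserAccess;

-- 4. Return to normal access when the maintenance window is over.
ALTER DATABASE MyDatabase SET MULTI_USER;
```

Step 1 matters because the restriction is by role membership, not by the owner login shown in Enterprise Manager.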
I'm working on a query editor in which user enters a SQL query and in code behind I pass this query to a SqlCommand and execute it and display result to the user.
But there is one problem: how can I access all the databases in SQL Server which the user created? How can I set initial catalog= to access all databases in SQL Server, so that when the user enters any query, it will be executed against all those databases?
For example:
use db_compiler
select * from std
use student
select * from student
So I'm going to say this - what you are requesting to do is a fundamentally BAD idea. SQL Injection is a concern among many, many other things.
However, if you want a list of the databases to set initial catalog, check out the answer to this question:
SQL Server query to find all current database names
You don't need to set the initial catalog in order to be able to access other databases.
The ability to access another database is determined by the permissions of the login. If the login has permission to access the other database, you can use the three-part naming convention to access it.
For example, even if the initial catalog is DB1, it will be able to access TABLE3 in DB2:
SELECT *
FROM [DB2].[SCHEMA].[TABLE3]
For example instead of
use db_compiler
select * from std
you can
select *
from db_compiler.dbo.std
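Because both answers come down to what the connecting login is permitted to do, here is an added example (not from the original posts) of running the query editor under a dedicated read-only login and listing the databases it can reach. QueryEditorLogin, QueryEditorUser and the password placeholder are hypothetical; db_compiler, student and std are the names from the question. It uses SQL Server 2005 or later syntax.

```sql
-- Added example. QueryEditorLogin / QueryEditorUser are hypothetical names;
-- replace the placeholder password with a real secret.
CREATE LOGIN QueryEditorLogin WITH PASSWORD = '<placeholder-strong-password>';
GO

-- Map the login into each database the editor may read, read-only.
USE db_compiler;
CREATE USER QueryEditorUser FOR LOGIN QueryEditorLogin;
EXEC sp_addrolemember 'db_datareader', 'QueryEditorUser';
GO
USE student;
CREATE USER QueryEditorUser FOR LOGIN QueryEditorLogin;
EXEC sp_addrolemember 'db_datareader', 'QueryEditorUser';
GO

-- Check the result from the login's point of view (requires IMPERSONATE rights).
EXECUTE AS LOGIN = 'QueryEditorLogin';

-- User databases this login can enter; database_id 1-4 are the system databases.
SELECT name
FROM sys.databases
WHERE HAS_DBACCESS(name) = 1
  AND database_id > 4
ORDER BY name;

-- Three-part names work regardless of the connection's initial catalog.
SELECT * FROM db_compiler.dbo.std;
SELECT * FROM student.dbo.student;

REVERT;
```

With this setup a query typed into the editor can read from the two mapped databases but cannot modify data or reach databases where the login has no user.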
I want to check if a database is working as a "Publisher" to other databases.
To do this I was planning on checking if the database "distribution" exists on that instance.
After reading this I thought I could just do
new SqlCommand("SELECT name FROM master.dbo.sysdatabases WHERE name = @name")
and solve my problem... but I don't have that table in my database.
Is there another way to solve my problem?
If you want to know if a database is a publisher then looking for a distributor is the wrong check. A database can have a remote distributor, in which case you'll get a false negative. Or the distributor may exist but the database may not be a publisher, in which case you get a false positive. Not to mention that the distribution DB may have any name, so looking for a database named distribution is also wrong.
The proper way to do it is to use the built-in replication helper procedures:
exec sp_helppublication will return information about all publications in a database. If the database is not a publisher, it won't return anything (your cue to action).
exec sp_helpdistributor will return information about the distributor of a publisher
exec sp_helpdistributiondb will return information about a distribution database
In addition, the simple facts whether the DB is a publisher, subscriber or distributor can be discovered in sys.databases:
is_published: Database is a publication database in a transactional or snapshot replication topology.
is_merge_published: Database is a publication database in a merge replication topology.
is_subscribed: Database is a subscription database in a replication topology.
is_distributor: Database is the distribution database for a replication topology.
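The sys.databases flags listed above can answer the publisher question directly, without relying on the distribution database's name. This is an added example, not code from the original answer; the database name assigned to @name is a hypothetical placeholder, and the queries need SQL Server 2005 or later.

```sql
-- Added example. N'MyPublishedDb' is a hypothetical database name.
DECLARE @name sysname;
SET @name = N'MyPublishedDb';

-- Replication roles of one database. A database is a publisher if it is
-- published for transactional/snapshot replication or for merge replication.
SELECT name,
       is_published,
       is_merge_published,
       is_subscribed,
       is_distributor,
       CASE WHEN is_published = 1 OR is_merge_published = 1
            THEN 1 ELSE 0
       END AS is_publisher
FROM sys.databases
WHERE name = @name;

-- Distribution databases on this instance, whatever they are called.
-- An empty result does not rule out a remote distributor.
SELECT name
FROM sys.databases
WHERE is_distributor = 1;
```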
Assuming you have sufficient permissions to view database metadata you can use
SELECT CASE
WHEN DB_ID('distribution') IS NULL THEN 0
ELSE 1
END AS distributionExists
select *
from sys.databases
where name = @name
Very close. It looks like that is a SQL Server 2000 catalog view. What you are looking for is querying sys.databases.
I created a login to connect to SQL SERVER.
create login bobLogin with password = 'bobpass' , default_database = bobDB
But when I connect to SQL Server using this, it does not connect, because it needs a user.
So I created a user:
create user bobDB_USER for login bobLogin
Then I connected to SQL Server using bobLogin and tried to create a table:
create table bobDbTable(eid int)
which gives a permission denied error.
So I granted permission:
GRANT CREATE TABLE TO bobDB_USER
Then I again connected using bobLogin and tried to create a table, but it gave an error:
The specified schema name "dbo" either does not exist or you do not have permission to use it.
Why so? It's creating the table in the dbo schema, is that why? So how do I grant him this permission?
I don't want to create a new schema. Is it necessary?
You would need to GRANT ALTER ON SCHEMA::dbo TO bobDB_USER to allow objects to be created in the dbo schema.
I would also use a Role too.
create role bobDB_ROLE
EXEC sp_addrolemember 'bobDB_ROLE', 'bobDB_USER'
GRANT ALTER ON SCHEMA::dbo TO bobDB_ROLE
However, you could add bobDB_USER to db_owner if it requires these rights
EXEC sp_addrolemember 'db_owner', 'bobDB_USER'
Note: end user permissions are quite different to admin type rights. If 'bobDB_USER' is an end user, then they should not be creating objects
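To confirm that the role-based grants above give bobDB_USER exactly what the question needed and no more, the effective permissions can be checked by impersonating the user. This is an added example, not part of the original answer; it uses the names from the question (bobDB, bobDB_USER, bobDbTable) and assumes SQL Server 2005 or later and a caller allowed to impersonate the user.

```sql
-- Added example, using the names from the question and answer above.
USE bobDB;
GO
CREATE ROLE bobDB_ROLE;
EXEC sp_addrolemember 'bobDB_ROLE', 'bobDB_USER';
GRANT CREATE TABLE TO bobDB_ROLE;
GRANT ALTER ON SCHEMA::dbo TO bobDB_ROLE;
-- The direct grant from the question is no longer needed once the role has it.
REVOKE CREATE TABLE FROM bobDB_USER;
GO

-- Check the effective permissions as the user would see them.
EXECUTE AS USER = 'bobDB_USER';

SELECT HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CREATE TABLE') AS can_create_table,
       HAS_PERMS_BY_NAME('dbo', 'SCHEMA', 'ALTER')              AS can_alter_dbo_schema,
       IS_MEMBER('db_owner')                                    AS is_db_owner;

-- Everything the user holds on the dbo schema, directly or through roles.
SELECT permission_name
FROM fn_my_permissions('dbo', 'SCHEMA');

-- The statement that failed in the question; both permissions are required.
CREATE TABLE dbo.bobDbTable (eid int);
DROP TABLE dbo.bobDbTable;

REVERT;
```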
I am using SQL Server Express 2005.
I have a single database myDB
I have created a Login L-1 with user U-1 on database myDB.
To connect to database myDB I found 3 ways:
1(a) - After creating the login L-1 with default database = myDB, I had to create a user U-1, and then when I connected to SQL Server, it connected.
I used this query:
create login [L-1] with password = 'passL1', default_database = myDB
use myDB
create user [U-1] for login [L-1]
Meaning, creating a user inside a login gives the user connect permission implicitly. Am I right?
1(b) - I didn't create any user U-1, but executed this:
use myDB
exec sp_grantdbaccess 'L-1'
This also let me connect, the reason being that SQL Server added a user named L-1 implicitly in the myDB database. Am I right?
1(c) - This time also, I didn't create any user U-1, but I executed this:
exec sp_changedbowner 'L-1'
This also let me connect, the reason being that SQL Server added a user named L-1 implicitly in the myDB database. Am I right?
Now, I want to give the user U-1 created in 1(a) the following permissions:
Create Logins L-2,L-3
Create Users U2,U3 which can also connect to database myDB.
How do I do this?
Yes - calling sp_grantdbaccess or sp_changedbowner will just implicitly do what you would normally do with CREATE USER - no difference.
Calling CREATE USER explicitly is just clearer, more obvious what you're doing etc.
Also: don't use sp_grantdbaccess anymore - because:
"This feature will be removed in a future version of Microsoft SQL Server. Avoid using this feature in new development work, and plan to modify applications that currently use this feature. Use CREATE USER instead."
Source: Technet on sp_grantdbaccess
And don't use sp_changedbowner either - same reason:
"This feature will be removed in a future version of Microsoft SQL Server. Avoid using this feature in new development work, and plan to modify applications that currently use this feature. Use ALTER AUTHORIZATION instead."
Source: Technet on sp_changedbowner
I wrote a simple SQL script that creates my database:
create database [MaterialStream];
exec sp_addlogin N'MaterialStreamLogin', N'123', N'MaterialStream'
exec sp_adduser N'MaterialStreamLogin', N'MaterialStreamUser', N'db_owner'
And then couldn't connect to my database from ADO.NET. How can I set up credentials for my user?
Have you tried logging on as that user using Management Studio? It's possible it's defaulted to requesting a password change on first login or similar.
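The state the answer above suspects (a forced password change) and the other common reasons a SQL login cannot connect can be read from the server's metadata. This is an added example, not part of the original posts; it uses the login, user and database names from the question, needs SQL Server 2005 or later, and goes slightly beyond the answer by also checking the authentication mode and the user mapping.

```sql
-- Added example, using the names from the question above.

-- Login state: disabled, locked out, expired, or flagged to change its
-- password at next logon. Password policy applies only if is_policy_checked = 1.
SELECT name,
       is_disabled,
       default_database_name,
       is_policy_checked,
       is_expiration_checked,
       LOGINPROPERTY(name, 'IsMustChange') AS must_change_password,
       LOGINPROPERTY(name, 'IsLocked')     AS is_locked,
       LOGINPROPERTY(name, 'IsExpired')    AS is_expired
FROM sys.sql_logins
WHERE name = N'MaterialStreamLogin';

-- 1 means the instance accepts Windows authentication only,
-- so no SQL login can connect regardless of its password.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;
GO

-- Confirm the database user is mapped to the login (matching SID).
USE MaterialStream;
SELECT dp.name AS database_user,
       sp.name AS mapped_login
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
       ON dp.sid = sp.sid
WHERE dp.name = N'MaterialStreamUser';
```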