SQL Server Roles, Windows Groups && ASP.NET Allow Roles
May 6, 2007
I'm developing an ASP.NET2.0 application which accesses a SQL Server 2005 Express database. I plan to use integrated security for access to the database.
I'm confused about the relationships between Windows groups, the ASP.NET web.config file <allow roles=.../> and SQL Server roles.
I would like to create a Windows group to which I can assign multiple users and grant that group access to a Web Site using windows authentication and also grant that windows group access to the database my web application uses.
I have gotten the combination of Windows Authentication to the web site and to the database to work for a specific windows user but I am having trouble determining the combination of database security entities I must create to allow access to my database by members of the windows group.
For a Windows user:
1. Create Windows user
In SQL Express
2. CREATE LOGIN FROM WINDOWS WITH DEFAULT_DATABASE =
3. CREATE USER FOR LOGIN
4. CREATE ROLE
5. EXEC sp_addrolemember <role-name> <user-name>
For a Windows group, what would be the equivalent commands necessary to grant a windows group access to my database? Specifying the Windows Group name in sp_addrolemember does not appear to be sufficient even though the documentation states that a windows group name is a valid value for the member name argument.
View 3 Replies
ADVERTISEMENT
Jun 16, 2006
Apologies if my post does not fit into this forum. I initially tried the SQL Server Data Access forum but I now think my question is more security related.
Is it possible for a web user who has been successfully authenticated with forms authentication to be authorised to use a SQL Server 2000 role depending on a particular ASP.NET 2.0 role that they have been authorised to use? I understand that that I can assign a SQL Server 2000 role to the ASPNET or NETWORK SERVICE account but this will grant access to anonymous web users to the database role. I can ensure that I only call stored procedures which access sensitive data in web pages that are in restricted by ASP.NET roles. However, it would be nice to also restrict stored procedures via the ASP.NET 2.0 Forms Authentication roles.
If this is not possible have you got any bright ideas how I could restrict access to stored procedures who are anonymous web users.
Many thanks,
Mark
View 1 Replies
View Related
Mar 2, 2006
I am in the process of locking down the SQL Server in an environment that is considered to be in production (pilot stages) and there is no staging or test environment that mirrors it. I need assistance in determining the server and database roles to assign to existing logins, most of which currently have sa and dbowner rights. Because it is not a development environment, I need to be sure that downgrading the server and/or database level permissions will not break any functionality.
I'm starting with the logins that have the SA fixed server role. These logins need to be able to install applications that require the use of a backend database, which will be stored on SQL Server. In addition, through the installation process a new login/password for the newly created database(s) is normally created. For the existing logins with the SA fixed server role, will downgrading to the securityadmin and dbcreator roles be sufficient to facilitate those needs, or are those too much/ too little? And should any user account ever be granted the SA role? If so, what questions could I ask to determine this need?
Since these install process for these applications usually prompt to install using SA or local system account to authenticate to SQL to create the new database(s), that account should have securityadmin and dbcreator roles to create the database and its tables, as well as add a new login to that database.
Please address this question, keeping in mind that the logins will only be performing the described actions, installing apps using SQL Server as the backend database and adding a login to that database (which may or may not be done during the installation process).
Thank you,
nu_dba
View 1 Replies
View Related
Mar 5, 2006
Hello,
I am new user of SQL Server. I have some problems with these words. I want to make my database works in my specified permissions. I will specify permissions with schemas and these schema wants an owner. I want this owner should be my user. When creating a user it needs a valid login. I am selecting my login and it occurs and error says this login has an different user. I am specifying permissions with roles. But i can't make association all of them. I hope i told my problem to you as well. If you explain these words to me and tell me how can i do my database's works with my own schemas, users and roles i'll be grateful. Thanks for advices.
Happy coding...
View 4 Replies
View Related
Jan 28, 2004
Can you write a stored procedure to add a user to your DB and set the roles the user belongs to?
I want to write a stored proc. to add users and set roles so it can be used in code instead of doing it manually.
After the user has been added and their roles set, can you write another stored proc. to give you what roles they belong to?
View 3 Replies
View Related
Aug 24, 2006
After reading Books Online, I am still confused with Database Role vs Application role.
My intention is to control the end users' authority on the database, where the end users will access through Winforms client application. With proper assignment of schema and database roles to an user, I believe this will enough to control the permisison of an user.
If this is the case, why Application role exists? When and why should I use Application Role? How is it different from Fixed Database Role?
View 14 Replies
View Related
Dec 20, 2000
I have jsut started using SQL server 7 and am having problems with accounts permissions, users,roles, groups, owners etc what are the differences?
View 1 Replies
View Related
May 3, 2005
Hi! Can anyone say which ms sql server predefined roles are similar to the following oracle predefined roles: dba, connect, resource. I already know that sysadmin in MS SQL Server is the same as DBA in Oracle but what about the rest?
Thanks a lot.
View 4 Replies
View Related
Apr 15, 2007
Hi,
I'm looking for some guidance/help regarding setting up a sa - lite account in SQL 2005. I need to give another admin rights to create/monitor maintenance plans, backup and restore databases, monitor performance/logins, but NOT be able to have any rights on several tables (and of course not being able to set user permissions).
I've tried using server and db roles but haven't been able to determine how to give someone w/o full sa rights access to maintenance plans.
If you can think of soemthing, please let m eknow.
Jenn
View 4 Replies
View Related
Mar 10, 2004
I have MS SQL Server 2000 DB.
I have created a User and created some tables for the same.
I created a Role named A and granted Select Permissions for few tables to that roles.
When I created another Role named B and added this role (A) to B, the permissions are not being xferred to B. Bcos of which, if i assign an User to Role B, he is not able to select the tables for which permissions have been given thru role A.
Note : If i give assign directly the user to Role A, it is working. But i want to assign User to role A only thru B.
View 1 Replies
View Related
Jul 13, 2004
Hi all,
I am facing some trouble in my asp.net application. We have decided to add some more security at the DB. Every user gets his own login in SQL-server. (I know for connection-pooling it is better to use the exact same connectionstring, but security is the most important fact in our project).
What I want to do is add sql-server roles to new created sql-server users. I can create sql-server users from my code and I can GRANT or DENY rigths to a specific table, but I don't know how to give a user a role.
Any ideas?
Thx,
BKT
View 4 Replies
View Related
Jun 18, 2004
Hi,
I want a user login to have permissions to view sql server jobs that they are not the owner of without giving them system administrator permissions,
Is there any way to do this?
View 1 Replies
View Related
Jun 14, 2008
Hi,
I have just received my notebook from my work, and Sql Server 2005 is installed on it. There are 2 accounts, the SA (i dont know this password), and my Windows account.
When I go to security - server roles; I see that only the SA account is assigned to the sysadmin role. But my account is not assigned to any server role and when I want to create a database I get the following error: CREATE DATABASE permission denied in database 'master'. (This is at my local database)
Is there anyway I can get passed this restriction? (without hacking my own pc?)
With kind regards
View 3 Replies
View Related
Nov 17, 2006
What roles or permissions does a user need to create stored procedures?
Jshurak - The International Businessman of Mystery
View 3 Replies
View Related
Aug 16, 2007
Hi,
I have some stored procedures that I use in my .Net application. These stored procs are created by the role of [dbo]. Now I want to deploy the application along with the database. On the live database I have created a new user, but I cannot give this user the role of dbowner. I have only given it the roles of public, dbreader and dbwriter.
Now the problem is that I am not able to execute my stored procedures. So what should be the solution for this problem. Should I modify my stored procs and create them with the role of public or should I give the user the role of a dbowner.
I also want to know, what is the best set of roles I should give a db User and yet not compromise the security of the database.
If any one knows the solution to my problem, please reply or provide some links that would help. Urgent
Regards
Vineed
View 7 Replies
View Related
Jun 26, 2001
After "copying" a SQL Srv DB from one server to the next, we have found that the permissions within the developer-created database roles did not transfer. How can we insert these permissions without doing it manually? Or can we create some type of DTS package that will bring the roles' permissions for us? Or how do you move a SQL database from one server to the next and get everything within it to come along??
View 3 Replies
View Related
Nov 1, 2004
Short of system administrator, does anyone know what server role a login must be assigned to in order to execute DTS package in Query Analyzer?
View 9 Replies
View Related
Jul 30, 2007
I am currently working on a SSIS configuration database. However, I am having trouble writing a script to get the the users that have each server role permissions. I'm pretty sure that I need to use sp_helpsrvrole, but am not sure where to go from here. If anybody has any ideas or has seen a script on the internet to get this then that would be a tremendous help.
Thanks in advance,
Kyle
View 1 Replies
View Related
Oct 24, 2006
I need to find out how to add roles to my SQL that is on a hosted server.I have created 2 roles, but after publishing and uploading my site, when I try and create a user, I get the error:"Exception Details: System.Configuration.Provider.ProviderException: The role 'userAtype' was not found."There are two other roles that the same happens with.Running it locally all was fine, I just didn't seem to get this info where it needs to be when I uploaded it.I'm new to messing about with SQL, so sorry if this is really elementary.I have VS2005 Standard, and the SQL Server Management Studio Express.The hosting provider I have does not allow remote connections to the DB on shared hosting, so I need to (?) generate a script to populate the DB? and run it in their browser-based Querry Window?How would I do this?Thanks.
View 4 Replies
View Related
Feb 18, 2015
I have seen the red down arrow for disabled, but I don't know what this means?
(I can't post an image is there a way to upload an image?)
It appears to be a little red tornado or down pin?
View 2 Replies
View Related
Oct 5, 2007
I wanted to set up a trigger to alter me or log to a table when someone is added to a server role. The event for the trigger I wanted to use is ADD_SERVER_ROLE_MEMBER. When trying to create the trigger, I get the following information:
"ADD_SERVER_ROLE_MEMBER" does not support synchronous trigger registration.
View 6 Replies
View Related
Mar 30, 2000
Hi
I've been stuck with this for a while - but now I really need to find an answer - maybe you kind-hearted guys can help.
At the moment, our security model is done via NT Trusted Connection; each NT user can belong to more than one NT groups, which in turn are members of roles within a SQL7 database.
This means that SQL Server 7 does NOT have individual NT user's login information.
At the same time, we have a table called "Personnel" which stores each of this NT user's specific ID value(let's called this field "RepID"). On entering the VB front-end, an API call which gets the current NT login can validate against this table "Personnel" and gets this ID value (as this value is stored in various other tables within the database).
Now it comes to a point that I need to filter a recordset out from another table whose record source depends on whether the RepID field value belongs to a certain role within the database. So far these two levels of security is not linked in anyway - I have yet to be able to find a way to do the filter (except to hard-code the whether the user is a role in a new field in the table "Personnel").
Is there a better way to do it? One that only involves stored procedures?
Problem is IS_MEMBER only returns information of current user - but I need to find out other RepIDs' roles too!
Any suggestions is welcomed.
Simon
P.S. Apologies for end up reading cross-post; as I am not sure whether it's purely SQL Server or a bit of NT Server involved too.
View 1 Replies
View Related
Sep 14, 1999
Hi Nerds
There are 2 production servers (SQL Server 6.5). One is publisher and the other one is subscriber. Data is replicated from publisher to subscriber which is a transaction based replication. Each day at 8:00PM data comes into publisher and the updations,replication,backup,reporting are carried out till 11:00AM next day. The subscriber server is used as a reporting server and the publishing server is used as the data warehouse server.
I want to cleanup a table on the publisher. Since it is replicated on the subscriber, can I do delete operation on the subscriber, make the subscriber server a publisher and the publisher server a subscriber, do replication from publisher(new) to subscriber(new) and again change publisher to subscriber and subscriber to publisher without affecting the production line of the databases. I have to do this between 11:00AM to 8:00PM.
Pranav.
View 1 Replies
View Related
Sep 10, 2012
Is there a simple SQL/stored procedure to assign a user to be db_owner on all databases in a SQL server?
In our env., we have SQL Server 2000, 2005 and 2008 ...
View 1 Replies
View Related
Jul 4, 2007
hello, I have developed a website using asp.net 2.0 and sql server 2005 express edition. I have used the built-in membership, roles and login controls in my website. now i need to change the database server. i have to use sql server 2000 instead. as asp.net 2.0 uses the ASPNETDB.mdf for member,roles and login controls, so how can i do it? i can easily export the database from 2005 to 2000 but how my application controls will know where to look at for those data. I am clueless. please help me. thanks in advance.
View 2 Replies
View Related
Jan 30, 2007
Hi,
I would like to create the folders Sales, Orders and Credit under the Home folder.
The Sales folder contains a set of reports that should be accessible to a group of users, similarly Orders folder contains a set of reports that should be accessible to a group of users.
I do not have facility to create user groups in SQL Reporting Service. I create a user group in my machine (from Control Panel) but Reporting service is not able to view this group.
I am able to add individual users to a folder, but I would like to check if I can create a group and then add users to this group.
Any help in how to resolve this issue.
Cheers,
View 3 Replies
View Related
Nov 24, 2007
Hi all:
[Posting this in the security forum because in this forum I found a related post.]
I have a problem with SQL Server 2005 and application roles and pooling. I needed to use application roles and I needed to use pooling at the same time for an application. I am using sp_setapprole and sp_unsetapprole. In order to ensure that the application role is always set and unset by the application, I actually developed a custom Data Provider based on the SqlClient Data Provider. I have a custom Connection and Command class that wrap the SqlClient versions. Upon opening my custom Connection class, I execute the sp_setapprole stored procedure. Upon closing or disposing the connection, I call sp_unsetapprole.
This works fine in 99% of my tests. However, I have three or four methods (always the same ones, but one only fails ever so often) that fail, but only under the following circumstances:
Pooling is turned on (but pool size doesn't matter)
I am using my custom Data Provider (using System.Data.SqlClient does not cause this issue... but I am also not using approles then)
When other tests have run in the same test run. I.e. when I run the failing methods by themselves in a test run, there is no problem.
So it seems to me that the problem is related to using application roles with pooling turned on. For scalability reasons, we cannot turn pooling off. When the methods fail, I see the following two (2) entries in the SQL Log:
Error: 18059, Severity: 20, State 1.
The connection has been dropped because the principal that opened it subsequently assumed a new security context, and then tried to reset the connection under its impersonated security context. This scenario is not supported. See "Impersonation Overview" in Books Online.
I understand the error message somewhat. However, I am not sure why the "reset" of the connection occurs. My code does not call reset anywhere, so it must be something that happens in the background.
I am reviewing code to see if there is possibly a situation where the sp_unsetapprole procedure does not get called or does not get called successfully, but there is a lot of code (in many custom components).
I would like to know if anyone has a suggestion on how to solve this problem, or, find the code that may be causing the problem.
Thanks in advance,
SA.
View 3 Replies
View Related
Sep 12, 2006
My question is I have a SQL Server running on Web Server which is a member of a 2000 Active Directory, I only grant access to the database via Global Groups from the Active Directory. When I log onto the database via Windows Authentication the actual user shows up in the master.dbo.sysprocesses table, I can tell what database that process is going to but not how that user is being translated to the Global Group that was actually given access. I need the actual database user name which is the Global Group name that had permissions granted via user defined database roles so that I can do some pre-processing in an ASP.NET application so that I know what parts of a form are updatable or not.
View 1 Replies
View Related
Mar 28, 2007
Hi!
I have developed a database in MS SQL Server 2005 Express, to which I would require only bulkadmin server role from an external java application, because I only need to update rows, insert values or use select queries in the database.
The problem is that, using either the Microsoft JDBC Driver 1.1 or the Java JDBC ODBC Driver and the Windows XP Data Base (ODBC) configurations, I need a user with sysadmin server role inside Sql Server, otherwise JDBC won't connect to the database using the selected user. Even if I leave the sql login with setupadmin or any server role lower than sysadmin, the connection is refused.
Is there no way to connect using JDBC to MS Sql Server 2005 other than granting the connected user sysadmin rights? My code looks as follows:
Code Snippet
String driver = "com.microsoft.sqlserver.jdbc.SQLServerDriver";
String url = "jdbc:sqlserver://FIREBLADE\SQLEXPRESS";
String user = "username";
String password = "password$$";
Connection conn;
Class.forName(driver);
conn = DriverManager.getConnection(url,user,password);
if (conn != null)
System.out.println("SQL Server Connection established ...");
I have heard that Java JDBC connections to Microsoft require high-level access.
Any informed answer is more than welcome. Thanks for reading my post!
View 1 Replies
View Related
May 16, 2008
I have been struggling with this for a while and cannot get it right. I have read countless articles on the internet as well as MSDN documentation about SQL Server 2005 and no success so far.
What I want is a database with multiple SCHEMAS, DATABASE ROLES and USERS in order to have a finer grade of security to access the various objects.
My schemas are (in order to simplify the situation and provide an example of the setup):
- [dbo] the standard DBO schema which is always default. Contains public objects.
- [com] a special module integrated into the system
- [ofc] contains objects used by back-office only
- [aud] contains objects used for auditing, etc.
Each of these schemas has their fair share of tables, views, functions and stored procedures which have been created appropriately (i.e. CREATE TABLE [ofc].[Addresses]), in other words prefixed by the name of the schema to which they belong.
Then I have created various database roles (don't confuse them with SQL2005 application roles) as follows:
- PublicRole mostly used for viewing, no data alterations
- WorkerRole used by front end processes that need write access to data in [dbo] and [aud]
- OfficeRole used by back-office for dealing with backoffice data (basically [ofc], [aud] stuff)
- AdminRole used by application administrator
Each of these database roles has been defined with owner 'dbo', none of them own any schemas. And last but not least to each of these roles I have selected the above named schemas (dbo, ofc, aud) as securables and for each of those securables schemas I have then given the correct set of GRANT/DENY on the Alter, Control, Delete, Execute, Insert, References, Select, Update, Take ownership and View definition.
As an example, the PublicRole role has been given the following permissions (Y=GRANT, N=DENY):
Table #1 of Application Permissions [dbo] [com] [ofc] [aud]Alter N N N N
Control N N N N Delete N N N N Execute Y Y N Y Insert N N N Y References Y Y N Y Select Y Y N Y Update N N N Y Take ownership N N N N View definition N N N N
And I have the following minimum set of database users defined (the server login has the same name):
- upublic, assigned to PublicRole
- uworker, assigned to WorkerRole
- uoffice, assigned to OfficeRole
- uadmin, assigned to AdminRole
As I understand when I assign these users to a particular custom Database Role, the users inherit the permissions granted to THAT role thus liberating me from having to assign the permissions to each and every user account on the same role.
What I expected was that when I logged in to the database with the upublic user account I would at least be able to view (SELECT at least) ALL the objects with the exception of those in th e[ofc] schema. Unfortunately the account is not able to access ANYTHING at all, I get an error like
"The SELECT permission has been denied on object XYZ, database DB, schema 'dbo'"
So, when I use Management Studio to look at the properties I selected the PublicRole and it showed the upublic user as a member of the role (Members of this role). So far so good.
Then when I switch to the Securables page for this role it shows all the schemas I defined and for each of them the same list shown in Table #1 except it has two lines for each permission, the first for Grantor dbo and the second for Grantor upublic. The first has the same permissions I assigned to the role (as shown on Table #1) but the 2nd does not show a checkmark on either GRANT or DENY!!! For example ([x] = checked, [ ] unchecked):
Table #2 Explicit permissions for Securable
Permission Grantor Grant Grant-with Deny
Select dbo [x] [ ] [ ] Select upublic [ ] [ ] [ ]
What am I doing wrong here? Apparently I then have to repeat the whole grant/deny for EACH and EVERY USER I define when the idea was that I would grant/deny on the database role and every member of that role would inherit those permissions automatically.
View 3 Replies
View Related
Aug 29, 2007
We would like to use the bulk insert function to import large CSV files into a SSE database however we have serious concerns regarding giving all our users these high privleges. Is there some way around this can we give them the privleges temporarily do the insert and take it away again or some other solution.
View 5 Replies
View Related
Sep 21, 2001
I need to grant select/viewing on a information_schema for a programmer. how do I grant this without granting server role "System Administrators".
Thanks,
Jason
View 1 Replies
View Related
Sep 21, 2001
I need to grant select/viewing on a information_schema for a programmer. how do I grant this without granting server role "System Administrators".
Thanks,
Jason
View 2 Replies
View Related
