I had to move the data files from one driver to another. After moving the data files when I brought the database online it gave"Access denied" error and I found out that the reason was that the MSSQL$instance account did not have permission to the data file.
I right clicked on the folder and on the security tab tried to add the user to give the missing permission but could not locate the user. I had to do the following to find the user in the user list
To add the missing permissions
chose the local computer and type in "NT SERVICE\MSSQL$instance
Showing posts with label permissions. Show all posts
Showing posts with label permissions. Show all posts
Thursday, June 7, 2018
Thursday, July 14, 2016
db_executor role for user permission to execute all procedures
SQL Server has several fixed database roles such as db_datareader and db_datawriter, which grants the user read and write access respectively to all the tables in the database. Curiously there is no role to grant a user permission to execute stored procedures, but fortunately this is easily resolved by creating a new role.
The following SQL creates the new role in a database, and then grants it execute rights :
The following SQL creates the new role in a database, and then grants it execute rights :
-- Create a db_executor role
CREATE ROLE db_executor
-- Grant execute rights to the new role
GRANT EXECUTE TO db_executor
CREATE ROLE db_executor
-- Grant execute rights to the new role
GRANT EXECUTE TO db_executor
--then add a member to this role
Friday, February 19, 2016
SSIS error: Drop faield for user
I was trying to drop a user from SSIDB database and I encountered the following error -
The database principal has granted or denied permission to catalog objects in the database and cannot be dropped. The transaction ended in the trigger. The batch has been aborted. (Microsoft SQL Server, Error: 27226)
I ran the following query to find the permission of the user I am trying to drop
use SSISDB
GO
SELECT TOP 1000 [object_type]
,[object_id]
,[principal_id]
,[permission_type]
,[is_deny]
,[grantor_id]
, 'EXEC catalog.revoke_permission @object_type=' + CAST([object_type] AS VARCHAR)
+ ', @object_id=' + CAST([object_id] AS VARCHAR)
+ ', @principal_id=' + CAST(principal_id AS VARCHAR)
+ ', @permission_type=' + CAST(permission_type AS VARCHAR) [execute this]
FROM [SSISDB].[catalog].[explicit_object_permissions]
WHERE principal_id = USER_ID('usertodrop')
Then copied the contents of the [execute this] column in a new query window and executed it against the SSISDB database which revokes the permission .
Then I was able to drop the user.
The database principal has granted or denied permission to catalog objects in the database and cannot be dropped. The transaction ended in the trigger. The batch has been aborted. (Microsoft SQL Server, Error: 27226)
I ran the following query to find the permission of the user I am trying to drop
use SSISDB
GO
SELECT TOP 1000 [object_type]
,[object_id]
,[principal_id]
,[permission_type]
,[is_deny]
,[grantor_id]
, 'EXEC catalog.revoke_permission @object_type=' + CAST([object_type] AS VARCHAR)
+ ', @object_id=' + CAST([object_id] AS VARCHAR)
+ ', @principal_id=' + CAST(principal_id AS VARCHAR)
+ ', @permission_type=' + CAST(permission_type AS VARCHAR) [execute this]
FROM [SSISDB].[catalog].[explicit_object_permissions]
WHERE principal_id = USER_ID('usertodrop')
Then copied the contents of the [execute this] column in a new query window and executed it against the SSISDB database which revokes the permission .
Then I was able to drop the user.
Tuesday, January 19, 2016
List permission on a databse objects
use current_userdb
GO
select o.name , pm.permission_name,pr.name, user_name(pm.grantee_principal_id) from sys.database_permissions pm inner join
sys.database_principals pr
on pm.grantee_principal_id = pr.principal_id
inner join sys.objects o
on o.object_id = pm.major_id
where object_name(pm.major_id) = 'object1'
GO
select o.name , pm.permission_name,pr.name, user_name(pm.grantee_principal_id) from sys.database_permissions pm inner join
sys.database_principals pr
on pm.grantee_principal_id = pr.principal_id
inner join sys.objects o
on o.object_id = pm.major_id
where object_name(pm.major_id) = 'object1'
Friday, July 17, 2015
Work adeventure : Permission to view sql error log (ONLY)
I had a situation where I had to give a user permission to view the sqlerror log only. I achieved by doing the following
---Create a login DBA_error_logUser in the server
use [master]
GO
CREATE LOGIN [DBA_ErrorLogUser] WITH PASSWORD=N'123', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF GO
--Added the login to the securityadmin server role
EXEC master..sp_addsrvrolemember @loginame = N'DBA_ErrorLogUser', @rolename = N'securityadmin'
GO
--Created a user DBA_error_logUser with map to the login to grant access to the error logs
CREATE USER [DBA_ErrorLogUser] FOR LOGIN [DBA_ErrorLogUser] GO
--Deny Alter to any Login
DENY ALTER ANY LOGIN TO DBA_ErrorLogUser GO
--Grant permission to view Sql Server Logs for the user
Grant EXECUTE ON master.sys.xp_readerrorlog TO DBA_ErrorLogUser GO
--Create a log on Trigger to deny access to Query Window
IF EXISTS ( SELECT * FROM master.sys.server_triggers
WHERE parent_class_desc = 'SERVER' AND name = N'Deny_QueryWindowLogin_Trigger' )
DROP TRIGGER [Deny_QueryWindowLogin_Trigger] ON ALL SERVER
GO
Create TRIGGER Deny_QueryWindowLogin_Trigger ON ALL SERVER
WITH EXECUTE AS 'sa'
FOR LOGON AS
BEGIN
DECLARE @data XML
SET @data = EVENTDATA()
DECLARE @AppName SYSNAME, @LoginName SYSNAME
SELECT @AppName = [program_name] FROM sys.dm_exec_sessions WHERE session_id = @data.value('(/EVENT_INSTANCE/SPID)[1]', 'int')
SELECT @LoginName = @data.value('(/EVENT_INSTANCE/LoginName)[1]', 'sysname') IF @AppName= 'Microsoft SQL Server Management Studio - Query' AND @LoginName = 'DBA_ErrorLogUser'
BEGIN
ROLLBACK ; --Disconnect the session
END
END ;
- Create a login DBA_error_logUser in the server
- Added the login to the securityadmin server role ( to view sql error log the login must be the member of this server role)
- Created a user DBA_error_logUser with map to the login to grant access to the error logs
- Deny Alter to any Login
- Grant permission to view Sql Server Logs for the user
- Create a log on Trigger to deny access to Query Window
---Create a login DBA_error_logUser in the server
use [master]
GO
CREATE LOGIN [DBA_ErrorLogUser] WITH PASSWORD=N'123', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF GO
--Added the login to the securityadmin server role
EXEC master..sp_addsrvrolemember @loginame = N'DBA_ErrorLogUser', @rolename = N'securityadmin'
GO
--Created a user DBA_error_logUser with map to the login to grant access to the error logs
CREATE USER [DBA_ErrorLogUser] FOR LOGIN [DBA_ErrorLogUser] GO
--Deny Alter to any Login
DENY ALTER ANY LOGIN TO DBA_ErrorLogUser GO
--Grant permission to view Sql Server Logs for the user
Grant EXECUTE ON master.sys.xp_readerrorlog TO DBA_ErrorLogUser GO
--Create a log on Trigger to deny access to Query Window
IF EXISTS ( SELECT * FROM master.sys.server_triggers
WHERE parent_class_desc = 'SERVER' AND name = N'Deny_QueryWindowLogin_Trigger' )
DROP TRIGGER [Deny_QueryWindowLogin_Trigger] ON ALL SERVER
GO
Create TRIGGER Deny_QueryWindowLogin_Trigger ON ALL SERVER
WITH EXECUTE AS 'sa'
FOR LOGON AS
BEGIN
DECLARE @data XML
SET @data = EVENTDATA()
DECLARE @AppName SYSNAME, @LoginName SYSNAME
SELECT @AppName = [program_name] FROM sys.dm_exec_sessions WHERE session_id = @data.value('(/EVENT_INSTANCE/SPID)[1]', 'int')
SELECT @LoginName = @data.value('(/EVENT_INSTANCE/LoginName)[1]', 'sysname') IF @AppName= 'Microsoft SQL Server Management Studio - Query' AND @LoginName = 'DBA_ErrorLogUser'
BEGIN
ROLLBACK ; --Disconnect the session
END
END ;
Friday, January 16, 2015
script:User Permission
The following script creates a new user and lets the user create new objects and grant permission on the objects to other users
IF EXISTS (SELECT * FROM sys.database_principals WHERE name = N'user1')
DROP USER [user1]
create user [user1] for login [domain\user1]
EXEC sp_addrolemember db_ddladmin, [user1]; -- allows to create objects
EXEC sp_addrolemember db_securityadmin, [user1]; --allows to assign permission on objects
IF EXISTS (SELECT * FROM sys.database_principals WHERE name = N'user1')
DROP USER [user1]
create user [user1] for login [domain\user1]
EXEC sp_addrolemember db_ddladmin, [user1]; -- allows to create objects
EXEC sp_addrolemember db_securityadmin, [user1]; --allows to assign permission on objects
Friday, June 6, 2014
Permission: To list the permissions on a schema
--the schema name is testschema
select pr.permission_name as permissionName,s.[name] as schemaname,s.[schema_id], p.[name] as principal_name, p.principal_id as pricipalID
from sys.schemas s
inner join sys.database_permissions pr
on s.schema_id = pr.major_Id
inner join sys.database_principals p
on pr.grantee_principal_id = p.principal_id
where s.[name] = 'testschema'
select pr.permission_name as permissionName,s.[name] as schemaname,s.[schema_id], p.[name] as principal_name, p.principal_id as pricipalID
from sys.schemas s
inner join sys.database_permissions pr
on s.schema_id = pr.major_Id
inner join sys.database_principals p
on pr.grantee_principal_id = p.principal_id
where s.[name] = 'testschema'
Wednesday, January 15, 2014
Check a list of objects and permissions
--list views, procs, table
select o.* from sys.database_principals p inner join sys.objects o on p.principal_id = p.principal_id where p.name = 'GRP_App_Users' and o.type in ('U','V','P') and o.is_ms_shipped = 0
--select permissions of a group or user on a database
select p1.*,o.* from sys.database_permissions p1 inner join sys.database_principals p2 on p1.grantee_principal_id = p2.principal_id inner join sys.objects o on o.object_id = p1.major_id where p2.name = 'GRP_SQLReportingUsers'
--FIND SPS WITH EXECUTE PERMISSIONS ON A USER
SELECT [name] FROM sys.objects obj INNER JOIN sys.database_permissions dp ON dp.major_id = obj.object_id WHERE obj.[type] = 'P' -- stored procedure AND dp.permission_name = 'EXECUTE' AND dp.state IN ('G', 'W') -- GRANT or GRANT WITH GRANT AND dp.grantee_principal_id = (SELECT principal_id FROM sys.database_principals WHERE [name] = 'GRP_USERS_ABC') ORDER BY NAME
select o.* from sys.database_principals p inner join sys.objects o on p.principal_id = p.principal_id where p.name = 'GRP_App_Users' and o.type in ('U','V','P') and o.is_ms_shipped = 0
--select permissions of a group or user on a database
select p1.*,o.* from sys.database_permissions p1 inner join sys.database_principals p2 on p1.grantee_principal_id = p2.principal_id inner join sys.objects o on o.object_id = p1.major_id where p2.name = 'GRP_SQLReportingUsers'
--FIND SPS WITH EXECUTE PERMISSIONS ON A USER
SELECT [name] FROM sys.objects obj INNER JOIN sys.database_permissions dp ON dp.major_id = obj.object_id WHERE obj.[type] = 'P' -- stored procedure AND dp.permission_name = 'EXECUTE' AND dp.state IN ('G', 'W') -- GRANT or GRANT WITH GRANT AND dp.grantee_principal_id = (SELECT principal_id FROM sys.database_principals WHERE [name] = 'GRP_USERS_ABC') ORDER BY NAME
Tuesday, June 18, 2013
Giving execute permission to all stored procedures through a databaserole
I had a situation where I had to give a user( AD group) execution permission to all the sps.
- Created a role called db_executor data user role
USE pubs
GO
GO
exec sp_addrole 'db_executor'
GO
--added memebers to the role
USE pubs
GO
GO
exec sp_addrolemember 'db_executor', 'GRP_ProdSupport'
GO
--gave permission to execute the stored procedures to the role.
USE pubs
GO
DECLARE @SQL nvarchar(4000),
@Owner sysname,
@StoredProcedure sysname,
@Return int
-- Cursor of all the stored procedures in the current database
DECLARE cursStoredProcedures CURSOR FAST_FORWARD
FOR
SELECT USER_NAME(uid) Owner, [name] StoredProcedure
FROM sysobjects
WHERE xtype = 'P'
OPEN cursStoredProcedures
-- "Prime the pump" and get the first row
FETCH NEXT FROM cursStoredProcedures
INTO @Owner, @StoredProcedure
-- Set the return code to 0
SET @Return = 0
-- Encapsulate the permissions assignment within a transaction
BEGIN TRAN
-- Cycle through the rows of the cursor
-- And grant permissions
WHILE ((@@FETCH_STATUS = 0) AND (@Return = 0))
BEGIN
-- Create the SQL Statement. Since we're giving
-- access to all stored procedures, we have to
-- use a two-part naming convention to get the owner.
SET @SQL = 'GRANT EXECUTE ON [' + @Owner
+ '].[' + @StoredProcedure
+ '] TO db_executor'
-- Execute the SQL statement
EXEC @Return = sp_executesql @SQL
-- Get the next row
FETCH NEXT FROM cursStoredProcedures
INTO @Owner, @StoredProcedure
END
-- Clean-up after the cursor
CLOSE cursStoredProcedures
DEALLOCATE cursStoredProcedures
-- Check to see if the WHILE loop exited with an error.
IF (@Return = 0)
BEGIN
-- Exited fine, commit the permissions
COMMIT TRAN
END
ELSE
BEGIN
-- Exited with an error, rollback any changes
ROLLBACK TRAN
-- Report the error
SET @SQL = 'Error granting permission to ['
+ @Owner + '].[' + @StoredProcedure + ']'
RAISERROR(@SQL, 16, 1)
END
GO
GO
DECLARE @SQL nvarchar(4000),
@Owner sysname,
@StoredProcedure sysname,
@Return int
-- Cursor of all the stored procedures in the current database
DECLARE cursStoredProcedures CURSOR FAST_FORWARD
FOR
SELECT USER_NAME(uid) Owner, [name] StoredProcedure
FROM sysobjects
WHERE xtype = 'P'
OPEN cursStoredProcedures
-- "Prime the pump" and get the first row
FETCH NEXT FROM cursStoredProcedures
INTO @Owner, @StoredProcedure
-- Set the return code to 0
SET @Return = 0
-- Encapsulate the permissions assignment within a transaction
BEGIN TRAN
-- Cycle through the rows of the cursor
-- And grant permissions
WHILE ((@@FETCH_STATUS = 0) AND (@Return = 0))
BEGIN
-- Create the SQL Statement. Since we're giving
-- access to all stored procedures, we have to
-- use a two-part naming convention to get the owner.
SET @SQL = 'GRANT EXECUTE ON [' + @Owner
+ '].[' + @StoredProcedure
+ '] TO db_executor'
-- Execute the SQL statement
EXEC @Return = sp_executesql @SQL
-- Get the next row
FETCH NEXT FROM cursStoredProcedures
INTO @Owner, @StoredProcedure
END
-- Clean-up after the cursor
CLOSE cursStoredProcedures
DEALLOCATE cursStoredProcedures
-- Check to see if the WHILE loop exited with an error.
IF (@Return = 0)
BEGIN
-- Exited fine, commit the permissions
COMMIT TRAN
END
ELSE
BEGIN
-- Exited with an error, rollback any changes
ROLLBACK TRAN
-- Report the error
SET @SQL = 'Error granting permission to ['
+ @Owner + '].[' + @StoredProcedure + ']'
RAISERROR(@SQL, 16, 1)
END
GO
Permission to run a specific SQL job to a user
I added a user to the msdb database and gave him the SQLAgentUserRole but that gave him access to all the jobs, which is not what I wanted. This is the work around I followed....
USE msdb
GO
CREATE PROC dbo.Start_Job_MyJobThatAGroupControls
-- Executes as the database owner, for msdb that is 'sa'
WITH EXECUTE AS OWNER
AS
-- Hardcoding the job name limits this procedure's control
EXEC dbo.sp_start_job @job_name = 'MyProductionJobName'
GO
-- Grant Execute rights to your selected users
GRANT EXECUTE ON Start_Job_MyJobThatAGroupControls TO <usernames>
GO
This way the user will not have direct access to the job MyProductionJobName but through this wrapper sp it can run the job.
USE msdb
GO
CREATE PROC dbo.Start_Job_MyJobThatAGroupControls
-- Executes as the database owner, for msdb that is 'sa'
WITH EXECUTE AS OWNER
AS
-- Hardcoding the job name limits this procedure's control
EXEC dbo.sp_start_job @job_name = 'MyProductionJobName'
GO
-- Grant Execute rights to your selected users
GRANT EXECUTE ON Start_Job_MyJobThatAGroupControls TO <usernames>
GO
This way the user will not have direct access to the job MyProductionJobName but through this wrapper sp it can run the job.
Thursday, May 3, 2012
error:process could not execute 'sp_replcmds' error on Publisher with Remote Distributor
Today the replication failed on our Publisher. We have a transactional replication running from Publisher to the Subscriber and they are in two differnt machines, both using SQL 2008 R2. The exact error we got was
--STEP 1
exec sp_changedbowner [domain\user]
This made the [domain\user] account the owner and mapped it to dbo
--STEP 2
In SSMS find the replication and expand it
Expand the local publication folder
Select the publication and right click on it and seclet "View Log Reader Agent Status"
Stop the Agent and Restart the agent
Now all ther replications were back in sync.
I ran the follwoing query to see if they are back up running
select * from distribution..MSrepl_transactions order by entry_time
- Replication failed: process could not execute 'sp_replcmds' error on Publisher with Remote Distributor
- The database owner SID recorded in the master database differs from the database owner SID recorded in database 'databasename'
--STEP 1
exec sp_changedbowner [domain\user]
This made the [domain\user] account the owner and mapped it to dbo
--STEP 2
In SSMS find the replication and expand it
Expand the local publication folder
Select the publication and right click on it and seclet "View Log Reader Agent Status"
Stop the Agent and Restart the agent
Now all ther replications were back in sync.
I ran the follwoing query to see if they are back up running
select * from distribution..MSrepl_transactions order by entry_time
Wednesday, April 4, 2012
script: List the permissions of a user
I had a task where I had to list all the permission of a specific user on the database . The following script came to the rescue
SELECT dppriper USER_NAME(dppriper.grantee_principal_id) AS [UserName], .type_desc AS principal_type_desc, .class_desc, OBJECT_NAME (dppriper.major_id) AS object_name, .permission_name, .state_desc AS permission_state_desc
FROM sys.database_permissions dppriper
INNER JOIN sys.database_principals dppri
ON dppriper.grantee_principal_id = dppri.principal_id
WHERE
--dppriper.permission_name = 'EXECUTE'
USER_NAME(dppriper.grantee_principal_id) = 'myuser'
--**replace the myuser with the user we are looking for
--**If we want to find only the stored procedures that the user has perission on comment out the clause in the above query.
SELECT dppriper USER_NAME(dppriper.grantee_principal_id) AS [UserName], .type_desc AS principal_type_desc, .class_desc, OBJECT_NAME (dppriper.major_id) AS object_name, .permission_name, .state_desc AS permission_state_desc
FROM sys.database_permissions dppriper
INNER JOIN sys.database_principals dppri
ON dppriper.grantee_principal_id = dppri.principal_id
WHERE
--dppriper.permission_name = 'EXECUTE'
USER_NAME(dppriper.grantee_principal_id) = 'myuser'
--**replace the myuser with the user we are looking for
--**If we want to find only the stored procedures that the user has perission on comment out the clause in the above query.
Subscribe to:
Posts (Atom)