I am new to SQL Server authentication methodologies. I am trying to learn to create a read-only user who can access Azure SQL data from Power BI. I have followed the steps and created a login and user as suggested in this post. I am able to login to the database using 'login' and password as suggested here.
My concern is, as I created the user and assigned him the role of the 'db_datareader'; how does this guarantee that I can't modify something in another database(as there can be multiple user associated with login with a different role)? Is there any way I can directly login to the database using username?
About concerns:
My concern is, as I created the user and assigned him the role of the 'db_datareader'; how does this guarantee that I can't modify something in another database(as there can be multiple user associated with login with a different role)? Is there any way I can directly login to the database using username?
As we know, when we create the read-only user, we need follow bellow steps:
Create the Login in master DB.
Create the read-only user in user DB and mapping to the login.
Alter the 'db_datareader' role to the read-only user.
For Azure SQL database, the Login is used to login the Azure SQL Server and the user to access the database.
We can not alter database role to the login, it must be user level.
One login for one user. If you only grant the 'db_datareader' role to the user, it will be the read-only user for the current database.
For example, if the user "A" is created in database A, it only has the access permission to database A. If you only grant the 'db_datareader' role to the "A", it will be the read-only user.
Ref: https://learn.microsoft.com/en-us/azure/azure-sql/database/logins-create-manage
Hope this helps.
Related
I am using azure sql ____.database.windows.net. in this database server I have two databases:
DatabaseA / staging
DatabaseB / production.
i need sql user login for only access to DatabaseB. Is it possible with create new sql user?
To give user access to a DB in Azure SQL, you will have to perform one of the following things:
create a user login in the master DB and then grant it access to appropriate DB
create a user account within a desired DB
Nonetheless, you can follow the below path. First, create a new login:
CREATE LOGIN <login> WITH PASSWORD = '<password>';
Then create a user inside a DB:
USE <DB-name>
CREATE USER <user> FOR LOGIN <login>;
GO
See more:
https://learn.microsoft.com/en-us/sql/t-sql/statements/create-user-transact-sql?view=sql-server-ver15#examples
https://learn.microsoft.com/en-us/azure/azure-sql/database/logins-create-manage
I'm transforming a legacy system that stores its users in a database (including credentials) to use Azure AD B2C for authentication.
My first step is to rewrite the frontal API (the API that serves the web client directly)
Because many other systems and database tables depend on the users table and its columns, I've decided on creating a db user for every new azure ad registration.
This is the problem, the user id in the database is the primary key, an auto incremented number.
The id that I extract from the access token claims is a ad object identifier, a GUID.
To be able to relate an ad b2c user entity to a database user entity, I will have to create a new column in the users table, AzureObjectId.
The problem is that now I would have to constantly do the conversion between AzureObjectId which I extract from the access token, to the database users id, because other database tables and other internal APIs that I access expect a database user id.
What would be the right way to tackle this?
What I can thinks of is
Transforming AzureObjectId to database user id during every interaction with the database or another internal API.
Once my API creates the database user, use the Azure AD B2C Graph API to add a new claim, database user id, to the user.
Both of these I want to avoid.
Is there someway to enrich the access token with the database user id?
I would go with second option as its a one time operation and system doesn't need to do the conversion every time.
Update with details
This seems to be a migration scenario as well. Check samples here
You will also need to use Restful api feature of custom policies as well.
During the signup process, execute a restful technical profile which will call an api in contoso (your) service to create user. The contoso service will return the database user id of the newly created user. This new userId can be used as a subsequent claim for the user and AzureADB2C will create the user with that extension property.
The another approach is what we discussed earlier. After signup the user can be created by the service and for the first call, service can insert a claim for itself with new database user Id.
Yes - use custom attributes
You can add custom attributes via the portal and select these to return them as claims in the token.
The Graph API link above shows how to create them programmatically.
So if you populate the database user id into the custom attribute you'll be able to return it in the token.
I am trying to create a new user for an application which uses CosmosDB. From the documentation, it expose a service method to create a new user.
I believe the created user can access the Cosmos DB provided the users are updated with certain permission to the collections
And my query,
Is there a service method to create a user with password? If not, any alternatives to do the same?
Is there a way to see the created users in Data Explorer rather than List Users?
1.Is there a service method to create a user with password? If not, any alternatives to do the same?
As I know, no such method in cosmos db. Based on this document, Azure Cosmos DB uses two types of keys to authenticate users and provide access to its data and resources. User and permission is resource token type here. It's meant to avoid the risk of master key exposure. It is authenticated by token,can't be password.
If do want to use password for authentication, maybe you just have to protect the token by password with your own logical code. Other words, you get the above resource token first then manage the mapping relationships between user and resource token by yourself.
2.Is there a way to see the created users in Data Explorer rather than List Users?
It can't be found on the portal now.You need to list users and permissions using sdk or rest api. You could commit feedback here to ask azure cosmos team to add this feature.
I have an Azure SQL Server with two databases for which I'm trying to use Azure Active Directory Integrated Authentication. One of these databases is critical and most of the users need to be granted only 'read' access for this database.
To add a new user with a 'Reader Role', I did the following:
Added the user with Reader role under Access Control(IAM) from the Azure portal.
The user wasn't able to connect after this step.
Then I tried adding the user using the following commands:
CREATE USER [name#domain.com] FROM EXTERNAL PROVIDER;
sp_addrolemember db_datareader, [name#domain.com];
The user is still not able to connect to the server using AAD Integrated Authentication. In both the cases I get an Anonymous Logon error.
Click to see the snip of the error message
Am I missing something? If not, is there any other way I can add users with specific permissions to the database?
Sorry for the delay, M.
Yeah, you've confused two different levels of access control; the IAM controls that you described (Reader role assignment) allows a user to view (read) the settings in the Azure Portal. Instead, I suspect you want a user (AAD authenticated) to be able to only read the data on the server. That's done via T-SQL and has nothing to do with the Access Control defined by the portal.
Now, you're attempting to create an external user (AAD access) on the database level, and you want them to have read permissions- make sure you've covered all the steps outlined here.
At a glance, the following may be necessary steps:
1.) Ensure that you've assigned an AAD admin for the SQL Server.
2.) Ensure that you're connecting to the database you want to create the users on, not the master db as you ordinarily would on a non-azure SQL Server instance. Create the user via T-SQL using the following:
CREATE USER <Azure_AD_principal_name> FROM EXTERNAL PROVIDER;
3.) Grant the user db_datareader permissions on that database:
ALTER ROLE db_datareader ADD MEMBER <Azure_AD_principal_name>
GO
I have two users (name#company.com) in our Azure AD that have been granted owner permissions to an Azure server via the Azure portal.
First, is it possible to create a login that links/pulls from Azure AD for these login credentials? I've searched and haven't found a specific answer to this, though my suspicion is no.
Second, I have created logins/users for the same database, however, while access to the server is fine, access to the database is denied. I have granted connect to the logins as well as executed sp_addrolemember as datareader to each for the database. In double checking my work, I had referenced several examples that show the same syntax I'm using for Azure logins/users, and yet access is still denied.
Any help would be appreciated.
Steve.
Code:
CREATE LOGIN [login_name]
WITH PASSWORD = N'password'
CREATE USER [user_name]
FROM LOGIN [login_name]
WITH DEFAULT_SCHEMA = dbo
GO
GRANT CONNECT TO [user_name]
EXEC sp_addrolemember 'db_datareader', 'user_name'
First, is it possible to create a login that links/pulls from Azure AD
for these login credentials? I've searched and haven't found a
specific answer to this, though my suspicion is no.
No. In Azure SQL Database you can only use users and logins created in Azure SQL Database - SQL Login.
Second, I have created logins/users for the same database, however,
while access to the server is fine, access to the database is denied.
I have granted connect to the logins as well as executed
sp_addrolemember as datareader to each for the database. In double
checking my work, I had referenced several examples that show the same
syntax I'm using for Azure logins/users, and yet access is still
denied.
Logins should be created in the Master db, while the users, grants and sp_addrolemember should be executed in the context of the targeted DB. If you executed sp_addrolemember in the Master database, your user will not have access to the targeted db.
Also, something important, when you try to connect to the DB with the new logins (and please note that to login to the db you use the login not the user), you have to explicitly select the database to which this new user has access!
My wild guess is that you have executed the create user, grantand sp_addrolemember in the context of your master database. Thus these users now have only access to the master database. You cannot grant explicit grants to other database when you are in the context of master.
It is possible to access Azure SQL DB with Azure AD users:
https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/
You can't use AD users to login to SQL server. Logins has to be created in the master database and you need to use that login to create user and permission grants by connecting the user database. However SQL DB V12 supports contained user where you don't need to create logins in the master any more. The login can be executed in the user database context itself and this will be very helpful if you setup Geo Replication for ( restore using Point in time restore feature of) for your database in Azure. Based on my experience, I would recommend contained users in Azure database.