As the Azure Account owner, I have universal access, and can make copies of my databases in the Portal.
However, my team members, who are members of Active Directory groups cannot. because their Target Server list is empty.
I have granted the AD groups access (via the Access Control menu option) to both our database severs (and the owning resource group). So they are able to access the database server, but still they are unable to see it in their list of Target Servers when they try to make a copy.
Does anyone know what permissions are required to populate the Target Server list when copying databases?
Thanks,
Max.
Please reference this document Copy database within Azure:
When you copy a database to a different SQL Database server, the security principal on the new server becomes the database owner on the new database. If you use contained database users for data access, ensure that both the primary and secondary databases always have the same user credentials, so that after the copy is complete you can immediately access it with the same credentials.
If you want to see target SQL Server, the AD group members also should have the permission to access other resources in your subscriptions.
Make sure they are in the same subscription or add the role(I tried reader, owner and contributor and works well) to the member from Subscription IAM,:
Hope this help.
Related
I'm trying to configure access to a Cosmos DB database that contains multiple containers. In our scenario we want different teams of users to have read and write permissions within specific containers only, if they were to attempt any access to another container then they should be denied.
I've been reading about role based access within Cosmos and it sounds exactly like what we need. So i'm trying to create custom roles for this but I'm getting confused by the different permissions available.
I can't embed images but the link below is the permissions i've found for containers within DocumentDB.
Link to permissions:
There's permissions such as Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write but it sounds like these are for the actual maintenance of containers themselves rather than the data within them. The set below that in the image mention the throughput of the container so that doesn't seem right either.
Previous material i'd seen mentioned that these roles were only available to create from something like PowerShell, however when I saw these within the portal I assumed that may have been outdated, but is that still the case?
Essentially, the setup I want is:
Role 1 given access to read and write items in container 1 only
Role 2 given access to read and write items in container 2 only
Also, as another quick side question. Are permissions additive? So can I create this role just for this purpose of accessing that container and then add it onto another more generic role, or would I need to include basic permissions that you would find in something like the Cosmos DB Account Reader Role?
The permissions you have are for management operations on Cosmos DB resources. The permissions you are looking for are these which are documented at Configure role-based access control with Azure Active Directory for your Azure Cosmos DB account
First step is to create a role definition for each container. You can use the Built-in role definitions such as Cosmos DB Built-in Data Contributor, or if you want to limit to discreet actions, you can build a custom role definition using az cli, PowerShell or ARM/Bicep.
Once you have your role definitions, you can then Create role assignments for each container to any service principal within your AAD tenant.
Last step is to Initialize our SDK with Azure AD. This is available for our .NET, Java, Python and JS SDK's. You will need to ensure you are using the correct version of our SDK's so best to upgrade if using older versions. To authenticate via AAD you need to create a client secret credential. The token from which, is what is passed to the Cosmos client when creating a new instance.
Lastly, you will want to use a custom query string when you want to access your data via the Cosmos Data Explorer. You may also want to restrict access to your data to only via AAD. To do this you will need to deploy an ARM template to your account (be sure to do a GET first so you don't accidentally destroy your resources). Then add "disableLocalAuth": true to the properties of the databaseAccount resource.
We are testing the process for azure data share and have set up source shares from SQL db on our primary azure domain and shared them to accounts on our secondary azure domain.
We can accept the share invite and successfully map the source SQL data to blob storage but when we attempt to map the same share to a target SQL db we get the error:
Mapping failed. Please check Troubleshoot Azure Data Share for help
and try again.
Data Share account's Managed identity is missing required permissions
on database. For more details, please refer to
https://learn.microsoft.com/en-us/azure/data-share/subscribe-to-data-share
We have followed all the troubelshooting tips and can confirm the Data Share external user has the 3 roles on the target db (db_datareader, db_datawriter, db_ddladmin).
We have also made the Data Share identity a SQL Db Contributor on the target SQL server.
Is there anything else we need to update or checks we can run to find out why the data share is not mapping to SQL target. We really need to prove this process before we offer it to our clients so any help that can be provided would be gratefully received.
Thanks
There are several permissions are needed or conditions to access Database from Azure DataShare resource's managed identity:
First Set Azure Active Directory Admin to yourself in SQL server. After becoming admin Connect through Azure Active Directory authentication to the Azure SQL Database using SSMS and then grant db_datareader permission to the Data Share Resource-Managed Identity while granting this permission, make sure you're connected to the database by Azure Active Directory authentication not SQL authentication.
In Azure SQL I can query what temp tables currently exist by using the query -
select * from tempdb.sys.tables;
However, I am not able to find who created these. Surely there must be a simple way to find out who created these temp tables! There are links which suggest things, but all of that works on SQL Server, not Azure SQL.
Permissions
Any user can create temporary objects in tempdb. Users can
access only their own objects, unless they receive additional
permissions. It's possible to revoke the connect permission to tempdb
to prevent a user from using tempdb. We don't recommend it because
some routine operations require the use of tempdb.
The tempdb system database is a global resource that's available to all users connected to the instance of SQL Server or connected to Azure SQL Database.
By default, server admin, database owner or a user with required permission can access the tables of tempdb.
This official article on tempdb database is related to Azure SQL Database. Please go thorugh for more details and better understanding.
This article says that an Azure subscription owner has access to all the resources in the subscription. However to get access to an Azure database, one must either be a user in the database, or be part of the Azure Admin AD group.
Can a subscription owner access the database regardless of the SQL security? If so, how?
The article you refer to gives a very high-level overview on RBAC roles provided in Azure.
It is important to understand these built-in roles that give access to the resources (the management plane) vs those that give access to the resource data (the data plane).
For example, many built-in roles give users access to data, for example: Storage and KeyVault.
As for databases, it all depends on the type of database engine your refer to. Each have specific particularities in terms of roles and permissions.
SQL Database is managed right in the SQL server. This link provides additional details on how this is done. SQL Database
Other modern database engines, such as Cosmos DB, come with different Azure Built-in roles (just like Key Vault or Storage). See this link in order to give you a better idea on the roles and permissions assigned for each roles. Role-based access control in Azure Cosmos DB
I have two Azure accounts, A and B
I have a sql server database created under subscription of Account A.
I want to move this sql server database to subscription of Account B.
You can do it all in SQL Server Management Studio
Connect to both Azure accounts in SSMS.
Right click on the source database and do Tasks -> Export data tier application
Save as a .bacpac file to your local disk
In the target connection, go to Databases, right click and choose Import data tier application
Choose Import from local disk and browse to the .bacpac file you just created
There is another way similar to what hawbsl has described. However instead of exporting data tier application to local disk, export it to azure blob storage.
So export database in Account A to azure blob storage in Account B:
Then in Account B go to your sql server and click import database:
This link will describe how to import database from blob file
There are 2 things that might help:
Moving resources between subscriptions
Subscription ownership transfer (to a different billing account)
I don't know anything about the latter, so unless somebody else has tips, it might be best to contact Support, if that's what you need.
In order to move resources between subscriptions, you'll need to make sure:
Both source and target subscriptions need to be in the same directory
One user account must have access to create and delete resources in both subscriptions
You need to move all SQL databases on that server at once
There may be other requirements, but those are the main ones I suspect you'll hit.
If subscriptions are in different directories, you can move the SQL server to a temporary, trial subscription, then move that subscription to the target directory (from the old portal), and finish the move in the new portal using the target directory.
If you're moving resources between organizations that use AAD accounts, you'll likely need to grant a Microsoft Account (e.g. outlook.com) access to each subscription and perform the actual move operation with that user. Don't forget to delete the subscription and remove the temporary user account from both subscriptions and directories after you finish the move.
Hopefully, that should be it. Of course, you could always just create a backup and restore that to a new server :-P
EDIT:
Have you looked into SSIS?
https://msdn.microsoft.com/en-us/library/ms141204.aspx