I have an azure hosted SQL database per customer. The customer is set up as a contained user to their own database with the following permissions (ALTER, CONTROL, DELETE, EXECUTE, INSERT, SELECT, UPDATE, CONNECT, VIEW DATABASE STATE).
I don't mind the customer making any changes to their database schema, but is it possible to make any changes to the logical server or access any other databases on the same server? Is the main security risk the customer creating other users on their database?
https://learn.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-2017
Thanks in advance.
If your database user is not created base on a logical server login,you don't have the permission to access multiple databases.
Please reference:
Controlling and granting database access to SQL Database and SQL Data Warehouse
As the link you provid said:
Users in a contained database that have the ALTER ANY USER permission, such as members of the db_owner and db_securityadmin fixed database roles, can grant access to the database without the knowledge or permission or the SQL Server administrator. Granting users access to a contained database increases the potential attack surface area against the whole SQL Server instance.
When the customer is creating any other database users, please be very careful about granting users the ALTER ANY USER permission.
Related
I have a successful connection from Azure data Factory to my Azure Sql db .And I have set the AAD Admin as myself and also the UserManagedIdentity from the portal.
Now whoever use that UserManagedidentity in ADF can access the entire Sql DB.I need to restrict the access at Schema level, like X people should have access to X tables and Y people should have access to Y Tables.
So how can we achieve this through usermangedIdentity ,Can we set Schema level permissions via usermanagedidentity?
The managed identity has a corresponding user in SQL, so limit their permissions are you would any other user or group.
i.e.:
GRANT SELECT ON Employees TO UserManagedIdentity;
Admin overrides all other restrictions. So as long as a user is part of Server admin, he/she can have the entire access.
For your use case, you would need to remove the managed identity from the admin group DL, create a new user within the database and grant the new user required access
I have one azure SQL server PPP with Four Database.
Database are : A , B, C and D.
And there some azure AD groups and members which have access to this PPP Server.
So all AD members having access to all four database.
but my Requirement is to give only permission to user "Ram" and restrict access from all other users for Database D.
So only user ram can access database D. Even Ram can access all other database.
How I can achieve this.
You can Alter the permission of the users or you can go to the particular Azure SQL database and remove the users from there which users are not required. Generally the Login is created in Server and users are created one each databases accordingly. If the users are created in master database then it will be difficult to restrict the permissions.
I am trying to tighten up security on connecting to our Azure SQL database by creating custom roles and users, depending on what access to the database is needed. Most of our connections are done via Google Apps Script and have previously used the admin login.
I know it is good practice to not use the db_datareader / db_datawriter roles, but I'm having connection issues whenever I use a custom roles/ users and our scripts. The custom user accounts / roles work fine in SSMS but when I use our Google Apps Script I get:
Connection URL is malformed
I know the account is authenticating because if I use the wrong password I get a different error. Additionally, the script still works fine with the original database admin account and a test account I made assigned to db_datareader role. Accounts with db_datawriter roles work fine as well. So I believe this error message has nothing to do with the actual connection URL.
There seems to be some permission granted by db_datareader / db_datawriter that allows for external scripts to connect and run and I am unsure how to replicate that. Perhaps something that to do with querying a list of the tables that the account /role has access to?
Here is a screenshot of the custom role's permissions, I have omitted database and table names, but these are all on the same database and differing tables and scalar functions that the script needs:
new role permissions
Any idea of what I can try to replicate these 'built-in' roles?
Check that your custom role resides in database scope (Expand DB in SSMS -> Security...)
Ensure your user is an assignee of the role
Check your connection string references a database name
Set the default database for the user from the user properties pane
To get the permissions of a role you could use one of the scripts in this thread.
I am brand new to Azure so please bear with me ...
Using export tool in SSMS I managed to copy all of my tables from local database to Azure.
Now the most important part, adding users and mapping them to a database is unexplained.Also adding roles to database.Maybe it is explained but I sincerely dont understand a word of it. Seen some movies on YouTube but they mostly deal with database creation. SSMS is virtually useless for the Azure task (Or at least I do not know how). Also I can not find any tool on Azure dashboard to do it with.
So can someone to me explain in plain english the functionality of this stuff.
What I could fathom is that you need to add users first to the Master database. Ok, I add user with a query:
CREATE LOGIN USER1 WITH PASSWORD = 'AG123SAL#'
So the user is added to the Master database.
Now, how do I map this user to a certain database?
How do I set what he can do?
And how do I add roles to my database and add user to role ?
This is all very hard for a total newbie ...
You can use Contained user database model,instead of old model..The way to do this is to connect to database on which you are trying to provide access to a user and run
CREATE USER mary WITH PASSWORD = 'strong_password';
to provide permissions to this user
ALTER ROLE dbmanager ADD MEMBER Mary;
Microsoft recommends this model ,when using SQLAzure since this is database as a service..Below is a quote from microsoft on same
As Microsoft evolves the SQL Database service and moves towards higher guaranteed SLAs you may be required to switch to the contained database user model and database-scoped firewall rules to attain the higher availability SLA and higher max login rates for a given database. Microsoft encourage you to consider such changes today.
If you are looking for old model of login-user based heirarchy,you can read below
to create login:
create login mary with password='password'
Now to map user to database,you need to create user and map to that login.Login to the database ,you want to provide permissions and create user
create user marydb1 from login mary;
you also can assign roles as well
ALTER ROLE dbmanager ADD MEMBER Mary;
Updated as per comment :
create role
create role rolename AUTHORIZATION db_manager*;
*:this should be user has total permissions on the database..since we may use this as base
now add permissions to that role
grant select,update,delete to rolename;
now add users
ALTER ROLE rolename ADD MEMBER username;
Look at this sql server authentication with Azure SQL Database tutorial
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-control-access-sql-authentication-get-started
In my application, I have created Agent and Role table in root database and split database federation according to its PK. Then I have created Customer table in federated database,So when I queried to customer. Then I have to use this statement.
USE FEDERATION AgentFederation(AgentId='5') WITH RESET, FILTERING=OFF
Then I have to access agent name and customer role which is on root database.So how can I access root database tables inside federation database
This is not possible on Database Level (meaning queries within single connection)!
You have to do this at application level. And you can do this in parallel - execute one query over the Federation Root to get agent names and customer roles, and another query to get data from the Federation Member.
This is the only way. This is how SQL Database Federations work.