I have created new user 'testUser' in Dynamics GP company lets say 'TWO', there is another database on same server which is a non GP company database lets say 'TEST'. There are few tables in TEST db which I need to read on my some Dynamics GP form. I have created a view in database 'TWO' to read records from this table.
create view TestView
as
select description from TEST..table1
GO
But when accessing this view in GP form I am getting permission error for my user testUser.
I went to SQL server and mark database 'TEST' for user testUser.
After that I get select permission message on view TestView.
after running
grant select, insert, update, delete on TestView to testUser.
I got no more issues. But is there any query by using which I will give permission to users whenever new user will be created in Dynamics GP?
You should grant the permissions to the DYNGRP role on the database.
grant select, insert, update, delete on TestView to DYNGRP.
This should give all gp Users those permissions. Any User created afterward will have those permissions.
Related
Kindly help me with SQL statement which can list the users and the role assigned to them in Sybase DB.
Need to capture users\roles who have following authorisations:
ALTER ANY TABLE
CREATE ANY TABLE
DELETE ANY TABLE
DROP ANY TABLE
GRANT ANY ROLE
UPDATE ANY TABLE
DROP ANY ROLE
GRANT ANY OBJECT PRIVILEDGE
GRANT ANY PRIVILEDGE
ALTER USER
ALTER PROFILE
ALTER DATABASE
BECOME USER
CREATE ANY RULE
DROP USER
I have below questions about schema/privilege:
May User have multiple DB roles(schema)?
What is db_denydatareader used for? (it seems can have different DB roles among databases, right?)
What are difference between db_datareader and db_denydatawriter if only want user to read data in particular database?
I tried to revoke SELECT right from schema (TestUser is with default schema db_datareader), why can it still search for tables?
REVOKE SELECT ON SCHEMA::db_datareader TO TestUser;
How can I grant select and update permissions to few tables only to user but not all tables? (i.e. no delete and insert permissions)
What are these system privileges referring to as I could not find in sys.objects table?
select * from sys.database_permissions where major_id <= 0;
Thanks.
It seems you think schemas and roles are the same but they are not the same. Roles are security membership containers, a principal can be member of a role. Schemas contain database schema bound objects, they help to group database objects together, and are owned by a principal. When you create a new user you can choose his default schema, add him to certain roles, and grant him ownership of schemas.
Members of the db_denydatareader fixed database role cannot read any data in the user tables within a database.
About the difference between db_datareader and db_denydatawriter. The db_datareader grants select permissions on all tables, and It does not affect any insert, update, delete permissions. Meanwhile db_denydatawriter denies insert, update and delete permissions on all tables, it denies permission to do any changes to any table. Even if someone was granted insert permissions directly they would still not be able to insert, because deny overrules grant. Assigning a user to the db_denydatawriter role means that they will never be able to make any changes to the database, regardless of what other permissions they have. Deny takes precedence over grant.
About question #4, you can group tables on schemas and then DENY SELECT permission over the schema to a principal or user. db_datareader is a fixed database role and it is not a schema.
DENY SELECT ON schema::[SchemaName] TO [user_name]
Similarly you can grant SELECT and UPDATE permissions over an schema on the database, that contains a group of tables.
GRANT SELECT, UPDATE on SCHEMA::SchemaName TO [user_name]
You can find the list of database roles here.
I have an azure hosted SQL database per customer. The customer is set up as a contained user to their own database with the following permissions (ALTER, CONTROL, DELETE, EXECUTE, INSERT, SELECT, UPDATE, CONNECT, VIEW DATABASE STATE).
I don't mind the customer making any changes to their database schema, but is it possible to make any changes to the logical server or access any other databases on the same server? Is the main security risk the customer creating other users on their database?
https://learn.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-2017
Thanks in advance.
If your database user is not created base on a logical server login,you don't have the permission to access multiple databases.
Please reference:
Controlling and granting database access to SQL Database and SQL Data Warehouse
As the link you provid said:
Users in a contained database that have the ALTER ANY USER permission, such as members of the db_owner and db_securityadmin fixed database roles, can grant access to the database without the knowledge or permission or the SQL Server administrator. Granting users access to a contained database increases the potential attack surface area against the whole SQL Server instance.
When the customer is creating any other database users, please be very careful about granting users the ALTER ANY USER permission.
I am brand new to Azure so please bear with me ...
Using export tool in SSMS I managed to copy all of my tables from local database to Azure.
Now the most important part, adding users and mapping them to a database is unexplained.Also adding roles to database.Maybe it is explained but I sincerely dont understand a word of it. Seen some movies on YouTube but they mostly deal with database creation. SSMS is virtually useless for the Azure task (Or at least I do not know how). Also I can not find any tool on Azure dashboard to do it with.
So can someone to me explain in plain english the functionality of this stuff.
What I could fathom is that you need to add users first to the Master database. Ok, I add user with a query:
CREATE LOGIN USER1 WITH PASSWORD = 'AG123SAL#'
So the user is added to the Master database.
Now, how do I map this user to a certain database?
How do I set what he can do?
And how do I add roles to my database and add user to role ?
This is all very hard for a total newbie ...
You can use Contained user database model,instead of old model..The way to do this is to connect to database on which you are trying to provide access to a user and run
CREATE USER mary WITH PASSWORD = 'strong_password';
to provide permissions to this user
ALTER ROLE dbmanager ADD MEMBER Mary;
Microsoft recommends this model ,when using SQLAzure since this is database as a service..Below is a quote from microsoft on same
As Microsoft evolves the SQL Database service and moves towards higher guaranteed SLAs you may be required to switch to the contained database user model and database-scoped firewall rules to attain the higher availability SLA and higher max login rates for a given database. Microsoft encourage you to consider such changes today.
If you are looking for old model of login-user based heirarchy,you can read below
to create login:
create login mary with password='password'
Now to map user to database,you need to create user and map to that login.Login to the database ,you want to provide permissions and create user
create user marydb1 from login mary;
you also can assign roles as well
ALTER ROLE dbmanager ADD MEMBER Mary;
Updated as per comment :
create role
create role rolename AUTHORIZATION db_manager*;
*:this should be user has total permissions on the database..since we may use this as base
now add permissions to that role
grant select,update,delete to rolename;
now add users
ALTER ROLE rolename ADD MEMBER username;
Look at this sql server authentication with Azure SQL Database tutorial
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-control-access-sql-authentication-get-started
I created a new role called medical administrators
My motive is to allow the user role to create/edit/delete the medical records
I went to the custom entities tab and selected "Create, Read, write, Delete, append, append to" against the custom entity.
But when the user tries to access the CRM environment they get the below message
Insufficient Permissions
You do not have permission to access these records. Contact your
Microsoft Dynamics CRM administrator.
What else should I add for the particular user group?
I provided create,read,write,delete to entities like contacts, notes etc and it started working
It is because, there are look up fields to contacts in the entity form of the medical case
Also in the customizations section give read access for Process and the below fields