Sql-server – Azure SQL – Setting up permissions for users

The user has to be granted permissions in the source copy of the database.

The restored copy is just that -- a copy -- of the source, so there's no way to change one and not the other.

Since this is a SQL Server login, you'll need to create the logins on both servers with identical SIDs so the mapping from the database user to the login matches in all cases. You can do this by recreating the login on the secondary, specifying the SID manually in the CREATE LOGIN statement.

If you went with a solution such as replication (not saying you should, just giving an example), this works using two read/write databases, where you could grant permissions completely independently.

Unless you have cross-database ownership chaining enabled (off by default) and have the same User in both databases, then giving access to an object in one database does not imply anything permission-wise to other databases. Of course, I am not recommending that cross-database ownership chaining be enabled, and neither is Microsoft.

Instead, you should create a certificate that can be used to sign modules and act as a proxy for permissions between the databases. The catch is that they work on stored procedures, function (non-Inline TVFs), assemblies, and triggers. But this method allows for those Users that should not have any access to the [HR] database to actually not have any access themselves: it is the code (i.e. the module) that has the access.

The basic concept:

• Create certificate in [Reporting]
• Create stored procedure in [Reporting] (that selects directly from tables in [HR])
• Use ADD SIGNATURE to sign the new stored procedure using the certificate
• Backup the certificate to a file
• Create certificate in [HR] FROM the backup file you just created (the certificate needs to be identical in both places!)
• Create user in [HR] FROM the certificate
• GRANT SELECT permission on appropriates tables in [HR] (i.e. the ones references in the new stored procedures in [Reporting]) to the new certificate-based user
• Go home and enjoy the rest of the day :)

Some resources:

• Module Signing Info
• Ownership Chains
• ADD SIGNATURE
• Signing Stored Procedures in SQL Server
• Tutorial: Signing Stored Procedures with a Certificate
• Tutorial: Ownership Chains and Context Switching

OR, if you prefer to stick with the simplicity of using views, then your views are in the wrong database. You need to instead:

• Add the appropriate User(s) to the [HR] database so that there is basic access, but do not grant any permissions to any tables (and hopefully no group or role membership will imply such permissions)
• Create the desired Views in the [HR] database
• GRANT SELECT only to these Views, and not to anything else, to these Users