So, I'm trying to fix logins/users permissions here ( everybody was using DBO for everything, weak passwords and etc ).
For each customer we have, I will create only one login. It will access test databases, homologation, and etc.
I will give the login these permissions:
USE [master]
GO
CREATE LOGIN [User_Customer]
WITH PASSWORD=N'Strong_Pass',
DEFAULT_DATABASE=[Customer_DB],
CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
ALTER SERVER ROLE [bulkadmin] ADD MEMBER [Customer_DB]--BULK
GO
USE Customer_DB
GO
CREATE USER [User_Customer] FOR LOGIN [User_Customer] --User
GO
ALTER ROLE [db_datareader] ADD MEMBER [User_Customer] --DR
GO
ALTER ROLE [db_datawriter] ADD MEMBER [User_Customer] --DW
GO
ALTER ROLE [db_ddladmin] ADD MEMBER [User_Customer] --DDL
GO
GRANT EXECUTE TO [User_Customer] --EXECUTE
GO
USE [master]
GO
DENY VIEW ANY database to [User_Customer] --DENY
Is there a way to create a single role, where I can only crate the role, and assign the users mapped to this login, to the role?
I don't want to sometime forget a permission and mess everything.
I appreciate any tips about how to manage logins and users better than what I'm currently doing.
(The above script is for sql 2014. It's just for you guys to get the Idea. with sql server 2008, it's a different way ( sp_addrolemember and etc ).
Best Answer
Yes you can do exactly as you said, create a
role
, add it as a member to the roles you are interested in andgrant
it permissions the same way you did it with a singleuser
:Now you can add your users to this
role
:To control what
permissions
your user has now justimpersonate
it:One tip for
SQL Server 2014
:I saw you want to deny
view any database
to yourlogins
.After such a
deny
your logins will not seedatabases
inObject Explorer
, I mean all thedatabases
included those where they are mapped to.I think it will render their work more complicated. I don't know what exactly reasons led you to this decision, but if you really need it maybe
Contained databases
appeared in2012
is the solution for you.When you make a database
contained
, it's database itself thatauthenticates
yourusers
. This way you do not needlogins
anymore, everyuser
can be created in its own database directly and will "see" only that database inObject Explorer
.More on
contained databases
here: SQL Server 2012 Contained Database Feature