The restore completes, but as soon as it's done, the domain login can no longer access the database because the database ownership is lost. (I believe because it had a different owner on the vendor's system).
Correct. While it's possible (I believe) to have the same SID (i.e. Security ID) between their system and yours (if so, it would require you creating their domain account in your domain with the SID that they provide that is the SID of the owner account on their side), most likely it's a different SID, and that is retained in the database itself.
After the restore is complete, I have to re-create the user within the database that matches up to the domain login, and make that user the owner again.
Now this doesn't sound right. Usually, if you add an SID to a database as a User, and then later try to make a Login (having that same SID) the owner of the database, you will get an error stating that the account / SID is already present in the database:
Msg 15110, Level 16, State 1, Line XXXXX
The proposed new database owner is already a user or aliased in the database.
It's possible that something is misstated here, or that I am misunderstanding something, but as we will see in a moment, it doesn't really matter.
This vendor is trusted enough that we have granted the login the "dbcreator" server role.
It's nice that you can trust them, but you don't need to do anything special for them. You can allow them to restore their database, and automatically set the owner to their domain account, and anything else that needs to happen in this process, all while removing them from the dbcreator fixed Server Role. All their login needs is the ability to connect to the instance (and they already have that), and permission to execute a single stored procedure. What stored procedure? The one I will now describe :-)
Using the wonderful awesomeness of Module Signing, you can set up a stored procedure that will a) execute the RESTORE DATABASE command, b) set their login as the owner of that database, and c) perform any other administrative steps needed for this operation, no matter what level of permissions are needed. You will never give the vendor's login any permissions except for the ability to execute this single stored procedure. The necessary permission(s) will instead be given to the stored procedure.
Assuming that you have a [Utility] (or whatever name) database for general administrative functionality, do the following:
- In the
[Utility] database:
- Add the DOMAIN\VendorLogin to the DB using
CREATE USER
- Create a
RestoreVendorDB stored procedure that does the following:
- Executes
RESTORE DATABASE [VendorDB] ...
- Executes
ALTER AUTHORIZATION ON DATABASE::[VendorDB] TO [DOMAIN\VendorLogin];
- Allow the vendor to execute the stored proc:
GRANT EXECUTE ON [dbo].[RestoreVendorDB] TO [DOMAIN\VendorLogin];
- Create a certificate using
CREATE CERTIFICATE...
- Sign the stored procedure with that certificate using
ADD SIGNATURE...
- Copy certificate (only the public key) to
[master] database using Dynamic SQL to execute CREATE CERTIFICATE with result of CERTENCODED(CERT_ID(...))
- In the
[master] DB, do the following:
- Create a login from the certificate using
CREATE LOGIN [Permission$CreateVendorDB] FROM CERTIFICATE [...];
- Add the certificate-based login to the
dbcreator role using ALTER SERVER ROLE [dbcreator] ADD MEMBER [Permission$CreateVendorDB];
- If you need an additional role and/or permission in order for the stored procedure to change the database's owner, then repeat the previous step with the appropriate role and/or
GRANT the certificate-based login the appropriate permission(s).
- Remove the vendor's login from the
dbcreator role (they no longer need that permission) using ALTER SERVER ROLE [dbcreator] DROP MEMBER [DOMAIN\VendorLogin];
If you ever alter the code in the RestoreVendorDB stored procedure, just re-sign the stored procedure (after the ALTER) using ADD SIGNATURE....
Using this approach, you not only get exactly what you were wanting, but you also end up with a more secure system ? .
For more explanation and a working example (of this concept), please see:
Safely and Easily Use High-Level Permissions Without Granting Them to Anyone: Server-level
I am reluctant to post this as an answer, because I don't have a tangible example to post with code, but I pointed Mark to Erland Sommarskog's great article, Giving Permissions through Stored Procedures, which has a section on Signing Procedures with Certificates.
Cert signing seems to be the right approach for forcing data access through a procedure without opening up all kinds of other security holes, which can happen with ownership chaining, using TRUSTWORTHY, elevating the user to a higher role, or granting them direct access to the tables (and thereby giving them a route to bypassing your procedures). I will mock up an example here as time allows (won't be today, unfortunately).
Best Answer
Before I answer this, I want to mention what Daniel eluded in his answer. You do not have a user with dbcreator role, it is a login that is member of dbcreator role. As dbcreator is a server-level role.
You can have a user denied control (Alter any schema, delete, execute, insert, select update etc) privilege whose mapped login is a member of dbcreator server-level role.
Lets do a demo of your question.
Login with a account with admin privilege. Run this statement.
Change connection to login with testDBcreator and run this.
You will get following error.
Now run this.
You get the result as expected.
I am not sure if you can run your .DACPAC with this login.