Sql-server – Confused Logins and Users in SQL Server

loginspermissionssql serverusers

In SQL Server, when setting permissions with a Grant statement, we do it on Users, not Logins. For example:

CREATE LOGIN login1 WITH PASSWORD = 'sssssssss';
use mydb;
CREATE USER user1 FOR LOGIN login1
grant delete on table1 to user1

So, users may or may not be able to do a certain task on a certain table.
But, when connecting to a database from JDBC and etc, we give the login name and the password (login1 and 'sssssssss' in here) in the connection string, not the User name!

So where do these grant statements show themselves?! We never mentioned User1 in the code! And, if we define two users for same login, each with different permissions, and then connect to database from JDBC, which of these user permissions are considered?

Best Answer

I am not quite sure that I understand your question clearly, so please bear with me on the issue of Logins and Users.

It appears to be, in your case, SQL Server logins and not Active Directory accounts, but they behave essentially the same within a server and database.

Also, for what it is worth, it seems that some step or steps are missing from your question. No big deal overall.

Login: (Server Level)

You might create login Login1, which has a SID of 0x14151617181920212223242526099097 and grant it some rights. These rights belong to the login.

User: (Database Level)

When you create User1 for Login1 the user inherits the same SID of 0x14151617181920212223242526099097.

So, inside your database the server login Login1 is actually executed by the database user User1 so the User is accredited with the permission.

Because, as you see, the two are really the same account. The name of the User is absolutely meaningless in terms of execution. It is the SID that matters.

Related Solutions

Sql-server – sp_setapprole and creating users / logins

to do it correctly is not very simple, although once setup, your done.

Data users or application roles default have database scoped permissions. Database users are linked to Logins and therefore can have server wide permissions from their Login. Application roles aren't linked and can only get server wide permission by using a form of impersonation.

Any way to give these server scope permissions by means of impersonating will fail by default.This is by design.

You have 2 options:

Tell SQL Server that you as a DBA trust any user in that database to have privilegde escalation to server wide permission if impersonation is used. You acomplish this by setting the option TRUSTWORTHY to ON However if you don't fully understand what this option does first read: SQL Server 2012 Best Practice Whitepaper (Specifically page 18 and 19 about "Database Ownership and Trust")
Use signed stored procedures to accomplish your task.

I'll first give you the example of option 1:

CREATE LOGIN [appRoleProxy] WITH PASSWORD ='1234abcd!@'
GO

EXEC sp_addsrvrolemember    @loginame='appRoleProxy',
                            @rolename='securityadmin'

GO

CREATE DATABASE [Stefaan]
go

ALTER DATABASE [Stefaan] SET TRUSTWORTHY ON
GO

USE [Stefaan]
GO

--add the proxy account to the dbo role since your stored procedure will be running in the context of this account and is also accessing your user database.
ALTER ROLE [db_owner] ADD MEMBER [appRoleProxy]
GO

CREATE APPLICATION ROLE appRole WITH PASSWORD ='Passw0rd!';
GO

CREATE PROCEDURE dbo.usp_testproc 
@LoginName nvarchar(128),
@Password nvarchar(128),
@DBName nvarchar(128)
WITH EXECUTE AS 'appRoleProxy' --Impersonate a SQL server login with the proper server level permissions
AS
DECLARE @SQL varchar(max)
BEGIN
    IF NOT EXISTS ( SELECT  name
                    FROM    sys.server_principals
                    WHERE   name = @LoginName )
        BEGIN
            SET @SQL = 'CREATE LOGIN [' + @LoginName + '] WITH PASSWORD = '''
                + @Password + ''', DEFAULT_DATABASE=[' + @DBNAME
                + '], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF';
            EXECUTE(@SQL);
        END

    IF NOT EXISTS ( SELECT  name
                    FROM    sys.database_principals
                    WHERE   name = @LoginName )
        BEGIN
            SET @SQL = 'CREATE USER [' + @LoginName + '] FOR LOGIN ['
                + @LoginName + ']';
            EXECUTE(@SQL);
        END

    IF EXISTS ( SELECT  name
                FROM    sys.server_principals
                WHERE   name = @LoginName )
        BEGIN
            EXEC sp_addsrvrolemember @LoginName, 'securityadmin'
        END
END
GO

GRANT EXECUTE ON [dbo].[usp_testproc] TO [appRole]
GO


sp_setapprole   @rolename='appRole',
                @password='Passw0rd!'



EXEC usp_testproc 'testlogin','password23@','stefaan'

Now for an example of option 2 I'd like to point out a answer a gave on another question: Msg 4834 “You do not have permission to use the bulk load statement”

Sql-server – Running SQL job: The login is from an untrusted domain and cannot be used with Windows authentication

The job is executed as the SQL Agent account, unless you have configured a proxy. The owner of the job is irrelevant as long as the SQL Agent account can verify that the owner is valid (still exists in AD/SQL).

Verify which account is running the job, either the SQL Agent account or the Proxy account. Then verify that account has permissions into the linked server. Or create a proxy account for this job.

Best Answer

Related Solutions

Sql-server – sp_setapprole and creating users / logins

Sql-server – Running SQL job: The login is from an untrusted domain and cannot be used with Windows authentication

Related Question