Sql-server – ownership of users

loginssql serversql-server-2012

Two related questions: Using SQL Server 2012, how does one find out who/what owns a user, and how can you set the ownership for users, if at all?

To add a couple of questions: 'how to' for both of the above with logins.

Best Answer

The sys.server_principals owning_principal_id is NULL except for Server Roles. Fixed Server Roles are owned by 'sa' (the server principal_id = 1) and cannot have ownership changed. You can create a new Server Role and set an owning principal using:

CREATE SERVER ROLE role_name [ AUTHORIZATION server_principal ]

The sys.database_principals Fixed Database Roles are owned by dbo (database principal_id = 1) and cannot have ownership changed. But other Database Roles can be created and assigned to an owning principal_id.

CREATE ROLE role_name [ AUTHORIZATION server_principal ]

Both the ALTER SERVER ROLE and the database level ALTER ROLE only change membership or the name of the role.

Authorizations can be changed (providing you have the needed rights) by assigning a new owning principal by using ALTER AUTHORIZATION. Example:

ALTER AUTHORIZATION ON ROLE::MyRole TO [Domain\User];

See the syntax for ALTER AUTHORIZATION at: http://msdn.microsoft.com/en-us/library/ms187359.aspx

Related Solutions

SQL Server Schema Ownership – How to Transfer Ownership of dbo Schema

Slightly different approach would be to give the schema back to the original owner/schema, instead of to dbo:

ALTER AUTHORIZATION ON SCHEMA::db_owner TO db_owner;

SQL Server – Using sp_setapprole for Creating Users and Logins

to do it correctly is not very simple, although once setup, your done.

Data users or application roles default have database scoped permissions. Database users are linked to Logins and therefore can have server wide permissions from their Login. Application roles aren't linked and can only get server wide permission by using a form of impersonation.

Any way to give these server scope permissions by means of impersonating will fail by default.This is by design.

You have 2 options:

Tell SQL Server that you as a DBA trust any user in that database to have privilegde escalation to server wide permission if impersonation is used. You acomplish this by setting the option TRUSTWORTHY to ON However if you don't fully understand what this option does first read: SQL Server 2012 Best Practice Whitepaper (Specifically page 18 and 19 about "Database Ownership and Trust")
Use signed stored procedures to accomplish your task.

I'll first give you the example of option 1:

CREATE LOGIN [appRoleProxy] WITH PASSWORD ='1234abcd!@'
GO

EXEC sp_addsrvrolemember    @loginame='appRoleProxy',
                            @rolename='securityadmin'

GO

CREATE DATABASE [Stefaan]
go

ALTER DATABASE [Stefaan] SET TRUSTWORTHY ON
GO

USE [Stefaan]
GO

--add the proxy account to the dbo role since your stored procedure will be running in the context of this account and is also accessing your user database.
ALTER ROLE [db_owner] ADD MEMBER [appRoleProxy]
GO

CREATE APPLICATION ROLE appRole WITH PASSWORD ='Passw0rd!';
GO

CREATE PROCEDURE dbo.usp_testproc 
@LoginName nvarchar(128),
@Password nvarchar(128),
@DBName nvarchar(128)
WITH EXECUTE AS 'appRoleProxy' --Impersonate a SQL server login with the proper server level permissions
AS
DECLARE @SQL varchar(max)
BEGIN
    IF NOT EXISTS ( SELECT  name
                    FROM    sys.server_principals
                    WHERE   name = @LoginName )
        BEGIN
            SET @SQL = 'CREATE LOGIN [' + @LoginName + '] WITH PASSWORD = '''
                + @Password + ''', DEFAULT_DATABASE=[' + @DBNAME
                + '], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF';
            EXECUTE(@SQL);
        END

    IF NOT EXISTS ( SELECT  name
                    FROM    sys.database_principals
                    WHERE   name = @LoginName )
        BEGIN
            SET @SQL = 'CREATE USER [' + @LoginName + '] FOR LOGIN ['
                + @LoginName + ']';
            EXECUTE(@SQL);
        END

    IF EXISTS ( SELECT  name
                FROM    sys.server_principals
                WHERE   name = @LoginName )
        BEGIN
            EXEC sp_addsrvrolemember @LoginName, 'securityadmin'
        END
END
GO

GRANT EXECUTE ON [dbo].[usp_testproc] TO [appRole]
GO


sp_setapprole   @rolename='appRole',
                @password='Passw0rd!'



EXEC usp_testproc 'testlogin','password23@','stefaan'

Now for an example of option 2 I'd like to point out a answer a gave on another question: Msg 4834 “You do not have permission to use the bulk load statement”

Best Answer

Related Solutions

SQL Server Schema Ownership – How to Transfer Ownership of dbo Schema

SQL Server – Using sp_setapprole for Creating Users and Logins

Related Question