Sql-server – SQL Management Studio user permissions with multiple databases

sql serverssms

I'm trying to create SQL Management Studio user permissions for different users and different databases. I want to make sure that every user can only see one database and this user will also have to be able to backup and restore their databases. I have been playing around with the server roles and user mapping, but I cannot seem to find the right settings. With the sysdmin server role, a user is able to perform a restore, but then that user is also able to access other databases.

Best Answer

Privilege to backup the database part is straight forward.

You create 2 database:

CREATE DATABASE dbuser1
GO
CREATE DATABASE dbuser2
GO

Create 2 login:

CREATE LOGIN loginuser1 WITH PASSWORD ='Aa123456789!@#'
GO
CREATE LOGIN loginuser2 WITH PASSWORD ='Aa123456789!@#'
GO

Create 2 user from the login created above:

USE [dbuser1]
GO
CREATE USER [user1] FOR LOGIN [loginuser1]
GO
USE [dbuser2]
GO
CREATE USER [user2] FOR LOGIN [loginuser2]
GO

Make the users member of db_backupoperator in corresponding databases:

USE [dbuser1]
GO
EXEC sp_addrolemember db_backupoperator, [user1]
GO
USE [dbuser2]
GO
EXEC sp_addrolemember db_backupoperator, [user2]
GO

Now user1 can only take backup up of dbuser and user2 for dbuser2. If user2 attempt to backup dbuser1 following error message will be issued. Msg 916, Level 14, State 1, Line 1

The server principal "user2" is not able to access the database "user1" under the current security context. Msg 3013, Level 16, State 1, Line 1 BACKUP DATABASE is terminating abnormally.

For restore you have to add the users to dbcreator fixed server role. Then user2 can restore dbuser1 with REPLACE option. That is something you do not want.

There is few solution discussed here and hope you can implement one of these for restricting restore.

Related Solutions

Sql-server – After moving database (backup, restore), I have to re-add user

This is the difference between logins and users and how they relate to each other:

Logins - Instance level principals that allow an entity to connect to the SQL Server instance. They do not, by their nature, grant any access to databases on the instance. The exception to this is a login with sysadmin rights can use a database because they are sysadmin, but because of sysadmin level permissions.
Users - Database level principals that allow an entity to connect to a SQL Server database. Users are associated with logins via SIDs, creating a relationship between the two and allowing a login to connect to the instance and then use the associated user to connect to the database.

What commonly happens with SQL authenticated logins and database users on a restore is that the SIDS will be out of sync, thus breaking the relationship. This relationship must be repaired before you can connect to the database using that login, because in the eyes of SQL Server those principals are no longer connected. You can fix this with the following SQL:

ALTER USER [foo] WITH LOGIN=[foo]

You can use the following query in the context of your database to check for orphans:

select
    dp.name [user_name]
    ,dp.type_desc [user_type]
    ,isnull(sp.name,'Orhphaned!') [login_name]
    ,sp.type_desc [login_type]
from   
    sys.database_principals dp
    left join sys.server_principals sp on (dp.sid = sp.sid)
where
    dp.type in ('S','U','G')
    and dp.principal_id >4
order by sp.name

Sql-server – hide system databases sql server management studio

By default, all logins can see all databases. This is done through the "public" role. To change that, you just have to revoke the permission from the public role.

REVOKE VIEW ANY DATABASE FROM PUBLIC

However, master and tempdb will always be visible to the public role. See here for more information: VIEW ANY DATABASE Permission

As far as logins is concerned, each login can see the logins on which has been granted permissions.

Best Answer

Related Solutions

Sql-server – After moving database (backup, restore), I have to re-add user

Sql-server – hide system databases sql server management studio

Related Question