3

I want to create separate logins for each database we create on a SQL Azure database server which only have read/edit permissions for a single database and do not have drop permissions, and to automate this process as much as possible. One of the main reasons for doing this is to make sure that Entity Framework drop and recreate scripts can't accidentally run against the database.

I found the following which looks very similar to what I'm trying to do

Allow user to do anything within his own schema but not create or drop the schema itself

Am I right in thinking I need to first create a login, then create a user, then create a role and add the user to this role?

CREATE LOGIN dblogin WITH PASSWORD = 'm77hHmSk';
CREATE USER dbuser FROM LOGIN dblogin;
CREATE ROLE dbuserrole AUTHORIZATION dbo;
EXEC sp_addrolemember 'dbuserrole', 'dbuser';
CREATE SCHEMA myschema AUTHORIZATION dbo;
GRANT ALTER, DELETE, EXECUTE, INSERT, REFERENCES, SELECT, UPDATE, VIEW DEFINITION ON SCHEMA::myschema TO dbuserrole;

I've come up with the above... am I close? Where would I specify the database which can be accessed?

asked Jul 9, 2014 at 14:19
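The login / user / role / grant sequence the question lays out, assembled end to end as an added example (this is not code from the question or from either answer). The database name AppDb, the login name app_rw, the role name app_data_rw and the password placeholder are all assumptions chosen for illustration. Two points a practitioner would want spelled out: on Azure SQL Database logins live in master and USE is not supported, so the first statement runs on a connection to master and everything else runs on a connection to AppDb, which is how the target database gets "specified" (an automation script therefore needs two connections per database); and ALTER on a schema includes the right to create, alter and drop objects in that schema, so a role that must not be able to drop tables gets only the data permissions, which is also why db_owner, whose members can drop anything in the database, does not fit the stated goal.

```sql
-- Added example: least-privilege per-database user on Azure SQL Database.
-- AppDb, app_rw, app_data_rw and the password placeholder are assumed names.

-- Step 1: run while connected to the master database (logins are server-level).
CREATE LOGIN app_rw WITH PASSWORD = '<strong password here>';

-- Step 2: run while connected to AppDb. The connection selects the database;
-- Azure SQL Database does not support USE, so this cannot be a single script.
CREATE USER app_rw FOR LOGIN app_rw;

CREATE ROLE app_data_rw AUTHORIZATION dbo;
ALTER ROLE app_data_rw ADD MEMBER app_rw;

-- Data access only. ALTER and CONTROL are deliberately left out: ALTER on a
-- schema would let the member CREATE, ALTER and DROP tables inside it, which
-- is exactly what an Entity Framework drop-and-recreate script needs.
GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::dbo TO app_data_rw;

-- Step 3: check the effective permissions as that user before handing it out.
-- Neither result set should list ALTER or CONTROL.
EXECUTE AS USER = 'app_rw';
SELECT permission_name FROM fn_my_permissions('dbo', 'SCHEMA');
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
```

The final EXECUTE AS / REVERT pair is the check worth keeping in the automation: it shows what the new user can actually do in that database rather than what the script intended, so an accidental extra grant (or membership in a built-in role such as db_owner) is caught before any application connects with the login.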

2 Answers

2

Connect to master database and do the following:

CREATE LOGIN YourNewUser WITH PASSWORD = '<strong password here>';

Connect directly to database that the new user should own:

CREATE USER YourNewUser FOR LOGIN YourNewUser;
EXEC sp_addrolemember 'db_owner', 'YourNewUser';
answered Mar 10, 2015 at 20:17
1
  • Given the OP's security concerns, I would add that they could also create the user at the database level, and minimize further any "leakage". That does mean, however, that if the database is restored anywhere, the user/password will go with it. Commented Sep 12, 2019 at 12:29
0

I've found it a lot easier to work with the Azure Active Directory, instead of SQL Logins. So I've created a group called "my-developers", and added the developers to the group, then I ran this on the database:

CREATE USER [my-developers] FROM EXTERNAL PROVIDER;
ALTER ROLE db_owner ADD MEMBER [my-developers];

Then someone else can sort out the password problem. Your Grant statement looks as if it will prevent Entity Framework from damaging the database.

answered Sep 12, 2019 at 11:55
