Little database user account script need help...

Thread view:

Enable EMail Alerts

Start New Thread

Thread rating:

Andy - 28 Mar 2008 18:31 GMT

Hi there, I found this script on Microsoft's site for creating a Database,
User, and Account in SQL 2005, it works really well and I like it alot, does
anyone know how I can modify it to allow that user to view/edit their
database via the Microsoft SQL Server Management Studio?

I tried adding this:

set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'exec sp_addrolemember ''db_owner'', ''' +
REPLACE(@login_name, '''', '''''') + ''''
execute( @sql )

I have

declare @login_name sysname
declare @db_name sysname
declare @password sysname

SET @login_name = 'testuser'
SET @password ='testuserpw'
SET @db_name = 'testuserdb'

declare @sql nvarchar(max)

exec sp_validname @login_name
exec sp_validname @db_name

-- Creating the login
--
set @sql = 'CREATE LOGIN ' + QUOTENAME(@login_name) +
' WITH PASSWORD = ''' + REPLACE(@password, '''', '''''') + ''''
execute( @sql )
set @sql = 'ALTER LOGIN ' + QUOTENAME(@login_name)
+ ' WITH CHECK_POLICY = ON'
execute( @sql )
set @sql = 'ALTER LOGIN ' + QUOTENAME(@login_name) +
' WITH CHECK_EXPIRATION = OFF'
execute( @sql )

-- Allows the user to connect to the server
set @sql = 'GRANT CONNECT SQL TO ' + QUOTENAME(@login_name)
execute( @sql )

-- Removes the ability to select from sys.databases
set @sql = 'DENY VIEW ANY DATABASE TO ' + QUOTENAME(@login_name)
execute( @sql )

-- Creating the database
--
set @sql = 'CREATE DATABASE ' + QUOTENAME(@db_name)
execute( @sql )

set @sql = 'ALTER DATABASE ' + QUOTENAME(@db_name) +
' MODIFY FILE (NAME=''' + @db_name +
''', MAXSIZE=200, SIZE=5, FILEGROWTH=5)' -- Set max data file size
execute( @sql )
set @sql = 'ALTER DATABASE ' + QUOTENAME(@db_name) +
' MODIFY FILE (NAME=''' + @db_name +
'_log'', MAXSIZE=75, SIZE=2, FILEGROWTH=5)' -- set max log file size
execute( @sql )
set @sql = 'ALTER DATABASE ' + QUOTENAME(@db_name) +
' SET TRUSTWORTHY OFF'
execute( @sql )
set @sql = 'ALTER DATABASE ' + QUOTENAME(@db_name) +
' SET AUTO_CLOSE ON'
execute( @sql )
set @sql = 'ALTER DATABASE ' + QUOTENAME(@db_name) +
' SET AUTO_SHRINK ON'
execute( @sql )
set @sql = 'ALTER DATABASE ' + QUOTENAME(@db_name) +
' SET AUTO_UPDATE_STATISTICS ON'
execute( @sql )
set @sql = 'ALTER DATABASE ' + QUOTENAME(@db_name) +
' SET AUTO_UPDATE_STATISTICS_ASYNC ON'
execute( @sql )

set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'CREATE USER ' + QUOTENAME(@login_name) +
' FOR LOGIN ' + QUOTENAME(@login_name)
execute( @sql )

-- Create a default full-text catalog
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'CREATE FULLTEXT CATALOG [' + @db_name + '_fulltext] AS DEFAULT'
execute( @sql )

-- Set the user to use the database created
set @sql = 'ALTER LOGIN ' + QUOTENAME(@login_name) +
' WITH DEFAULT_DATABASE = ' + QUOTENAME(@db_name)
execute( @sql )

-- Add the user and configure
--
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'exec sp_addrolemember ''db_ddladmin'', ''' +
REPLACE(@login_name, '''', '''''') + ''''
execute( @sql )
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'exec sp_addrolemember ''db_datareader'', ''' +
REPLACE(@login_name, '''', '''''') + ''''
execute( @sql )
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'exec sp_addrolemember ''db_datawriter'', ''' +
REPLACE(@login_name, '''', '''''') + ''''
execute( @sql )

-- ******************************
-- Additional privledges granted
-- ******************************

-- Gives user ability control the DBO schema
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'GRANT CONTROL ON SCHEMA::dbo TO ' + QUOTENAME(@login_name)
+ ' WITH GRANT OPTION'
execute( @sql )

-- Needed to execute showplan
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'GRANT SHOWPLAN TO ' + QUOTENAME(@login_name)
execute( @sql )

-- Needed to manipulate application roles
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'GRANT ALTER ANY APPLICATION ROLE TO ' + QUOTENAME(@login_name)
execute( @sql )

-- Needed to manipulate roles
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'GRANT ALTER ANY ROLE TO ' + QUOTENAME(@login_name)
execute( @sql )

-- Needed to view definitions of objects
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'GRANT VIEW DEFINITION TO ' + QUOTENAME(@login_name)
execute( @sql )

-- Needed to create schemas
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'GRANT CREATE SCHEMA TO ' + QUOTENAME(@login_name)
execute( @sql )

-- Needed for database-level DMVs
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'GRANT VIEW DATABASE STATE TO ' + QUOTENAME(@login_name)
execute( @sql )

-- ******************************
-- Additional privledges denied
-- ******************************

-- Can be used to access the file system using SQL Server
-- credentials. (Both CREATE and ALTER.)
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'DENY ALTER ANY ASSEMBLY TO ' + QUOTENAME(@login_name)
execute( @sql )

-- Can be used to access the file system using the SQL Server
-- credentials. (Both CREATE and ALTER)
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'DENY ALTER ANY ASYMMETRIC KEY TO ' + QUOTENAME(@login_name)
execute( @sql )

-- Can be used to access the file system using the SQL Server
-- credentials. (Both CREATE and ALTER)
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'DENY ALTER ANY CERTIFICATE TO ' + QUOTENAME(@login_name)
execute( @sql )

-- Partition, filegroups
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'DENY ALTER ANY DATASPACE TO ' + QUOTENAME(@login_name)
execute( @sql )

-- Database DDL triggers
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'DENY ALTER ANY DATABASE DDL TRIGGER TO ' + QUOTENAME(@login_name)
execute( @sql )

-- Creates files for catalog
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'DENY CREATE FULLTEXT CATALOG TO ' + QUOTENAME(@login_name)
execute( @sql )

-- Can be used to rebuild catalogs and move their locations
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'DENY ALTER ANY FULLTEXT CATALOG TO ' + QUOTENAME(@login_name)
execute( @sql )

-- No need to checkpoint
set @sql = 'USE ' + QUOTENAME(@db_name) + char(10) +
'DENY CHECKPOINT TO ' + QUOTENAME(@login_name)
execute( @sql )
GO

Reply to this Message

Erland Sommarskog - 29 Mar 2008 00:26 GMT

> Hi there, I found this script on Microsoft's site for creating a
> Database, User, and Account in SQL 2005, it works really well and I like
[quoted text clipped - 8 lines]
> REPLACE(@login_name, '''', '''''') + ''''
> execute( @sql )

And? Did it work?

I'm not really sure what your question is, but you do the above a little
bit easier:

SELECT @sp_addrolemember = quotename(@db_name) + '.sys.sp_addrolemember
EXEC @sp_addrolemember db_owner, @login_name

Yes, they don't do that in the MS script, but MS does not always themselves
know of all niceties in their products.

Signature

Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

Reply to this Message

Uri Dimant - 30 Mar 2008 10:23 GMT

Erland

> SELECT @sp_addrolemember = quotename(@db_name) + '.sys.sp_addrolemember
> EXEC @sp_addrolemember db_owner, @login_name

How does this script work? I cannot run it on SS2005 sp2

>> Hi there, I found this script on Microsoft's site for creating a
>> Database, User, and Account in SQL 2005, it works really well and I like
[quoted text clipped - 20 lines]
> themselves
> know of all niceties in their products.

Reply to this Message

Erland Sommarskog - 30 Mar 2008 12:09 GMT

> Erland
>> SELECT @sp_addrolemember = quotename(@db_name) + '.sys.sp_addrolemember
>> EXEC @sp_addrolemember db_owner, @login_name
>
> How does this script work? I cannot run it on SS2005 sp2

There is a single quote missing on the first line.

The tricks are two:

1) EXEC @var runs the procedure in @var
2) EXEC some_db..sp_systemproc, runs that system procedure in the context of
the some_db database.

What happened when you tried the above?

Signature

Reply to this Message

Uri Dimant - 30 Mar 2008 12:57 GMT

Hmmm, no success
SELECT @sp_addrolemember = quotename(@db_name) + '.sys.sp_addrolemember'

EXEC @sp_addrolemember db_owner, @login_name

/*

Msg 137, Level 15, State 2, Line 1

Must declare the scalar variable "@db_name".

Msg 137, Level 15, State 2, Line 2

Must declare the scalar variable "@sp_addrolemember".

*/

DECLARE @db_name VARCHAR(50),@sp_addrolemember VARCHAR(50),@login_name
VARCHAR(50)

SELECT @sp_addrolemember = quotename(@db_name) + '.sys.sp_addrolemember'

EXEC @sp_addrolemember db_owner, @login_name

/*

Could not find stored procedure ''.

*/

>> Erland
>>> SELECT @sp_addrolemember = quotename(@db_name) +
[quoted text clipped - 13 lines]
>
> What happened when you tried the above?

Reply to this Message

Uri Dimant - 30 Mar 2008 13:03 GMT

Upps it does work . Nice

DECLARE @db_name VARCHAR(50),@sp_addrolemember VARCHAR(50),@login_name
VARCHAR(50)

SET @db_name='dbtemp'

SET @login_name='randd'

SELECT @sp_addrolemember = quotename(@db_name) + '.sys.sp_addrolemember'

EXEC @sp_addrolemember db_owner, @login_name

> Hmmm, no success
> SELECT @sp_addrolemember = quotename(@db_name) + '.sys.sp_addrolemember'
[quoted text clipped - 43 lines]
>>
>> What happened when you tried the above?

Reply to this Message

Andy - 31 Mar 2008 14:13 GMT

Erland,

Ah. No it doesn't work for me because I have set @sql = 'DENY VIEW ANY
DATABASE TO ' + QUOTENAME(@login_name)

is there a way to change it to be:

GRANT VIEW db_name to login_name ?

I've tried like 30 different combinations and looked in the books online
documentation and it didnt seem to work, and no matter how I word the script
it always creates the DB with DBO = administrator

>> Erland
>>> SELECT @sp_addrolemember = quotename(@db_name) +
[quoted text clipped - 13 lines]
>
> What happened when you tried the above?

Reply to this Message

Andy - 31 Mar 2008 14:16 GMT

Oh, and sorry if my question was ambiguous, it was: How can I make it so
that the user can view their database in the Microsoft SQL Server Management
Studio in even though I have:

set @sql = 'DENY VIEW ANY DATABASE TO ' + QUOTENAME(@login_name)

set for them.

thanks,
Andy

Reply to this Message

Erland Sommarskog - 31 Mar 2008 22:42 GMT

> Oh, and sorry if my question was ambiguous, it was: How can I make it so
> that the user can view their database in the Microsoft SQL Server
[quoted text clipped - 3 lines]
>
> set for them.

In this case, the users must be the owner of the databases.

ALTER AUTHORIZATION DATABASE::db TO someuser

Signature

Reply to this Message