I use asp.net 4 C# and entity framework 4 with MS SQL 2008. I'm trying to set up my web application locally using IIS 7.
For my website I user Asp membership provider which has installed different tables and sprocs in my db (aspnet_).
Running the script we receive this error:
The EXECUTE permission was denied on the object 'aspnet_CheckSchemaVersion', database 'XXX', schema 'dbo'. at System.Data.SqlClient.SqlConnection.OnError
How can I solve the problem?
There should be some db roles related to the membership tables, eg aspnet_profile_fullaccess. Make sure the account you're using is a member of the appropriate role.
You should NOT assign the user you connect to the DB as dbowner privilege. The account should have only the rights it needs & nothing more. If you grant dbo & someone were to exploit a flaw in your website they would have full uncontrolled access to your entire db to what they wanted - delete tables, change data at will.
I don't think you should make the user the db_owner. I had the same problem, and it was sufficient to grand the 4 roles with BasicAccess to my user + to give him EXECUTE permission on all stored proc:
GRANT EXECUTE TO [theUserName];
I know this is not ideal. One should grant EXECUTE permissions only on the required stored proc, but if you need a quick solution until you find which SP's your user needs to be able to execute, this should work.
The problem is that the User ID the application is logging in with doesn't have enough privileges in the database. It either needs to be the database owner or be granted permissions on all the aspnet_ stored procedures.
So please check the permissions in SQL server 2008 for this particular user. and if possible make this user as a dbowner.
Hope this helps...
Edit : i wanted you to make it as dbowner just to verify that there are some permission issues,once you are sure about the problem, you can assign permissions to that user. hence knowing the exact cause and the exact solution.
I agree that one can test by adding the db_owner role to verify the permission error. But should be reminded with all urgency to test only and be sure to remove the role.
Right click on the Login User >> select properties >> then User Mapping.
Looking at the SQL error provided, you can surmise this is the issue based on "Execute Permission was denied". After using db_owner role as a test and confirmation, one can then look at the various SQL statements to see what stored procedures are getting called. For example consider the following
SQL As String = "EXEC [EAC].[myStoredProcedure] " etc . . . "
After you find out the various stored procedures used by the application, you can then grant execute on those specific executes. For example, considering the following SQL.
USE DATABASE
GRANT EXECUTE ON OBJECT::EAC.myStoredProcedure
TO myRoleorUser;
Note that the EAC.myStoredProcedure mentioned in the code is found when expanding the database and then Programmability and then expand Stored Procedures.
Here is the Microsoft KB for further help on targeting the specific stored procedures on SQL server.
https://learn.microsoft.com/en-us/sql/relational-databases/stored-procedures/grant-permissions-on-a-stored-procedure?view=sql-server-2017
Related
I need to import a sql. database to Wordpress through phpMyAdmin.
Anytime I want to create a new database this error happens (#1044 - Access denied for user 'xxx' to database 'zzz').
Thanks for your help.
You can check all privileges permission of database user and also check our sql file. May be mention there "CAEATE DATABASE '*******'" if you have that then you remove that. Most of this #1044 refer you to check your database user and permission of your database. I think this suggestion will help you.
As the others have mentioned, shared hosting environments generally don't allow you to create any arbitrary database name, sometimes you're limited to only one database and sometimes it has to be a subset of your username or something. If that's the case, you'll need to edit the .sql file to force it to use the database name you've been assigned.
If that's not the case, it's likely the user you are logged in as doesn't have the privileges to create a new database, so you'll need to log in as a user that does have privileges. Perhaps you're not logged in as the user you think you are. Note that the username and host value need to match, otherwise you could be logged in as the anonymous user instead of one that has permissions (for instance, if your user account is mia with host field 127.0.0.1 but you're logged in via the socket connection to 'localhost', it doesn't match.
I need to know end date of role in Teradata. I know how I get create date
select * from dbc.rolemembers a
join dbc.allrights b
a.rolename=b.rolename
But I can't find where is the end of role. In Teradata Administrator I can't find it too. Please, can you help me?
Thank you
What you are trying to explain is an audit process for the creation of a role, the rights it was assigned and to whom the role was assigned. That is above and beyond the DCL statements to CREATE {role}, GRANT {access} TO {role}, REVOKE {access} FROM {role}, GRANT {role} TO {member}, REVOKE {role} FROM {member}, DROP {role}. It also falls outside the scope of Teradata Administrator or Teradata Studio to track that information.
If you have a security requirement that stipulates you need to track this level of detail, you can either piece it together from sufficient DBQL history or you can create a set of stored procedures that are used by your Security Administrator and/or DBA team to administer role based privileges and user administration.
Beyond that, you can also use Access Logging to track the successful or denied execution of CREATE/DROP USER, CREATE/DROP ROLE, and GRANT statements that are run outside the context of the stored procedures you have put in place to audit the administration of privileges in your environment.
I am wondering what would be the best practice to logging when a user inserts or updates some data from my ASP.NET application.
In my application I need to know which user made the change, I think I have to options:
Register my ASP.NET users into the SQL Server adding them the rights for the tables needed, and store for each of my users
individual connectionstring. Thus I could use the currently logged in
user's connectionstring when connecting to the database, so that I
could write T-SQL triggers for SELECT and UPDATE.
The other option I thought of is that I can write stored procedures that get the ASP.NET user name as input parameter and makes
the log for me, (I use only one connectionstring in the application).
After modifying the database from the application I would call this
procedure giving the currently logged in user's username.
The second option seems simpler to me, but I think that for that purpose I should choose the first option.
Go for the second option. Managing users in a database creates more of a headache for you and what happens if you have to move the database server? You would need to update all of the connection strings for all the users. It just creates an extra admin overhead.
Furthermore, if you need to log all the changes in the database then I have come up with something that I have used in the past to store all changes made to a database over time. Have a look, it might be useful.
http://richhooper.wordpress.com/2012/06/11/sql-server-row-level-versioning/
I am transitioning an application from Dev to QA. I have created an sql file to populate the database in the QA environment. In the QA environment I am using windows authentication on the db. My user has minimal permissions. I am comin up with the error
EXECUTE permission denied on object 'aspnet_CheckSchemaVersion', database 'QADB', schema 'dbo'.
when I try an log in. I noticed my db creation script has:
"CREATE ROLE [aspnet_Membership_BasicAccess] AUTHORIZATION [dbo]"
When I change the permissions of my user to dbo, the problem goes away.
I do not wish for my user to be dbo. Does anybody know what I can do to remedy this?
Grant the user the execute permission on the stored procedure, or better still, make sure the user is a member of the role and grant execute permissions to the role.
GRANT EXECUTE ON aspnet_checkscemaversion TO aspnet_membership_basicaccess
I always wonder what are the exact access rights and permissions I need to give to a sql login which I use from my asp.net application to access database. The application execute some stored procedures which insert, update and delete data into tables. I do select, delete, update directly on the tables also. Also there are some triggers.
Wonder if there is a comprehensive list of the permission matrix to help.
Well, it depends on how complicated you want to make it :-)
Simplest solution:
make your login / db user have the db_datareader role to read all tables
make your login / db user have the db_datawriter role to write all tables
As for executing stored procs, what we did is create a new custom database role "db_executor" in our database like this:
CREATE ROLE [db_executor] AUTHORIZATION [dbo]
GRANT EXECUTE TO [db_executor]
and then we grant this role to the db user as well. This new custom database role will have execute rights on all existing AND on all future stored procs/funcs in your database.
With this, your db user can read and write any table and execute any stored proc and stored func.
More complex solution:
You can of course also GRANT permissions on individual tables, views, procs, funcs to inidividual db users and/or db roles. But it can get quite messy and complicated.
Marc