Versions Compared

Old Version 3

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Roderick Bowser

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel1
maxLevel7

See Database Users, Roles, and Passwords for a general database setup for Datical DB. 

Create a Login User

Create a login user (datical_login) for databases under Datical DB management.

Step 1: Identify the appropriate permissions for the Datical Login User

You must have the VIEW SERVER STATE permission, which is required for all environments and Datical operations. The permission allows reading data from dynamic management views scoped to the server.

You can use the VIEW SERVER STATE permission to monitor the health of a server instance, tune performance, or diagnose problems.

Step 2: Grant the appropriate permissions to the Datical Login User

Make sure that you are connected to the master database and the user you will create has access to read the metadata.

Code Block
USE [master]
GO
CREATE LOGIN [datical_login] WITH PASSWORD=N'password_goes_hereN'
GO
GRANT VIEW SERVER STATE to [datical_login]
GO
Info

The default Azure password complexity rules are the following: minimum length of 8 characters, minimum of 1 uppercase character, minimum of 1 lowercase character, minimum of 1 number.

Create a Database User

Create a user (datical_user) for databases under Datical DB management and assign the needed roles to the user:.

Step 1: Identify the appropriate permissions for the Datical User

Datical permissions , which that are needed required for all environments.:

Info

Some of the permissions are optional depending on the criteria shown in the table.

Role/Permission

When is this required?

PermissionsDescription

db_owner

This The role is required if you need to perform all configuration configurations and some maintenance activities on the database.

Manage Manages fixed-database role membership, configuration, and maintenance activities.

db_ddladmin  

This The role is required if you do not connect as the a database owner.

Run Runs any Data Definition Language (DDL) command in a database.

db_datawriter

This The role is required if you do not connect as the a database owner.

AddAdds, deletedeletes, or change changes data in all user tables.

db_datareader

This The role is required if do not connect as the a database owner.

Read Reads all data from all user tables.db_loginmanager

This is required if grants are allowed in scripts. If you have this role, you can create and delete logins in the virtual master database.      

Perform grants to all objects in the database.

VIEW DATABASE STATE

This The permission is required for Datical operations.

Read Reads data from dynamic management views scoped to the database.

Datical packager permissions, which are Packager permission that is required on reference database environments only. These permissions are :

Info

This permission is additional to the DATICAL_ROLE permissions.

Role

When is this required?

PermissionsDescription

dbcreator

This The role is required to create an ephemeral copy of the database.   

Can create and delete databases. A member of the dbcreator role that creates a database , becomes the owner of that database, which allows that user to connect to that database as the dbo user. The dbo user has all database permissions in the database. Members of the dbcreator role do not necessarily have permission to access databases that they do not own.

Also, a user with the dbcreator role can perform database restores.

If the database being restored does not exist, the user must have CREATE DATABASE permissions to be able to execute RESTORE. If the database exists, RESTORE permissions are default to members of the sysadmin and dbcreator fixed server roles and the owner (dbo) of the database.

RESTORE permissions are given to roles in which membership information is always available to the server. You can check a fixed database role membership only when the database is accessible and undamaged, which is not always the case when RESTORE is executed. For this reason, members of the db_owner fixed database role do not have RESTORE permissions.

...

Code Block
ALTER ANY ASSEMBLY
ALTER ANY ASYMMETRIC KEY
ALTER ANY CERTIFICATE
ALTER ANY CONTRACT
ALTER ANY DATABASE DDL TRIGGER
ALTER ANY DATABASE EVENT NOTIFICATION
ALTER ANY DATASPACE
ALTER ANY FULLTEXT CATALOG
ALTER ANY MESSAGE TYPE
ALTER ANY REMOTE SERVICE BINDING
ALTER ANY ROUTE
ALTER ANY SCHEMA
ALTER ANY SERVICE
ALTER ANY SYMMETRIC KEY
CHECKPOINT
CREATE AGGREGATE
CREATE DEFAULT
CREATE FUNCTION
CREATE PROCEDURE
CREATE QUEUE
CREATE RULE
CREATE SYNONYM
CREATE TABLE
CREATE TYPE
CREATE VIEW
CREATE XML SCHEMA COLLECTION 
REFERENCES

Step 2: Grant the appropriate permissions as defined to the Datical User

Info

Additional permissions are typically added to the reference database environments.

Example See the script example to assign roles to datical_user.DATICAL_USER:

Code Block
USE [database_1]
GO
CREATE USER [datical_user] FOR LOGIN [datical_login]
GO
EXEC sp_addrolemember N'db_ddladmin', N'datical_user'
GO
EXEC sp_addrolemember N'db_datareader', N'datical_user'
GO
EXEC sp_addrolemember N'db_datawriter', N'datical_user'
GO
EXEC sp_addrolemember N'db_loginmanager', N'datical_user'
GO
GRANT VIEW DATABASE STATE to [datical_user]
GO
ALTER SERVER ROLE [db_owner] ADD MEMBER [datical_user]
GO

...

To assign the additional role to datical_user for the reference database environments and packaging only:DATICAL_USER, you can use the following example:
 Code Block
USE [database_1]
GO
EXEC sp_addrolemember N'db_owner', N'datical_user'
GO
...