Liquibase Enterprise was formerly known as Datical DB.
Roles and Permissions for Liquibase Enterprise and Azure SQL Managed Instance
See Database Users, Roles, and Passwords for a general database setup for Datical DB.
Create a Login User
Create a login user (datical_login) for databases under Datical DB management.
Step 1: Identify the appropriate permissions for the Datical Login User
You must have the VIEW SERVER STATE permission, which is required for all environments and Datical operations. The permission allows reading data from dynamic management views scoped to the server.
You can use the VIEW SERVER STATE permission to monitor the health of a server instance, tune performance, or diagnose problems.
Step 2: Grant the appropriate permissions to the Datical Login User
Make sure that you are connected to the master database and that the user you will create has access to read the metadata.
USE [master]
GO
CREATE LOGIN [datical_login] WITH PASSWORD=N'password_goes_here'
GO
GRANT VIEW SERVER STATE to [datical_login]
GO
The default Azure password complexity rules are the following: minimum length of 8 characters, minimum of 1 uppercase character, minimum of 1 lowercase character, minimum of 1 number.
Create a Database User
Create a user (datical_user) for databases under Datical DB management and assign the needed roles to the user.
Step 1: Identify the appropriate permissions for the Datical User
Datical permissions that are required for all environments:
Some of the permissions are optional depending on the criteria shown in the table.
Role/Permission | When is this required? | Description |
---|---|---|
db_owner | The role is required if you need to perform all configurations and some maintenance activities on the database. | Manages fixed-database role membership, configuration, and maintenance activities. |
db_ddladmin | The role is required if you do not connect as a database owner. | Runs any Data Definition Language (DDL) command in a database. |
db_datawriter | The role is required if you do not connect as a database owner. | Adds, deletes, or changes data in all user tables. |
db_datareader | The role is required if you do not connect as a database owner. | Reads all data from all user tables. |
VIEW DATABASE STATE | The permission is required for Datical operations. | Reads data from dynamic management views scoped to the database. |
Datical Packager permission that is required on reference database environments only:
This permission is additional to the DATICAL_ROLE permissions.
Role | When is this required? | Description |
---|---|---|
dbcreator | The role is required to create an ephemeral copy of the database. | Can create and delete databases. A member of the Also, a user with the If the database being restored does not exist, the user must have |
If you want to use Deploy Packager, assign the role of db_owner to the user. If you don’t want to use Deploy Packager, assign the roles of db_datawriter or db_datareader. Additionally, if you need to deploy the objects listed below, grant the db_ddladmin role to the user.
ALTER ANY ASSEMBLY
ALTER ANY ASYMMETRIC KEY
ALTER ANY CERTIFICATE
ALTER ANY CONTRACT
ALTER ANY DATABASE DDL TRIGGER
ALTER ANY DATABASE EVENT NOTIFICATION
ALTER ANY DATASPACE
ALTER ANY FULLTEXT CATALOG
ALTER ANY MESSAGE TYPE
ALTER ANY REMOTE SERVICE BINDING
ALTER ANY ROUTE
ALTER ANY SCHEMA
ALTER ANY SERVICE
ALTER ANY SYMMETRIC KEY
CHECKPOINT
CREATE AGGREGATE
CREATE DEFAULT
CREATE FUNCTION
CREATE PROCEDURE
CREATE QUEUE
CREATE RULE
CREATE SYNONYM
CREATE TABLE
CREATE TYPE
CREATE VIEW
CREATE XML SCHEMA COLLECTION
REFERENCES
Step 2: Grant the appropriate permissions as defined to the Datical User
See the script example to assign roles to datical_user:
USE [database_1]
GO
CREATE USER [datical_user] FOR LOGIN [datical_login]
GO
EXEC sp_addrolemember N'db_ddladmin', N'datical_user'
GO
EXEC sp_addrolemember N'db_datareader', N'datical_user'
GO
EXEC sp_addrolemember N'db_datawriter', N'datical_user'
GO
GRANT VIEW DATABASE STATE to [datical_user]
GO
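To confirm that the login and user ended up with the grants described on this page and nothing broader, the following T-SQL audit can be run by an administrator. It is an added example, not part of the Liquibase documentation; it assumes the names datical_login, datical_user and database_1 used above and that the caller can view the metadata of other principals.

```sql
-- Added example: audit what datical_login / datical_user actually hold.
-- Object names are the ones used on this page; adjust to your environment.
USE [master]
GO
-- Server-scoped grants. Expect CONNECT SQL (added by CREATE LOGIN) and
-- VIEW SERVER STATE; anything else was granted outside this procedure.
SELECT pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS sp
  ON sp.principal_id = pe.grantee_principal_id
WHERE sp.name = N'datical_login'
  AND pe.class = 100;   -- 100 = server-level permission
GO
-- dbcreator should be 1 only on reference database environments (packaging).
-- NULL means the role or login is not valid or not visible to the caller.
SELECT IS_SRVROLEMEMBER(N'dbcreator', N'datical_login') AS is_dbcreator;
GO
USE [database_1]
GO
-- Compare database role membership with the roles the script above grants.
-- Set expected = 1 for db_owner where Deploy Packager is used.
SELECT v.role_name,
       CASE
         WHEN m.is_member IS NULL THEN 'UNKNOWN (user or role not visible)'
         WHEN m.is_member = v.expected THEN 'OK'
         WHEN v.expected = 1 THEN 'MISSING'
         ELSE 'REVIEW: broader than the script above grants'
       END AS status
FROM (VALUES (N'db_ddladmin', 1), (N'db_datareader', 1),
             (N'db_datawriter', 1), (N'db_owner', 0)) AS v(role_name, expected)
CROSS APPLY (SELECT IS_ROLEMEMBER(v.role_name, N'datical_user') AS is_member) AS m;
GO
-- Database-scoped grants. Expect CONNECT (added by CREATE USER) and
-- VIEW DATABASE STATE.
SELECT pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS dp
  ON dp.principal_id = pe.grantee_principal_id
WHERE dp.name = N'datical_user'
  AND pe.class = 0;     -- 0 = database-level permission
GO
```

Rows with a state_desc of DENY, or permissions beyond those listed in the comments, indicate changes made outside the scripts on this page.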
To assign the additional role to datical_user for the reference database environments and packaging, you can use the following example: