See Database Users, Roles, and Passwords for a general database setup for Datical DB.
Create a Login User
Make sure that you are connected to the master database and the user you will create has access to read the metadata.
USE [master] GO CREATE LOGIN [datical_login] WITH PASSWORD=N'password_goes_hereN' GO GRANT VIEW SERVER STATE to [datical_login] GO |
The default Azure password complexity rules are the following: minimum length of 8 characters, minimum of 1 uppercase character, minimum of 1 lowercase character, minimum of 1 number.
Create a Database User
Create a user (datical_user) for databases under Datical DB management and assign the needed roles to the user:
Step 1: Identify the appropriate permissions for the Datical User
Datical permissions, which are needed for all environments.
Some of the permissions are optional depending on the criteria shown in the table.
Role/Permission | When is this required? | Permissions |
|---|---|---|
db_owner | This is required if you need to perform all configuration and some maintenance activities on the database. | Manage fixed-database role membership, configuration, and maintenance activities. |
db_ddladmin | This is required if do not connect as the database owner. | Run any Data Definition Language (DDL) command in a database. |
db_datawriter | This is required if you do not connect as the database owner. | Add, delete, or change data in all user tables. |
db_datareader | This is required if do not connect as the database owner. | Read all data from all user tables. |
VIEW DATABASE STATE | This is required for Datical operations. | Read data from dynamic management views scoped to the database. |
Datical packager permissions, which are required on reference database environments only. These permissions are additional to the DATICAL_ROLE permissions.
Role | When is this required? | Permissions |
|---|---|---|
dbcreator | This is required to create an ephemeral copy of the database. | Can create and delete databases. A member of the Also, a user with the If the database being restored does not exist, the user must have
|
If you want to use Deploy Packager, assign the role of db_owner to the user. If you don’t want to use Deploy Packager, assign the roles of db_datawriter or db_datareader. Additionally, if you need to deploy the objects listed below, grant the db_ddladmin role to the user.
You must be connected to the database instance you want to use with Datical DB while granting permissions.
ALTER ANY ASSEMBLY ALTER ANY ASYMMETRIC KEY ALTER ANY CERTIFICATE ALTER ANY CONTRACT ALTER ANY DATABASE DDL TRIGGER ALTER ANY DATABASE EVENT NOTIFICATION ALTER ANY DATASPACE ALTER ANY FULLTEXT CATALOG ALTER ANY MESSAGE TYPE ALTER ANY REMOTE SERVICE BINDING ALTER ANY ROUTE ALTER ANY SCHEMA ALTER ANY SERVICE ALTER ANY SYMMETRIC KEY CHECKPOINT CREATE AGGREGATE CREATE DEFAULT CREATE FUNCTION CREATE PROCEDURE CREATE QUEUE CREATE RULE CREATE SYNONYM CREATE TABLE CREATE TYPE CREATE VIEW CREATE XML SCHEMA COLLECTION REFERENCES |
Step 2: Grant the appropriate permissions as defined to the Datical User
Additional permissions are typically added to the reference database environments.
Example script to assign roles to datical_user.
DATICAL_USER
USE [database_1] GO CREATE USER [datical_user] FOR LOGIN [datical_login] GO EXEC sp_addrolemember N'db_ddladmin', N'datical_user' GO EXEC sp_addrolemember N'db_datareader', N'datical_user' GO EXEC sp_addrolemember N'db_datawriter', N'datical_user' GO GRANT VIEW DATABASE STATE to [datical_user] GO |
Example script to assign additional roles to datical_user for the reference database environments and packaging only:
DATICAL_USER
USE [database_1] GO EXEC sp_addrolemember N'db_owner', N'datical_user' GO |