Liquibase Enterprise was formerly known as Datical DB.

Roles and Permissions for Liquibase Enterprise on SQL Server

See Database Users, Roles, and Passwords for a general discussion of database setup for Datical DB. 

Create Login User

Ensure the user has access to read the metadata.

USE [master]
GO
CREATE LOGIN [datical_login] WITH PASSWORD=N'password_goes_here', DEFAULT_DATABASE=[datical_db], CHECK_EXPIRATION=OFF, CHECK_POLICY=ON
GO
GRANT VIEW ANY DEFINITION TO datical_login
GO

Create Database User

Create a user (datical_user) for databases under Datical DB management. Assign the needed Microsoft SQL Server fixed roles to the user. 

Step 1: Identify the appropriate permissions for the Datical User

DATICAL PERMISSIONS

  • Needed for all environments (note, some of the permissions are optional depending on criteria shown beside each one).
Role/PermissionWhen is this required?Permissions

db_ddladmin  

This is required if not connecting as the database owner.

Run any Data Definition Language (DDL) command in a database.

db_datawriter

This is required if not connecting as the database owner.

Add, delete, or change data in all user tables.

db_datareader

This is required if not connecting as the database owner.

Read all data from all user tables.

db_securityadminThis is required if grants are allowed in scripts.Perform grants to all objects in the database.
VIEW DATABASE STATEThis is required for Datical operations.Read data from dynamic management views scoped to the database.

DATICAL PACKAGER PERMISSIONS

  • Required on Reference DB environments only. These permissions are in addition to the above DATICAL_ROLE permissions.
RoleWhen is this required?Permissions
db_backupoperatorThis is required on the Reference Database if not connecting as the database owner.Perform backups of the database.
dbcreatorThis is required on the Reference Database Server if you are not a sysadmin or the database owner.

Perform database restores.

“If the database being restored does not exist, the user must have CREATE DATABASE permissions to be able to execute RESTORE. If the database exists, RESTORE permissions default to members of the sysadmin and dbcreator fixed server roles and the owner (dbo) of the database.”

“RESTORE permissions are given to roles in which membership information is always readily available to the server. Because fixed database role membership can be checked only when the database is accessible and undamaged, which is not always the case when RESTORE is executed, members of the db_owner fixed database role do not have RESTORE permissions.”

sysadminThis is required if using Ephemeral Database for MSSQL and copy without data mode. See Configure Deployment Packager to Use a SQL Server Ephemeral Database.Perform the DBCC CLONEDATABASE command to create a schema-only copy of the database.

Step 2: Grant The Appropriate Permissions As Defined Above to the Datical User

  • Note, additional permissions are typically added to the Reference DB environments as discussed above.

Example script to assign roles to datical_user.

DATICAL_USER
USE [database_1]
GO
CREATE USER [datical_user] FOR LOGIN [datical_login]
GO
EXEC sp_addrolemember N'db_ddladmin', N'datical_user'
GO
EXEC sp_addrolemember N'db_datareader', N'datical_user'
GO
EXEC sp_addrolemember N'db_datawriter', N'datical_user'
GO
EXEC sp_addrolemember N'db_securityadmin', N'datical_user'
GO
GRANT VIEW DATABASE STATE to [datical_user]
GO
ALTER SERVER ROLE [dbcreator] ADD MEMBER [datical_user]
GO

Example script to assign additional roles to datical_user for the Reference DB (and packaging) environments only.

DATICAL_USER
USE [database_1]
GO
EXEC sp_addrolemember N'db_backupoperator', N'datical_user'
GO
EXEC sp_addrolemember N'dbcreator', N'datical_user'
GO

Copyright © Liquibase 2012-2022 - Proprietary and Confidential