From newsgrps at dalyn.co.nz Thu Feb 3 17:39:01 2011 From: newsgrps at dalyn.co.nz (David Emerson) Date: Fri, 04 Feb 2011 12:39:01 +1300 Subject: [dba-SQLServer] Running Access XP ade With Access 10 and SQL2008 upgrade Message-ID: <20110203233916.SWTF5781.mta02.xtra.co.nz@David-PC.dalyn.co.nz> I have a client who is looking at upgrading their SQL2005 to SQL2008. Currently we are running an Access XP ade connected to SQL2005. Does anyone have any experience or know if an Access XP ade will connect to an SQL2008 database Will an Access XP ade run in Access 2010? Can Access 2010 be used to create an ade? Are there any issues I should be aware of in upgrading an SQL2005 database to SQL2008? Regards David Emerson Dalyn Software Ltd Wellington, New Zealand From pcs.accessd at gmail.com Thu Feb 10 23:02:30 2011 From: pcs.accessd at gmail.com (Borge Hansen) Date: Fri, 11 Feb 2011 15:02:30 +1000 Subject: [dba-SQLServer] Restoring a SQL2008 Db with 2005 Compatibility Level back on to SQL2005 Message-ID: Hi All, I have problems doing a simple restore of a SQL2008 Db back on to an SQL2005 Server. The Db originated from the SQL2005, was restored on to SQL2008 R2, have the Compatibility level to SQL2005; haven't created any additonal object other than some views and SPs... Why do I have problems? Complains about the media being incorrectly formed ..... ?? Regards Borge From paul.hartland at googlemail.com Fri Feb 11 04:03:56 2011 From: paul.hartland at googlemail.com (Paul Hartland) Date: Fri, 11 Feb 2011 10:03:56 +0000 Subject: [dba-SQLServer] Upgrading SSRS 2005 To SSRS 2008 On Different Server Message-ID: To all, I am getting an error when reports have been migrated from SSRS 2005 to SSRS 2008 which is 'The data source 'Connection_To_AL_SQL_Genesis' cannot be found. The data source name in SSRS 2005 is actually 'Connection To AL-SQL Genesis', I looked around on the internet and apparently when migrating to SSRS 2008 any spaces and hyphens in the connection name get replaced by underscores. So I went back to the data sources on SSRS 2005 and renamed my connection to 'ConnectionToALSQLGenesis' and relinked all the reports to the new name. So then went through the process of backing up the reportserver and reportservertempdb databases, and the reporting services encryption keys, copied the files to the new server, restored the databases and the reporting services encryption keys. However I am still getting the same error message when trying to open the reports, if I go to the properties of the report and re-connect to the data source I still get the same error. However if I reload the report and connect to the data source then it works !!!!! Can anyone shed any light as to what I am doing wrong or what I need to do to resolve this, as I dont really want to reload all the reports and re-connect the data sources. -- Paul Hartland paul.hartland at googlemail.com From ab-mi at post3.tele.dk Sun Feb 13 17:19:17 2011 From: ab-mi at post3.tele.dk (Asger Blond) Date: Mon, 14 Feb 2011 00:19:17 +0100 Subject: [dba-SQLServer] List politeness - responding to answers Message-ID: <0F8BD7692AB44F10B32BD340D22E5211@abpc> Often enough I?ve seen people on this list responding questions and never getting any response as to whether their answer was helpful or not. This is not polite. And it sure isn?t getting our understanding and knowledge any further. Questioners are often busy and need quick and dirty answers. But remind that the persons responding you also are also busy. And also remind that we have a great amount of lurkers who would like to know the right answer or at least know if the answer provided is sound. So please be polite and respond to answers. Asger From ab-mi at post3.tele.dk Sun Feb 13 17:21:59 2011 From: ab-mi at post3.tele.dk (Asger Blond) Date: Mon, 14 Feb 2011 00:21:59 +0100 Subject: [dba-SQLServer] RV: Change default backup destination and reductionof log file size In-Reply-To: <7682A8AF4B3A4592BD08BB824249BFCA@abpc> References: <7682A8AF4B3A4592BD08BB824249BFCA@abpc> Message-ID: <8D95B4B18CEB4E6E852AAE29F29642C1@abpc> Was this response of any help to you? Asger -----Oprindelig meddelelse----- Fra: dba-sqlserver-bounces at databaseadvisors.com [mailto:dba-sqlserver-bounces at databaseadvisors.com] P? vegne af Asger Blond Sendt: 26. januar 2011 11:29 Til: 'Discussion concerning MS SQL Server' Emne: Re: [dba-SQLServer] Change default backup destination and reductionof log file size In SSMS rightclick the server name - choose Facets - then in BackupDirectory enter the destination folder. Notice that this will only be the default backup folder for databases you have not previously backed up - for previously backed up database you have to change the destination manually. As for reducing the log file you have to make a BACKUP LOG - a full database backup won't reduce the log file. Asger -----Oprindelig meddelelse----- Fra: dba-sqlserver-bounces at databaseadvisors.com [mailto:dba-sqlserver-bounces at databaseadvisors.com] P? vegne af Borge Hansen Sendt: 26. januar 2011 05:24 Til: Discussion concerning MS SQL Server Emne: [dba-SQLServer] Change default backup destination and reduction of log file size I recently installed the web server version of SQL 2008 R2, and as part of installation I must have specified the default backup destination folder. I've restored three SQL 2005 DBs and all is good. I moved the backup destination folder though in the file / folder system. Now whenever I do a simple full backup the Management Studio is serving up the location of the old now non existing backup folder. Simple question: How and where do I change the default backup destination setting? Also, One Db has a mdf file of 750mb and the logfile is about 500mb. How do I reduce the size of the logfile? I thought that performing a simple full backup would automatically reduce the logfile. Thanks, borge _______________________________________________ dba-SQLServer mailing list dba-SQLServer at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/dba-sqlserver http://www.databaseadvisors.com _______________________________________________ dba-SQLServer mailing list dba-SQLServer at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/dba-sqlserver http://www.databaseadvisors.com From fhtapia at gmail.com Sun Feb 13 19:05:23 2011 From: fhtapia at gmail.com (Francisco) Date: Mon, 14 Feb 2011 01:05:23 +0000 Subject: [dba-SQLServer] List politeness - responding to answers In-Reply-To: <0F8BD7692AB44F10B32BD340D22E5211@abpc> References: <0F8BD7692AB44F10B32BD340D22E5211@abpc> Message-ID: <995622360-1297645523-cardhu_decombobulator_blackberry.rim.net-558400175-@bda854.bisx.prod.on.blackberry> Agreed Sent from my mobile -----Original Message----- From: "Asger Blond" Sender: dba-sqlserver-bounces at databaseadvisors.comDate: Mon, 14 Feb 2011 00:19:17 To: 'Discussion concerning MS SQL Server'; 'Access Developers discussion and problem solving' Reply-To: Discussion concerning MS SQL Server Subject: [dba-SQLServer] List politeness - responding to answers Often enough I?ve seen people on this list responding questions and never getting any response as to whether their answer was helpful or not. This is not polite. And it sure isn?t getting our understanding and knowledge any further. Questioners are often busy and need quick and dirty answers. But remind that the persons responding you also are also busy. And also remind that we have a great amount of lurkers who would like to know the right answer or at least know if the answer provided is sound. So please be polite and respond to answers. Asger _______________________________________________ dba-SQLServer mailing list dba-SQLServer at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/dba-sqlserver http://www.databaseadvisors.com From pcs.accessd at gmail.com Mon Feb 14 00:21:11 2011 From: pcs.accessd at gmail.com (Borge Hansen) Date: Mon, 14 Feb 2011 16:21:11 +1000 Subject: [dba-SQLServer] RV: Change default backup destination and reductionof log file size In-Reply-To: <8D95B4B18CEB4E6E852AAE29F29642C1@abpc> References: <7682A8AF4B3A4592BD08BB824249BFCA@abpc> <8D95B4B18CEB4E6E852AAE29F29642C1@abpc> Message-ID: Asger, Yes, it was! Very helpful. In SSMS it's not that intuitive - and searching BOL got me nowhere. That's why this list is what it is: indispensable I've been on this list for about 10 years and it has been a life saver on many occasions. I agree that it would be a good idea to follow up with a 'problem solved' message when appropriate with a summary of the issue and how it was solved, or just a heads up when a reply was helpful. Regards Borge On Monday, February 14, 2011, Asger Blond wrote: > Was this response of any help to you? > Asger > > -----Oprindelig meddelelse----- > Fra: dba-sqlserver-bounces at databaseadvisors.com [mailto:dba-sqlserver-bounces at databaseadvisors.com] P? vegne af Asger Blond > Sendt: 26. januar 2011 11:29 > Til: 'Discussion concerning MS SQL Server' > Emne: Re: [dba-SQLServer] Change default backup destination and reductionof log file size > > In SSMS rightclick the server name - choose Facets - then in BackupDirectory enter the destination folder. > Notice that this will only be the default backup folder for databases you have not previously backed up - for previously backed up database you have to change the destination manually. > > As for reducing the log file you have to make a BACKUP LOG - a full database backup won't reduce the log file. > > Asger > > -----Oprindelig meddelelse----- > Fra: dba-sqlserver-bounces at databaseadvisors.com [mailto:dba-sqlserver-bounces at databaseadvisors.com] P? vegne af Borge Hansen > Sendt: 26. januar 2011 05:24 > Til: Discussion concerning MS SQL Server > Emne: [dba-SQLServer] Change default backup destination and reduction of log file size > > I recently installed the web server version of SQL 2008 R2, and as > part of installation I must have specified the default backup > destination folder. > I've restored three SQL 2005 DBs and all is good. > I moved the backup destination folder though in the file / folder system. > Now whenever I do a simple full backup the Management Studio is > serving up the location of the old now non existing backup folder. > Simple question: How and where do I change the default backup > destination setting? > > Also, One Db has a mdf file of 750mb and the logfile is about 500mb. > How do I reduce the size of the logfile? I thought that performing a > simple full backup would automatically reduce the logfile. > > Thanks, > borge > _______________________________________________ From jwcolby at colbyconsulting.com Sat Feb 19 13:53:30 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Sat, 19 Feb 2011 14:53:30 -0500 Subject: [dba-SQLServer] I'm getting nowhere Message-ID: <4D601FBA.5020302@colbyconsulting.com> I am getting nowhere on understanding SQL Server security. Microsoft provides us with SQL Server Express which implies that joe blow (me) is going to install / maintain it. I am not a SQL Server Admin and I cannot afford to spend the time to be one. Google is my friend. BOL is not. Except that Google is taking me to these places where I am expected to already know how this stuff works, and then wants to make me a *better* administrator. Which of course is useless because I am not an administrator at all. OTOH I am not stupid. If I could find something that started at the "This is SQL Server security" basics I could learn this stuff. Before anyone says "RTFM (BOL)" let me simply say, "not happening". I have tried BOL and it simply sucks for my level of expertise (my opinion of course). If that is your advice, simply stay out of this thread. Thanks! So... my needs: I need to set up several SQL Server databases for use by different, very small groups (5-20 people) of entirely unrelated people. What I mean by that is that each DB is for a different "company" if you will. I need to access these databases from C#. I understand the group / user paradigm. I would like to create groups and users. Specific groups can do specific things in the database, some can see data but not modify it. Some can add records in specific tables but not others. Some can run reports (view). I do *NOT* want to create windows level groups and users if I can avoid it. These are people that I do not necessarily know and I do not want to give them any rights at the machine level, and I prefer to not maintain such lists at the machine level. Unfortunately SQL Server does not seem to model Groups / users. I go into SQL Server and see a security tab. It has "logins". Is that a user? A specific ability to log in with a password? To what? The server itself? A specific database? Groups of databases? I see "roles" but these appear to be aimed at the server and none of these people are going to be doing anything at the server level. Can I safely ignore everything under the server security tab? I go to a database and I see a security tab. It has users and roles. Hmm... better (I would think). I would like to add users "under" the specific database that the user will access. So I try to add a new user but I do not see anywhere to require a password. Hmmm... I go into roles and I do not see any predefined role that looks like it would be useful to me in meeting my needs described above. If I look at "add new role" it asks for a password. The User / group model does nto assign passwords at the group level which implies that a role is not a group at the user / group paradigm. Is it just me, or is SQL Server security just... different? Am I correct in assuming that it doesn't implement a user / group paradigm? And more importantly, where can I go to get a plain, simple, English description of how this mess works? And please excuse the tone that results from my frustration. The only help documents that I have found (and I have extensive lists of bookmarked web pages) so far assume that I am an administrator. I am not, and cannot afford to become one. And yet MS pushes SQL Express as if I (non-admin) should be able to use this as a data store pool. Help! -- John W. Colby www.ColbyConsulting.com From fuller.artful at gmail.com Sat Feb 19 15:38:21 2011 From: fuller.artful at gmail.com (Arthur Fuller) Date: Sat, 19 Feb 2011 16:38:21 -0500 Subject: [dba-SQLServer] I'm getting nowhere In-Reply-To: <4D601FBA.5020302@colbyconsulting.com> References: <4D601FBA.5020302@colbyconsulting.com> Message-ID: The hierarchy goes like this: Roles -- Users What is not obvious from the docs is that you can add a role to a role. The reason you would want to do this is to "include" lower-level capabilities within a higher-level group (without bothering to have to re-define these). You can grant select, update, delete and inserts on any combination of tables, views and sprocs. The approach I typically use is to deny table access to everyone but me, and then to grant various levels of access to views and sprocs to various roles. That way, no one but you can directly hit a table. So, your bottom level might define Select capability and nothing else (to one or more views and sprocs). The next level up might permit Updates, and the next Inserts and Deletes. Actually I mean granting this privileges on the sprocs/views created for those purposes. As you move up the hierarchy, you can "stack" the abilities (i.e. add the lowest level role to the next up, and so on, until you reach the top, where the only member of that role is you. HTH, and if not feel free to ask. Arthur On Sat, Feb 19, 2011 at 2:53 PM, jwcolby wrote: > I am getting nowhere on understanding SQL Server security. Microsoft > provides us with SQL Server Express which implies that joe blow (me) is > going to install / maintain it. > > I am not a SQL Server Admin and I cannot afford to spend the time to be > one. > > Google is my friend. BOL is not. > > Except that Google is taking me to these places where I am expected to > already know how this stuff works, and then wants to make me a *better* > administrator. Which of course is useless because I am not an administrator > at all. > > OTOH I am not stupid. If I could find something that started at the "This > is SQL Server security" basics I could learn this stuff. Before anyone says > "RTFM (BOL)" let me simply say, "not happening". I have tried BOL and it > simply sucks for my level of expertise (my opinion of course). If that is > your advice, simply stay out of this thread. Thanks! > > So... my needs: > > I need to set up several SQL Server databases for use by different, very > small groups (5-20 people) of entirely unrelated people. What I mean by > that is that each DB is for a different "company" if you will. I need to > access these databases from C#. I understand the group / user paradigm. I > would like to create groups and users. Specific groups can do specific > things in the database, some can see data but not modify it. Some can add > records in specific tables but not others. Some can run reports (view). > > I do *NOT* want to create windows level groups and users if I can avoid it. > These are people that I do not necessarily know and I do not want to give > them any rights at the machine level, and I prefer to not maintain such > lists at the machine level. > > Unfortunately SQL Server does not seem to model Groups / users. I go into > SQL Server and see a security tab. It has "logins". Is that a user? A > specific ability to log in with a password? To what? The server itself? A > specific database? Groups of databases? > > I see "roles" but these appear to be aimed at the server and none of these > people are going to be doing anything at the server level. > > Can I safely ignore everything under the server security tab? > > I go to a database and I see a security tab. It has users and roles. > Hmm... better (I would think). I would like to add users "under" the > specific database that the user will access. > > So I try to add a new user but I do not see anywhere to require a password. > Hmmm... > > I go into roles and I do not see any predefined role that looks like it > would be useful to me in meeting my needs described above. If I look at > "add new role" it asks for a password. The User / group model does nto > assign passwords at the group level which implies that a role is not a group > at the user / group paradigm. > > Is it just me, or is SQL Server security just... different? Am I correct > in assuming that it doesn't implement a user / group paradigm? > > And more importantly, where can I go to get a plain, simple, English > description of how this mess works? > > And please excuse the tone that results from my frustration. The only help > documents that I have found (and I have extensive lists of bookmarked web > pages) so far assume that I am an administrator. I am not, and cannot > afford to become one. And yet MS pushes SQL Express as if I (non-admin) > should be able to use this as a data store pool. > > Help! > > -- > John W. Colby > www.ColbyConsulting.com > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > > From davidmcafee at gmail.com Sat Feb 19 16:29:13 2011 From: davidmcafee at gmail.com (David McAfee) Date: Sat, 19 Feb 2011 14:29:13 -0800 Subject: [dba-SQLServer] I'm getting nowhere Message-ID: John, I'm at a reggae fest right now and the air isn't very clear, so excuse me if I'm not very clear right now. Try something like: --Select the database USE yourdatabasenamehere --Adds the following roles to the database above EXEC sp_addrole 'Accounting' EXEC sp_addrole 'AccountingMgr' --Makes the accounting manager role a part of the --accounting role so you don't have to recreate all of those privileges EXEC sp_addrolemember 'Accounting', 'AccountingMgr' --adds an existing user to the role accounting EXEC sp_addrolemember 'Accounting', 'JColby' Look up sp_grantdbaccess and CREATE USER for more info. HTH David Sent from my Droid phone. On Feb 19, 2011 11:54 AM, "jwcolby" wrote: From jwcolby at colbyconsulting.com Sat Feb 19 18:18:04 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Sat, 19 Feb 2011 19:18:04 -0500 Subject: [dba-SQLServer] I'm getting nowhere In-Reply-To: References: <4D601FBA.5020302@colbyconsulting.com> Message-ID: <4D605DBC.3080006@colbyconsulting.com> > The hierarchy goes like this: > > Roles > -- Users But why does the user have no (apparent) password but the role does? I found a vague (to me) reference to schemas and assigning schemas to users... Now that makes sense. I assume in all this that if a user goes away I just delete the user? I don't see any way to enable / disable the user. This whole thing just seems real hokey. John W. Colby www.ColbyConsulting.com On 2/19/2011 4:38 PM, Arthur Fuller wrote: > The hierarchy goes like this: > > Roles > -- Users > > What is not obvious from the docs is that you can add a role to a role. The > reason you would want to do this is to "include" lower-level capabilities > within a higher-level group (without bothering to have to re-define these). > > You can grant select, update, delete and inserts on any combination of > tables, views and sprocs. The approach I typically use is to deny table > access to everyone but me, and then to grant various levels of access to > views and sprocs to various roles. That way, no one but you can directly hit > a table. > > So, your bottom level might define Select capability and nothing else (to > one or more views and sprocs). The next level up might permit Updates, and > the next Inserts and Deletes. Actually I mean granting this privileges on > the sprocs/views created for those purposes. > > As you move up the hierarchy, you can "stack" the abilities (i.e. add the > lowest level role to the next up, and so on, until you reach the top, where > the only member of that role is you. > > HTH, and if not feel free to ask. > Arthur > > On Sat, Feb 19, 2011 at 2:53 PM, jwcolbywrote: > >> I am getting nowhere on understanding SQL Server security. Microsoft >> provides us with SQL Server Express which implies that joe blow (me) is >> going to install / maintain it. >> >> I am not a SQL Server Admin and I cannot afford to spend the time to be >> one. >> >> Google is my friend. BOL is not. >> >> Except that Google is taking me to these places where I am expected to >> already know how this stuff works, and then wants to make me a *better* >> administrator. Which of course is useless because I am not an administrator >> at all. >> >> OTOH I am not stupid. If I could find something that started at the "This >> is SQL Server security" basics I could learn this stuff. Before anyone says >> "RTFM (BOL)" let me simply say, "not happening". I have tried BOL and it >> simply sucks for my level of expertise (my opinion of course). If that is >> your advice, simply stay out of this thread. Thanks! >> >> So... my needs: >> >> I need to set up several SQL Server databases for use by different, very >> small groups (5-20 people) of entirely unrelated people. What I mean by >> that is that each DB is for a different "company" if you will. I need to >> access these databases from C#. I understand the group / user paradigm. I >> would like to create groups and users. Specific groups can do specific >> things in the database, some can see data but not modify it. Some can add >> records in specific tables but not others. Some can run reports (view). >> >> I do *NOT* want to create windows level groups and users if I can avoid it. >> These are people that I do not necessarily know and I do not want to give >> them any rights at the machine level, and I prefer to not maintain such >> lists at the machine level. >> >> Unfortunately SQL Server does not seem to model Groups / users. I go into >> SQL Server and see a security tab. It has "logins". Is that a user? A >> specific ability to log in with a password? To what? The server itself? A >> specific database? Groups of databases? >> >> I see "roles" but these appear to be aimed at the server and none of these >> people are going to be doing anything at the server level. >> >> Can I safely ignore everything under the server security tab? >> >> I go to a database and I see a security tab. It has users and roles. >> Hmm... better (I would think). I would like to add users "under" the >> specific database that the user will access. >> >> So I try to add a new user but I do not see anywhere to require a password. >> Hmmm... >> >> I go into roles and I do not see any predefined role that looks like it >> would be useful to me in meeting my needs described above. If I look at >> "add new role" it asks for a password. The User / group model does nto >> assign passwords at the group level which implies that a role is not a group >> at the user / group paradigm. >> >> Is it just me, or is SQL Server security just... different? Am I correct >> in assuming that it doesn't implement a user / group paradigm? >> >> And more importantly, where can I go to get a plain, simple, English >> description of how this mess works? >> >> And please excuse the tone that results from my frustration. The only help >> documents that I have found (and I have extensive lists of bookmarked web >> pages) so far assume that I am an administrator. I am not, and cannot >> afford to become one. And yet MS pushes SQL Express as if I (non-admin) >> should be able to use this as a data store pool. >> >> Help! >> >> -- >> John W. Colby >> www.ColbyConsulting.com >> _______________________________________________ >> dba-SQLServer mailing list >> dba-SQLServer at databaseadvisors.com >> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver >> http://www.databaseadvisors.com >> >> > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > > From stuart at lexacorp.com.pg Sat Feb 19 18:22:49 2011 From: stuart at lexacorp.com.pg (Stuart McLachlan) Date: Sun, 20 Feb 2011 10:22:49 +1000 Subject: [dba-SQLServer] [AccessD] I'm getting nowhere In-Reply-To: <4D601FBA.5020302@colbyconsulting.com> References: <4D601FBA.5020302@colbyconsulting.com> Message-ID: <4D605ED9.11823.1EFC5774@stuart.lexacorp.com.pg> On 19 Feb 2011 at 14:53, jwcolby wrote: > If I could find something that started at the > "This is SQL Server security" basics I could learn this stuff. Maybe this will help. (This is "my" understanding of it - corrections from others welcome .) There are two levels of "Security" in SQL Server: 1. SQL Server Instance (Server name) level 2. Database level At the Instance Level, you have: 1. Server Roles 2. Logins At the Database level you have: 1. Database Roles 2. Users INSTANCE LEVEL ============== SERVER ROLES These are generic sets of "rights" which apply to the entire Instance. "Server role is used to grant server-wide privileges to a user" . Generally, use Public for all logins unless you need admin rights on the server. LOGIN To allow anyone to access SQL Server, you need to create a login at instance level for them and then define what that login can do in terms of individual databases Login = an entity that can log in to SQL Server. In your situation, you are using SQL Secruity so a Login needs a Username and Password. If using Windows/Mixed security, it could also be an Active Drectory user. Note the use of the word "entity" - not person. With SQL Security, an entity is entirely identified by the username/password pair. If you embed a standard username/password in a connection string for an application that connects to SQL Server, then that application itself is the logged in entity. Alternatively, if you collect the username/password from the person using that application and put that the in the connection string, the individual user is the entity. On creation, you can define the "Default Database" for the login - this is the one they automatically access (so your don't need to specify it in your connection string.) DATABASE LEVEL =============== DATABASE ROLE Role = a definition a what entities with that role can do in the database.. There are a number of predefined roles, which are useful for things like "read only" users but you frequently need to create your own and assign rights to specific database objects for that role. i.e. allow read only on some tables and write access on others. You can also do things like prevent users from directly writing to any tables and only allow them to run specfic stored prcedures to update data. Once you have defined a new role within the database, you can assign that role to specific users within that database. You can think of a role as similar to a Group, it defines a set of rights and you can assign roles to users in the same way you assign "group membership" to Windows users. USER Once you have created a Login, you go the relevant database ( or databases) and assign rights to that login in that database. You do that by adding the Login as a User in that database. User = The definition of what a particular login entity can do in the database. To make a specific login a user in the database, you create a new user and select the existing Login name. Note that you can give that user the same name as the Login name or use a completely different one. Unless you have a good reason, I'd use the same as the login name. You then assign Databse Roles to the User to control what the user can do in the database. -- Stuart From davidmcafee at gmail.com Sat Feb 19 18:24:16 2011 From: davidmcafee at gmail.com (David McAfee) Date: Sat, 19 Feb 2011 16:24:16 -0800 Subject: [dba-SQLServer] I'm getting nowhere In-Reply-To: <4D605DBC.3080006@colbyconsulting.com> References: <4D601FBA.5020302@colbyconsulting.com> <4D605DBC.3080006@colbyconsulting.com> Message-ID: Server logins have to already exit before you can add them as a user. See CREATE USER in Bol / msdn / Google Sent from my Droid phone. On Feb 19, 2011 4:19 PM, "jwcolby" wrote: > > The hierarchy goes like this: > > > > Roles > > -- Users > > But why does the user have no (apparent) password but the role does? > > I found a vague (to me) reference to schemas and assigning schemas to users... Now that makes sense. > > I assume in all this that if a user goes away I just delete the user? I don't see any way to enable > / disable the user. > > This whole thing just seems real hokey. > > John W. Colby > www.ColbyConsulting.com > > On 2/19/2011 4:38 PM, Arthur Fuller wrote: >> The hierarchy goes like this: >> >> Roles >> -- Users >> >> What is not obvious from the docs is that you can add a role to a role. The >> reason you would want to do this is to "include" lower-level capabilities >> within a higher-level group (without bothering to have to re-define these). >> >> You can grant select, update, delete and inserts on any combination of >> tables, views and sprocs. The approach I typically use is to deny table >> access to everyone but me, and then to grant various levels of access to >> views and sprocs to various roles. That way, no one but you can directly hit >> a table. >> >> So, your bottom level might define Select capability and nothing else (to >> one or more views and sprocs). The next level up might permit Updates, and >> the next Inserts and Deletes. Actually I mean granting this privileges on >> the sprocs/views created for those purposes. >> >> As you move up the hierarchy, you can "stack" the abilities (i.e. add the >> lowest level role to the next up, and so on, until you reach the top, where >> the only member of that role is you. >> >> HTH, and if not feel free to ask. >> Arthur >> >> On Sat, Feb 19, 2011 at 2:53 PM, jwcolbywrote: >> >>> I am getting nowhere on understanding SQL Server security. Microsoft >>> provides us with SQL Server Express which implies that joe blow (me) is >>> going to install / maintain it. >>> >>> I am not a SQL Server Admin and I cannot afford to spend the time to be >>> one. >>> >>> Google is my friend. BOL is not. >>> >>> Except that Google is taking me to these places where I am expected to >>> already know how this stuff works, and then wants to make me a *better* >>> administrator. Which of course is useless because I am not an administrator >>> at all. >>> >>> OTOH I am not stupid. If I could find something that started at the "This >>> is SQL Server security" basics I could learn this stuff. Before anyone says >>> "RTFM (BOL)" let me simply say, "not happening". I have tried BOL and it >>> simply sucks for my level of expertise (my opinion of course). If that is >>> your advice, simply stay out of this thread. Thanks! >>> >>> So... my needs: >>> >>> I need to set up several SQL Server databases for use by different, very >>> small groups (5-20 people) of entirely unrelated people. What I mean by >>> that is that each DB is for a different "company" if you will. I need to >>> access these databases from C#. I understand the group / user paradigm. I >>> would like to create groups and users. Specific groups can do specific >>> things in the database, some can see data but not modify it. Some can add >>> records in specific tables but not others. Some can run reports (view). >>> >>> I do *NOT* want to create windows level groups and users if I can avoid it. >>> These are people that I do not necessarily know and I do not want to give >>> them any rights at the machine level, and I prefer to not maintain such >>> lists at the machine level. >>> >>> Unfortunately SQL Server does not seem to model Groups / users. I go into >>> SQL Server and see a security tab. It has "logins". Is that a user? A >>> specific ability to log in with a password? To what? The server itself? A >>> specific database? Groups of databases? >>> >>> I see "roles" but these appear to be aimed at the server and none of these >>> people are going to be doing anything at the server level. >>> >>> Can I safely ignore everything under the server security tab? >>> >>> I go to a database and I see a security tab. It has users and roles. >>> Hmm... better (I would think). I would like to add users "under" the >>> specific database that the user will access. >>> >>> So I try to add a new user but I do not see anywhere to require a password. >>> Hmmm... >>> >>> I go into roles and I do not see any predefined role that looks like it >>> would be useful to me in meeting my needs described above. If I look at >>> "add new role" it asks for a password. The User / group model does nto >>> assign passwords at the group level which implies that a role is not a group >>> at the user / group paradigm. >>> >>> Is it just me, or is SQL Server security just... different? Am I correct >>> in assuming that it doesn't implement a user / group paradigm? >>> >>> And more importantly, where can I go to get a plain, simple, English >>> description of how this mess works? >>> >>> And please excuse the tone that results from my frustration. The only help >>> documents that I have found (and I have extensive lists of bookmarked web >>> pages) so far assume that I am an administrator. I am not, and cannot >>> afford to become one. And yet MS pushes SQL Express as if I (non-admin) >>> should be able to use this as a data store pool. >>> >>> Help! >>> >>> -- >>> John W. Colby >>> www.ColbyConsulting.com >>> _______________________________________________ >>> dba-SQLServer mailing list >>> dba-SQLServer at databaseadvisors.com >>> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver >>> http://www.databaseadvisors.com >>> >>> >> _______________________________________________ >> dba-SQLServer mailing list >> dba-SQLServer at databaseadvisors.com >> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver >> http://www.databaseadvisors.com >> >> > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > From jwcolby at colbyconsulting.com Sat Feb 19 19:14:52 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Sat, 19 Feb 2011 20:14:52 -0500 Subject: [dba-SQLServer] I'm getting nowhere In-Reply-To: References: <4D601FBA.5020302@colbyconsulting.com> <4D605DBC.3080006@colbyconsulting.com> Message-ID: <4D606B0C.5010608@colbyconsulting.com> > Server logins have to already exit before you can add them as a user. Are you talking about Windows users? I specifically don't want to do that. Imagine a web app where the world might come in and read a table. It makes no sense to require a windows user before database access. In my case I will have perhaps 40-80 people coming in to 3 or 4 different databases. A handful of these will be able to do "database maintenance", things like adding to list tables. Most will only be able to run reports. Some will add time sheet records. I have no intention of adding 40-80 people that I do not know to my Windows users if I can avoid it. Or are you talking about SQL Server Logins? This is my problem, everyone starts discussing this in the middle. Start with either "Go to this web page to learn this stuff" or "A server login is... and you add one by..." If I don't know what you mean by "a server login" then knowing that one needs to exist first is... not useful. John W. Colby www.ColbyConsulting.com On 2/19/2011 7:24 PM, David McAfee wrote: > Server logins have to already exit before you can add them as a user. > > See CREATE USER in Bol / msdn / Google > > Sent from my Droid phone. > On Feb 19, 2011 4:19 PM, "jwcolby" wrote: >>> The hierarchy goes like this: >>> >>> Roles >>> -- Users >> >> But why does the user have no (apparent) password but the role does? >> >> I found a vague (to me) reference to schemas and assigning schemas to > users... Now that makes sense. >> >> I assume in all this that if a user goes away I just delete the user? I > don't see any way to enable >> / disable the user. >> >> This whole thing just seems real hokey. >> >> John W. Colby >> www.ColbyConsulting.com >> >> On 2/19/2011 4:38 PM, Arthur Fuller wrote: >>> The hierarchy goes like this: >>> >>> Roles >>> -- Users >>> >>> What is not obvious from the docs is that you can add a role to a role. > The >>> reason you would want to do this is to "include" lower-level capabilities >>> within a higher-level group (without bothering to have to re-define > these). >>> >>> You can grant select, update, delete and inserts on any combination of >>> tables, views and sprocs. The approach I typically use is to deny table >>> access to everyone but me, and then to grant various levels of access to >>> views and sprocs to various roles. That way, no one but you can directly > hit >>> a table. >>> >>> So, your bottom level might define Select capability and nothing else (to >>> one or more views and sprocs). The next level up might permit Updates, > and >>> the next Inserts and Deletes. Actually I mean granting this privileges on >>> the sprocs/views created for those purposes. >>> >>> As you move up the hierarchy, you can "stack" the abilities (i.e. add the >>> lowest level role to the next up, and so on, until you reach the top, > where >>> the only member of that role is you. >>> >>> HTH, and if not feel free to ask. >>> Arthur >>> >>> On Sat, Feb 19, 2011 at 2:53 PM, jwcolby> wrote: >>> >>>> I am getting nowhere on understanding SQL Server security. Microsoft >>>> provides us with SQL Server Express which implies that joe blow (me) is >>>> going to install / maintain it. >>>> >>>> I am not a SQL Server Admin and I cannot afford to spend the time to be >>>> one. >>>> >>>> Google is my friend. BOL is not. >>>> >>>> Except that Google is taking me to these places where I am expected to >>>> already know how this stuff works, and then wants to make me a *better* >>>> administrator. Which of course is useless because I am not an > administrator >>>> at all. >>>> >>>> OTOH I am not stupid. If I could find something that started at the > "This >>>> is SQL Server security" basics I could learn this stuff. Before anyone > says >>>> "RTFM (BOL)" let me simply say, "not happening". I have tried BOL and it >>>> simply sucks for my level of expertise (my opinion of course). If that > is >>>> your advice, simply stay out of this thread. Thanks! >>>> >>>> So... my needs: >>>> >>>> I need to set up several SQL Server databases for use by different, very >>>> small groups (5-20 people) of entirely unrelated people. What I mean by >>>> that is that each DB is for a different "company" if you will. I need to >>>> access these databases from C#. I understand the group / user paradigm. > I >>>> would like to create groups and users. Specific groups can do specific >>>> things in the database, some can see data but not modify it. Some can > add >>>> records in specific tables but not others. Some can run reports (view). >>>> >>>> I do *NOT* want to create windows level groups and users if I can avoid > it. >>>> These are people that I do not necessarily know and I do not want to > give >>>> them any rights at the machine level, and I prefer to not maintain such >>>> lists at the machine level. >>>> >>>> Unfortunately SQL Server does not seem to model Groups / users. I go > into >>>> SQL Server and see a security tab. It has "logins". Is that a user? A >>>> specific ability to log in with a password? To what? The server itself? > A >>>> specific database? Groups of databases? >>>> >>>> I see "roles" but these appear to be aimed at the server and none of > these >>>> people are going to be doing anything at the server level. >>>> >>>> Can I safely ignore everything under the server security tab? >>>> >>>> I go to a database and I see a security tab. It has users and roles. >>>> Hmm... better (I would think). I would like to add users "under" the >>>> specific database that the user will access. >>>> >>>> So I try to add a new user but I do not see anywhere to require a > password. >>>> Hmmm... >>>> >>>> I go into roles and I do not see any predefined role that looks like it >>>> would be useful to me in meeting my needs described above. If I look at >>>> "add new role" it asks for a password. The User / group model does nto >>>> assign passwords at the group level which implies that a role is not a > group >>>> at the user / group paradigm. >>>> >>>> Is it just me, or is SQL Server security just... different? Am I correct >>>> in assuming that it doesn't implement a user / group paradigm? >>>> >>>> And more importantly, where can I go to get a plain, simple, English >>>> description of how this mess works? >>>> >>>> And please excuse the tone that results from my frustration. The only > help >>>> documents that I have found (and I have extensive lists of bookmarked > web >>>> pages) so far assume that I am an administrator. I am not, and cannot >>>> afford to become one. And yet MS pushes SQL Express as if I (non-admin) >>>> should be able to use this as a data store pool. >>>> >>>> Help! >>>> >>>> -- >>>> John W. Colby >>>> www.ColbyConsulting.com >>>> _______________________________________________ >>>> dba-SQLServer mailing list >>>> dba-SQLServer at databaseadvisors.com >>>> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver >>>> http://www.databaseadvisors.com >>>> >>>> >>> _______________________________________________ >>> dba-SQLServer mailing list >>> dba-SQLServer at databaseadvisors.com >>> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver >>> http://www.databaseadvisors.com >>> >>> >> _______________________________________________ >> dba-SQLServer mailing list >> dba-SQLServer at databaseadvisors.com >> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver >> http://www.databaseadvisors.com >> > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > > From stuart at lexacorp.com.pg Sat Feb 19 19:29:21 2011 From: stuart at lexacorp.com.pg (Stuart McLachlan) Date: Sun, 20 Feb 2011 11:29:21 +1000 Subject: [dba-SQLServer] I'm getting nowhere In-Reply-To: <4D606B0C.5010608@colbyconsulting.com> References: <4D601FBA.5020302@colbyconsulting.com>, , <4D606B0C.5010608@colbyconsulting.com> Message-ID: <4D606E71.19585.1F3942EC@stuart.lexacorp.com.pg> To be more explicit: "SQL Server logins have to already exist before you can add them as a Database User." Hopefully my earlier post has clarified the concept of "Server Login" for you. -- Stuart On 19 Feb 2011 at 20:14, jwcolby wrote: > > Server logins have to already exit before you can add them as a > user. > > Are you talking about Windows users? I specifically don't want to do > that. Imagine a web app where the world might come in and read a > table. It makes no sense to require a windows user before database > access. > > In my case I will have perhaps 40-80 people coming in to 3 or 4 > different databases. A handful of these will be able to do "database > maintenance", things like adding to list tables. Most will only be > able to run reports. Some will add time sheet records. > > I have no intention of adding 40-80 people that I do not know to my > Windows users if I can avoid it. > > Or are you talking about SQL Server Logins? > > This is my problem, everyone starts discussing this in the middle. > Start with either "Go to this web page to learn this stuff" or "A > server login is... and you add one by..." > > If I don't know what you mean by "a server login" then knowing that > one needs to exist first is... not useful. From jwcolby at colbyconsulting.com Sun Feb 20 06:59:37 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Sun, 20 Feb 2011 07:59:37 -0500 Subject: [dba-SQLServer] I'm getting nowhere In-Reply-To: <4D606E71.19585.1F3942EC@stuart.lexacorp.com.pg> References: <4D601FBA.5020302@colbyconsulting.com>, , <4D606B0C.5010608@colbyconsulting.com> <4D606E71.19585.1F3942EC@stuart.lexacorp.com.pg> Message-ID: <4D611039.4080807@colbyconsulting.com> Stuart, Thanks for your explanation, it does help. I'll be asking more questions later. Thanks again! John W. Colby www.ColbyConsulting.com On 2/19/2011 8:29 PM, Stuart McLachlan wrote: > To be more explicit: > > "SQL Server logins have to already exist before you can add them as a Database User." > > Hopefully my earlier post has clarified the concept of "Server Login" for you. > From jwcolby at colbyconsulting.com Fri Feb 25 15:22:56 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Fri, 25 Feb 2011 16:22:56 -0500 Subject: [dba-SQLServer] [AccessD] I'm getting nowhere In-Reply-To: <4D605ED9.11823.1EFC5774@stuart.lexacorp.com.pg> References: <4D601FBA.5020302@colbyconsulting.com> <4D605ED9.11823.1EFC5774@stuart.lexacorp.com.pg> Message-ID: <4D681DB0.5070607@colbyconsulting.com> OK, Stuart (or anyone capable) - can you walk me through this? I go into SQL Server Management Studio (Express). I click the Security folder / logins. I create a new login called DiscoApp. I select SQL Server security. I enter a password (twice). I select a default database. Now comes my first question, can this login work with many different databases? I assume I just set that in mapping? In server roles I leave it "Public" In User Mapping I select the two (so far) databases that this "user" is mapped to. In Database role membership for each database I select Public, db_DataReader and db_DataWriter. In Securables I do nothing In Status I leave "permission to connect = Grant" and "Login = enabled" Now I try to connect in my Access database and: I select New datasource. I select SQL Server as the driver I type in DiscoApp as the connection name I type in a description and select the server instance I select With SQL Server authentication and type in the username and password from above and... I get: Connection failed: SQL State 28000 SQL Server error 18452 {bunch of stuff here] Login failed for user DiscoApp. The user is not associated with a trusted SQL Server connection. And here we sit. If you have any idea what I am doing wrong, please let me know. I can go no further. Thanks, John W. Colby www.ColbyConsulting.com On 2/19/2011 7:22 PM, Stuart McLachlan wrote: > On 19 Feb 2011 at 14:53, jwcolby wrote: > >> If I could find something that started at the >> "This is SQL Server security" basics I could learn this stuff. > > Maybe this will help. > (This is "my" understanding of it - corrections from others welcome .) > > There are two levels of "Security" in SQL Server: > > 1. SQL Server Instance (Server name) level > 2. Database level > > At the Instance Level, you have: > 1. Server Roles > 2. Logins > > > At the Database level you have: > 1. Database Roles > 2. Users > > > INSTANCE LEVEL > ============== > > SERVER ROLES > These are generic sets of "rights" which apply to the entire Instance. "Server role is used to > grant server-wide privileges to a user" . Generally, use Public for all logins unless you need > admin rights on the server. > > > LOGIN > To allow anyone to access SQL Server, you need to create a login at instance level for them > and then define what that login can do in terms of individual databases > > Login = an entity that can log in to SQL Server. In your situation, you are using SQL Secruity > so a Login needs a Username and Password. If using Windows/Mixed security, it could > also be an Active Drectory user. Note the use of the word "entity" - not person. > > With SQL Security, an entity is entirely identified by the username/password pair. > > If you embed a standard username/password in a connection string for an application that > connects to SQL Server, then that application itself is the logged in entity. > > Alternatively, if you collect the username/password from the person using that application > and put that the in the connection string, the individual user is the entity. > > On creation, you can define the "Default Database" for the login - this is the one they > automatically access (so your don't need to specify it in your connection string.) > > > DATABASE LEVEL > =============== > > DATABASE ROLE > Role = a definition a what entities with that role can do in the database.. There are a number > of predefined roles, which are useful for things like "read only" users but you frequently need > to create your own and assign rights to specific database objects for that role. i.e. allow read > only on some tables and write access on others. You can also do things like prevent users > from directly writing to any tables and only allow them to run specfic stored prcedures to > update data. > > Once you have defined a new role within the database, you can assign that role to specific > users within that database. You can think of a role as similar to a Group, it defines a set of > rights and you can assign roles to users in the same way you assign "group membership" to > Windows users. > > USER > Once you have created a Login, you go the relevant database ( or databases) and assign > rights to that login in that database. You do that by adding the Login as a User in that > database. > > User = The definition of what a particular login entity can do in the database. > To make a specific login a user in the database, you create a new user and select the > existing Login name. Note that you can give that user the same name as the Login name or > use a completely different one. Unless you have a good reason, I'd use the same as the > login name. You then assign Databse Roles to the User to control what the user can do in > the database. > > > From stuart at lexacorp.com.pg Fri Feb 25 16:09:54 2011 From: stuart at lexacorp.com.pg (Stuart McLachlan) Date: Sat, 26 Feb 2011 08:09:54 +1000 Subject: [dba-SQLServer] [AccessD] I'm getting nowhere In-Reply-To: <4D681DB0.5070607@colbyconsulting.com> References: <4D601FBA.5020302@colbyconsulting.com>, <4D605ED9.11823.1EFC5774@stuart.lexacorp.com.pg>, <4D681DB0.5070607@colbyconsulting.com> Message-ID: <4D6828B2.22813.7E545A0@stuart.lexacorp.com.pg> That all sounds correct. In Management Studio, right click on the Server (top level Connection) and select Security. Make sure that "SQL Server and Windows Authentication mode" is ticked. Note that you can still create SQL Server Authenticated logins even if "Windows Authentication" is ticked - they just can't log in while that options is toggled. -- Stuart On 25 Feb 2011 at 16:22, jwcolby wrote: > OK, Stuart (or anyone capable) - can you walk me through this? > > I go into SQL Server Management Studio (Express).. > I click the Security folder / logins. > I create a new login called DiscoApp. > I select SQL Server security. > I enter a password (twice). > I select a default database. > > Now comes my first question, can this login work with many different > databases? I assume I just set that in mapping? > > In server roles I leave it "Public" > In User Mapping I select the two (so far) databases that this "user" > is mapped to. In Database role membership for each database I select > Public, db_DataReader and db_DataWriter. In Securables I do nothing In > Status I leave "permission to connect = Grant" and "Login = enabled" > > > Now I try to connect in my Access database and: > > I select New datasource. > I select SQL Server as the driver > I type in DiscoApp as the connection name > I type in a description and select the server instance > I select With SQL Server authentication and type in the username and > password from above > > and... I get: > > Connection failed: > SQL State 28000 > SQL Server error 18452 > {bunch of stuff here] Login failed for user DiscoApp. The user is not > associated with a trusted SQL Server connection. > > And here we sit. > > If you have any idea what I am doing wrong, please let me know. I can > go no further. > > Thanks, > > > John W. Colby > www.ColbyConsulting.com > > On 2/19/2011 7:22 PM, Stuart McLachlan wrote: > > On 19 Feb 2011 at 14:53, jwcolby wrote: > > > >> If I could find something that started at the > >> "This is SQL Server security" basics I could learn this stuff. > > > > Maybe this will help. > > (This is "my" understanding of it - corrections from others welcome > > .) > > > > There are two levels of "Security" in SQL Server: > > > > 1. SQL Server Instance (Server name) level > > 2. Database level > > > > At the Instance Level, you have: > > 1. Server Roles > > 2. Logins > > > > > > At the Database level you have: > > 1. Database Roles > > 2. Users > > > > > > INSTANCE LEVEL > > ============== > > > > SERVER ROLES > > These are generic sets of "rights" which apply to the entire > > Instance. "Server role is used to grant server-wide privileges to a > > user" . Generally, use Public for all logins unless you need admin > > rights on the server. > > > > > > LOGIN > > To allow anyone to access SQL Server, you need to create a login at > > instance level for them and then define what that login can do in > > terms of individual databases > > > > Login = an entity that can log in to SQL Server. In your situation, > > you are using SQL Secruity so a Login needs a Username and > > Password. If using Windows/Mixed security, it could also be an > > Active Drectory user. Note the use of the word "entity" - not > > person. > > > > With SQL Security, an entity is entirely identified by the > > username/password pair. > > > > If you embed a standard username/password in a connection string for > > an application that connects to SQL Server, then that application > > itself is the logged in entity. > > > > Alternatively, if you collect the username/password from the person > > using that application and put that the in the connection string, > > the individual user is the entity. > > > > On creation, you can define the "Default Database" for the login - > > this is the one they automatically access (so your don't need to > > specify it in your connection string.) > > > > > > DATABASE LEVEL > > =============== > > > > DATABASE ROLE > > Role = a definition a what entities with that role can do in the > > database.. There are a number of predefined roles, which are useful > > for things like "read only" users but you frequently need to create > > your own and assign rights to specific database objects for that > > role. i.e. allow read only on some tables and write access on > > others. You can also do things like prevent users from directly > > writing to any tables and only allow them to run specfic stored > > prcedures to update data. > > > > Once you have defined a new role within the database, you can > > assign that role to specific users within that database. You can > > think of a role as similar to a Group, it defines a set of rights > > and you can assign roles to users in the same way you assign "group > > membership" to Windows users. > > > > USER > > Once you have created a Login, you go the relevant database ( or > > databases) and assign rights to that login in that database. You do > > that by adding the Login as a User in that database. > > > > User = The definition of what a particular login entity can do in > > the database. To make a specific login a user in the database, you > > create a new user and select the existing Login name. Note that you > > can give that user the same name as the Login name or use a > > completely different one. Unless you have a good reason, I'd use > > the same as the login name. You then assign Databse Roles to the > > User to control what the user can do in the database. > > > > > > > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > > From jwcolby at colbyconsulting.com Fri Feb 25 20:05:59 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Fri, 25 Feb 2011 21:05:59 -0500 Subject: [dba-SQLServer] [AccessD] I'm getting nowhere In-Reply-To: <4D6828B2.22813.7E545A0@stuart.lexacorp.com.pg> References: <4D601FBA.5020302@colbyconsulting.com>, <4D605ED9.11823.1EFC5774@stuart.lexacorp.com.pg>, <4D681DB0.5070607@colbyconsulting.com> <4D6828B2.22813.7E545A0@stuart.lexacorp.com.pg> Message-ID: <4D686007.5020901@colbyconsulting.com> That was it, or at least I can now log in with SQL Server security. The server instance was set to Windows Authentication mode. Now it is mixed mode. John W. Colby www.ColbyConsulting.com On 2/25/2011 5:09 PM, Stuart McLachlan wrote: > That all sounds correct. > > In Management Studio, right click on the Server (top level Connection) and select Security. > Make sure that "SQL Server and Windows Authentication mode" is ticked. > > Note that you can still create SQL Server Authenticated logins even if "Windows > Authentication" is ticked - they just can't log in while that options is toggled. > From jwcolby at colbyconsulting.com Fri Feb 25 20:22:43 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Fri, 25 Feb 2011 21:22:43 -0500 Subject: [dba-SQLServer] I'm getting somewhere - still not sure where Message-ID: <4D6863F3.7080902@colbyconsulting.com> With Stuarts suggestion I am now able to log in as the sa, enter a password for the sa and actually do stuff. I am trying to upsize a single fairly simple table. I can create the table structure but the upsize fails immediately (and with no useful info in the miserable upsizing report) if I select to upsize the data. I am going to use the "create table structure" and then try just appending the data to see if that provides a clue. -- John W. Colby www.ColbyConsulting.com From jwcolby at colbyconsulting.com Fri Feb 25 20:28:36 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Fri, 25 Feb 2011 21:28:36 -0500 Subject: [dba-SQLServer] I'm getting somewhere In-Reply-To: <4D681DB0.5070607@colbyconsulting.com> References: <4D601FBA.5020302@colbyconsulting.com> <4D605ED9.11823.1EFC5774@stuart.lexacorp.com.pg> <4D681DB0.5070607@colbyconsulting.com> Message-ID: <4D686554.3090908@colbyconsulting.com> Well I finally got to connect and link a table. I did so by editing a DSN file and adding the username / password there. John W. Colby www.ColbyConsulting.com On 2/25/2011 4:22 PM, jwcolby wrote: > OK, Stuart (or anyone capable) - can you walk me through this? > > I go into SQL Server Management Studio (Express). > I click the Security folder / logins. > I create a new login called DiscoApp. > I select SQL Server security. > I enter a password (twice). > I select a default database. > > Now comes my first question, can this login work with many different databases? I assume I just set > that in mapping? > > In server roles I leave it "Public" > In User Mapping I select the two (so far) databases that this "user" is mapped to. > In Database role membership for each database I select Public, db_DataReader and db_DataWriter. > In Securables I do nothing > In Status I leave "permission to connect = Grant" and "Login = enabled" > > > Now I try to connect in my Access database and: > > I select New datasource. > I select SQL Server as the driver > I type in DiscoApp as the connection name > I type in a description and select the server instance > I select With SQL Server authentication and type in the username and password from above > > and... I get: > > Connection failed: > SQL State 28000 > SQL Server error 18452 > {bunch of stuff here] Login failed for user DiscoApp. The user is not associated with a trusted SQL > Server connection. > > And here we sit. > > If you have any idea what I am doing wrong, please let me know. I can go no further. > > Thanks, > > > John W. Colby > www.ColbyConsulting.com > > On 2/19/2011 7:22 PM, Stuart McLachlan wrote: >> On 19 Feb 2011 at 14:53, jwcolby wrote: >> >>> If I could find something that started at the >>> "This is SQL Server security" basics I could learn this stuff. >> >> Maybe this will help. >> (This is "my" understanding of it - corrections from others welcome .) >> >> There are two levels of "Security" in SQL Server: >> >> 1. SQL Server Instance (Server name) level >> 2. Database level >> >> At the Instance Level, you have: >> 1. Server Roles >> 2. Logins >> >> >> At the Database level you have: >> 1. Database Roles >> 2. Users >> >> >> INSTANCE LEVEL >> ============== >> >> SERVER ROLES >> These are generic sets of "rights" which apply to the entire Instance. "Server role is used to >> grant server-wide privileges to a user" . Generally, use Public for all logins unless you need >> admin rights on the server. >> >> >> LOGIN >> To allow anyone to access SQL Server, you need to create a login at instance level for them >> and then define what that login can do in terms of individual databases >> >> Login = an entity that can log in to SQL Server. In your situation, you are using SQL Secruity >> so a Login needs a Username and Password. If using Windows/Mixed security, it could >> also be an Active Drectory user. Note the use of the word "entity" - not person. >> >> With SQL Security, an entity is entirely identified by the username/password pair. >> >> If you embed a standard username/password in a connection string for an application that >> connects to SQL Server, then that application itself is the logged in entity. >> >> Alternatively, if you collect the username/password from the person using that application >> and put that the in the connection string, the individual user is the entity. >> >> On creation, you can define the "Default Database" for the login - this is the one they >> automatically access (so your don't need to specify it in your connection string.) >> >> >> DATABASE LEVEL >> =============== >> >> DATABASE ROLE >> Role = a definition a what entities with that role can do in the database.. There are a number >> of predefined roles, which are useful for things like "read only" users but you frequently need >> to create your own and assign rights to specific database objects for that role. i.e. allow read >> only on some tables and write access on others. You can also do things like prevent users >> from directly writing to any tables and only allow them to run specfic stored prcedures to >> update data. >> >> Once you have defined a new role within the database, you can assign that role to specific >> users within that database. You can think of a role as similar to a Group, it defines a set of >> rights and you can assign roles to users in the same way you assign "group membership" to >> Windows users. >> >> USER >> Once you have created a Login, you go the relevant database ( or databases) and assign >> rights to that login in that database. You do that by adding the Login as a User in that >> database. >> >> User = The definition of what a particular login entity can do in the database. >> To make a specific login a user in the database, you create a new user and select the >> existing Login name. Note that you can give that user the same name as the Login name or >> use a completely different one. Unless you have a good reason, I'd use the same as the >> login name. You then assign Databse Roles to the User to control what the user can do in >> the database. >> >> >> > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > > From jwcolby at colbyconsulting.com Fri Feb 25 20:38:14 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Fri, 25 Feb 2011 21:38:14 -0500 Subject: [dba-SQLServer] Access upsize Message-ID: <4D686796.2090503@colbyconsulting.com> Trying to upsize on the server fails with a "overflow" message. It seems this is a well known issue with Access 2000 which exists on the server. So I move to my workstation which has Access 2002 (XP). I create the table structure. i then have to remove the PK as well as the autonumber (SQL Equiv) and then try to simply append the data from Access to SQL Server. ~900K records, ~1 gig MDB size. My workstation fails with "resources exceeded". Of course my workstation only has a gig of ram running Windows XP x32. But hey, I am making progress anyway. -- John W. Colby www.ColbyConsulting.com From jwcolby at colbyconsulting.com Fri Feb 25 20:48:09 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Fri, 25 Feb 2011 21:48:09 -0500 Subject: [dba-SQLServer] Is it possible Message-ID: <4D6869E9.1050709@colbyconsulting.com> The upsize from Access to SQL Server is not going to be trivial. I might be able to zip and upload to my office where I have servers with office 2003 and Windows 2008 x64 and 16 or 32 gig RAM. However I am wondering whether it is possible to build the table structure of this one table over in SQL Server (express 2005) which (back in Access) contains an autonumber PK. In SQL Server, remove the PK as well as the autoincrement property from the table. Append the data into the table in SQL Server, then put the autoincrement / PK property back on the PK field in SQL Server. -- John W. Colby www.ColbyConsulting.com From stuart at lexacorp.com.pg Fri Feb 25 21:15:50 2011 From: stuart at lexacorp.com.pg (Stuart McLachlan) Date: Sat, 26 Feb 2011 13:15:50 +1000 Subject: [dba-SQLServer] Is it possible In-Reply-To: <4D6869E9.1050709@colbyconsulting.com> References: <4D6869E9.1050709@colbyconsulting.com> Message-ID: <4D687066.27148.8FD5C22@stuart.lexacorp.com.pg> Hi John, Yes, unlike Acces, in SQL Server you can switch autoincrement on and off regardless of whether or not there are existing records in the table. -- Stuart On 25 Feb 2011 at 21:48, jwcolby wrote: > The upsize from Access to SQL Server is not going to be trivial. I > might be able to zip and upload to my office where I have servers with > office 2003 and Windows 2008 x64 and 16 or 32 gig RAM. > > However I am wondering whether it is possible to build the table > structure of this one table over in SQL Server (express 2005) which > (back in Access) contains an autonumber PK. In SQL Server, remove the > PK as well as the autoincrement property from the table. Append the > data into the table in SQL Server, then put the autoincrement / PK > property back on the PK field in SQL Server. > > -- > John W. Colby > www.ColbyConsulting.com > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > > From jwcolby at colbyconsulting.com Fri Feb 25 21:21:44 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Fri, 25 Feb 2011 22:21:44 -0500 Subject: [dba-SQLServer] Is it possible In-Reply-To: <4D687066.27148.8FD5C22@stuart.lexacorp.com.pg> References: <4D6869E9.1050709@colbyconsulting.com> <4D687066.27148.8FD5C22@stuart.lexacorp.com.pg> Message-ID: <4D6871C8.80508@colbyconsulting.com> Cool! John W. Colby www.ColbyConsulting.com On 2/25/2011 10:15 PM, Stuart McLachlan wrote: > Hi John, > > Yes, unlike Acces, in SQL Server you can switch autoincrement on and off regardless of > whether or not there are existing records in the table. > From jwcolby at colbyconsulting.com Fri Feb 25 21:24:18 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Fri, 25 Feb 2011 22:24:18 -0500 Subject: [dba-SQLServer] Is it possible In-Reply-To: <4D687066.27148.8FD5C22@stuart.lexacorp.com.pg> References: <4D6869E9.1050709@colbyconsulting.com> <4D687066.27148.8FD5C22@stuart.lexacorp.com.pg> Message-ID: <4D687262.2080108@colbyconsulting.com> Does it just figure out the last value and start from there? John W. Colby www.ColbyConsulting.com On 2/25/2011 10:15 PM, Stuart McLachlan wrote: > Hi John, > > Yes, unlike Acces, in SQL Server you can switch autoincrement on and off regardless of > whether or not there are existing records in the table. > From stuart at lexacorp.com.pg Fri Feb 25 22:03:46 2011 From: stuart at lexacorp.com.pg (Stuart McLachlan) Date: Sat, 26 Feb 2011 14:03:46 +1000 Subject: [dba-SQLServer] Is it possible In-Reply-To: <4D687262.2080108@colbyconsulting.com> References: <4D6869E9.1050709@colbyconsulting.com>, <4D687066.27148.8FD5C22@stuart.lexacorp.com.pg>, <4D687262.2080108@colbyconsulting.com> Message-ID: <4D687BA2.24516.9293F60@stuart.lexacorp.com.pg> Basically, yes but you have lots of flexibility. If you change the column's Identity Seed to be larger than the current largest PK, it will start from that instead. (If it is smaller, it will use the current largest PK as it's start point). You can also set the size of the Increment, so you can have your PKs going up by 10 each time if you want :-) Just right click on the column, select Modify, click on Identity Specification in the lower panel and it will expand to show the various settings. -- Stuart On 25 Feb 2011 at 22:24, jwcolby wrote: > Does it just figure out the last value and start from there? > > John W. Colby > www.ColbyConsulting.com > > On 2/25/2011 10:15 PM, Stuart McLachlan wrote: > > Hi John, > > > > Yes, unlike Acces, in SQL Server you can switch autoincrement on and > > off regardless of whether or not there are existing records in the > > table. > > > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > > From stuart at lexacorp.com.pg Fri Feb 25 22:23:36 2011 From: stuart at lexacorp.com.pg (Stuart McLachlan) Date: Sat, 26 Feb 2011 14:23:36 +1000 Subject: [dba-SQLServer] Is it possible In-Reply-To: <4D687BA2.24516.9293F60@stuart.lexacorp.com.pg> References: <4D6869E9.1050709@colbyconsulting.com>, <4D687262.2080108@colbyconsulting.com>, <4D687BA2.24516.9293F60@stuart.lexacorp.com.pg> Message-ID: <4D688048.12797.93B669F@stuart.lexacorp.com.pg> I forgot to mention, it also means that you can create records with a "0" or negative values in your "autoincrement" field any time you like if you need to create special cases. That can be useful at times. -- Stuart On 26 Feb 2011 at 14:03, Stuart McLachlan wrote: > Basically, yes but you have lots of flexibility. > > If you change the column's Identity Seed to be larger than the current > largest PK, it will start from that instead. (If it is smaller, it > will use the current largest PK as it's start point). > > You can also set the size of the Increment, so you can have your PKs > going up by 10 each time if you want :-) > > Just right click on the column, select Modify, click on Identity > Specification in the lower panel and it will expand to show the > various settings. > > -- > Stuart > > On 25 Feb 2011 at 22:24, jwcolby wrote: > > > Does it just figure out the last value and start from there? > > > > John W. Colby > > www.ColbyConsulting.com > > > > On 2/25/2011 10:15 PM, Stuart McLachlan wrote: > > > Hi John, > > > > > > Yes, unlike Acces, in SQL Server you can switch autoincrement on > > > and off regardless of whether or not there are existing records in > > > the table. > > > > > _______________________________________________ > > dba-SQLServer mailing list > > dba-SQLServer at databaseadvisors.com > > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > > http://www.databaseadvisors.com > > > > > > > > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > > From jwcolby at colbyconsulting.com Mon Feb 28 17:58:15 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Mon, 28 Feb 2011 18:58:15 -0500 Subject: [dba-SQLServer] Where are foreign key constraints? Message-ID: <4D6C3697.6030708@colbyconsulting.com> I built a database diagram where i dragged and dropped my PKs out onto FKs. Now I am getting error messages like: The insert statement conflicted with the foreign key constraint... I look at the constraints folder in each table and there is no FK_ constraints listed. I assume that they are stored somewhere else? Am I doing something wrong somewhere? -- John W. Colby www.ColbyConsulting.com From michael at ddisolutions.com.au Mon Feb 28 18:26:03 2011 From: michael at ddisolutions.com.au (Michael Maddison) Date: Tue, 1 Mar 2011 11:26:03 +1100 Subject: [dba-SQLServer] Where are foreign key constraints? References: <4D6C3697.6030708@colbyconsulting.com> Message-ID: <99266C61B516644D9727F983FAFAB465046A5B@remote.ddisolutions.com.au> Hi John, In 2005, in diagram, right click the table and select relationships. You should see the FK's for that table. In object explorer, expand Tables, expand Keys... cheers Michael M From: dba-sqlserver-bounces at databaseadvisors.com [mailto:dba-sqlserver-bounces at databaseadvisors.com] On Behalf Of jwcolby Sent: Tuesday, 1 March 2011 10:58 AM To: Sqlserver-Dba Subject: [dba-SQLServer] Where are foreign key constraints? I built a database diagram where i dragged and dropped my PKs out onto FKs. Now I am getting error messages like: The insert statement conflicted with the foreign key constraint... I look at the constraints folder in each table and there is no FK_ constraints listed. I assume that they are stored somewhere else? Am I doing something wrong somewhere? -- John W. Colby www.ColbyConsulting.com _______________________________________________ dba-SQLServer mailing list dba-SQLServer at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/dba-sqlserver http://www.databaseadvisors.com ________________________________ No virus found in this message. Checked by AVG - www.avg.com Version: 10.0.1204 / Virus Database: 1435/3474 - Release Date: 02/28/11 From stuart at lexacorp.com.pg Mon Feb 28 18:43:00 2011 From: stuart at lexacorp.com.pg (Stuart McLachlan) Date: Tue, 01 Mar 2011 10:43:00 +1000 Subject: [dba-SQLServer] Where are foreign key constraints? In-Reply-To: <4D6C3697.6030708@colbyconsulting.com> References: <4D6C3697.6030708@colbyconsulting.com> Message-ID: <4D6C4114.7640.17E48C83@stuart.lexacorp.com.pg> That folder is for general constraints which you create (FieldA > x and FieldB < y) Table Relationship constraints are not stored there. Go to Database - Tables - TableName. Right click, select modify. In the right hand pane, right click and select Relationships. -- Stuart On 28 Feb 2011 at 18:58, jwcolby wrote: > I built a database diagram where i dragged and dropped my PKs out onto > FKs. Now I am getting error messages like: > > The insert statement conflicted with the foreign key constraint... > > I look at the constraints folder in each table and there is no FK_ > constraints listed. I assume that they are stored somewhere else? Am > I doing something wrong somewhere? > I > -- > John W. Colby > www.ColbyConsulting.com > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > > From stuart at lexacorp.com.pg Mon Feb 28 18:49:29 2011 From: stuart at lexacorp.com.pg (Stuart McLachlan) Date: Tue, 01 Mar 2011 10:49:29 +1000 Subject: [dba-SQLServer] Where are foreign key constraints? In-Reply-To: <99266C61B516644D9727F983FAFAB465046A5B@remote.ddisolutions.com.au> References: <4D6C3697.6030708@colbyconsulting.com>, <99266C61B516644D9727F983FAFAB465046A5B@remote.ddisolutions.com.au> Message-ID: <4D6C4299.31292.17EA7E31@stuart.lexacorp.com.pg> Yep, that works too. On 1 Mar 2011 at 11:26, Michael Maddison wrote: > > In object explorer, expand Tables, expand Keys... > From michael at ddisolutions.com.au Mon Feb 28 18:52:49 2011 From: michael at ddisolutions.com.au (Michael Maddison) Date: Tue, 1 Mar 2011 11:52:49 +1100 Subject: [dba-SQLServer] Where are foreign key constraints? References: <4D6C3697.6030708@colbyconsulting.com>, <99266C61B516644D9727F983FAFAB465046A5B@remote.ddisolutions.com.au> <4D6C4299.31292.17EA7E31@stuart.lexacorp.com.pg> Message-ID: <99266C61B516644D9727F983FAFAB465046A5F@remote.ddisolutions.com.au> Hey it's MS so there HAS to be at least 3 ways to do any task... MM Yep, that works too. On 1 Mar 2011 at 11:26, Michael Maddison wrote: > > In object explorer, expand Tables, expand Keys... > _______________________________________________ dba-SQLServer mailing list dba-SQLServer at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/dba-sqlserver http://www.databaseadvisors.com ________________________________ No virus found in this message. Checked by AVG - www.avg.com Version: 10.0.1204 / Virus Database: 1435/3474 - Release Date: 02/28/11 From newsgrps at dalyn.co.nz Thu Feb 3 17:39:01 2011 From: newsgrps at dalyn.co.nz (David Emerson) Date: Fri, 04 Feb 2011 12:39:01 +1300 Subject: [dba-SQLServer] Running Access XP ade With Access 10 and SQL2008 upgrade Message-ID: <20110203233916.SWTF5781.mta02.xtra.co.nz@David-PC.dalyn.co.nz> I have a client who is looking at upgrading their SQL2005 to SQL2008. Currently we are running an Access XP ade connected to SQL2005. Does anyone have any experience or know if an Access XP ade will connect to an SQL2008 database Will an Access XP ade run in Access 2010? Can Access 2010 be used to create an ade? Are there any issues I should be aware of in upgrading an SQL2005 database to SQL2008? Regards David Emerson Dalyn Software Ltd Wellington, New Zealand From pcs.accessd at gmail.com Thu Feb 10 23:02:30 2011 From: pcs.accessd at gmail.com (Borge Hansen) Date: Fri, 11 Feb 2011 15:02:30 +1000 Subject: [dba-SQLServer] Restoring a SQL2008 Db with 2005 Compatibility Level back on to SQL2005 Message-ID: Hi All, I have problems doing a simple restore of a SQL2008 Db back on to an SQL2005 Server. The Db originated from the SQL2005, was restored on to SQL2008 R2, have the Compatibility level to SQL2005; haven't created any additonal object other than some views and SPs... Why do I have problems? Complains about the media being incorrectly formed ..... ?? Regards Borge From paul.hartland at googlemail.com Fri Feb 11 04:03:56 2011 From: paul.hartland at googlemail.com (Paul Hartland) Date: Fri, 11 Feb 2011 10:03:56 +0000 Subject: [dba-SQLServer] Upgrading SSRS 2005 To SSRS 2008 On Different Server Message-ID: To all, I am getting an error when reports have been migrated from SSRS 2005 to SSRS 2008 which is 'The data source 'Connection_To_AL_SQL_Genesis' cannot be found. The data source name in SSRS 2005 is actually 'Connection To AL-SQL Genesis', I looked around on the internet and apparently when migrating to SSRS 2008 any spaces and hyphens in the connection name get replaced by underscores. So I went back to the data sources on SSRS 2005 and renamed my connection to 'ConnectionToALSQLGenesis' and relinked all the reports to the new name. So then went through the process of backing up the reportserver and reportservertempdb databases, and the reporting services encryption keys, copied the files to the new server, restored the databases and the reporting services encryption keys. However I am still getting the same error message when trying to open the reports, if I go to the properties of the report and re-connect to the data source I still get the same error. However if I reload the report and connect to the data source then it works !!!!! Can anyone shed any light as to what I am doing wrong or what I need to do to resolve this, as I dont really want to reload all the reports and re-connect the data sources. -- Paul Hartland paul.hartland at googlemail.com From ab-mi at post3.tele.dk Sun Feb 13 17:19:17 2011 From: ab-mi at post3.tele.dk (Asger Blond) Date: Mon, 14 Feb 2011 00:19:17 +0100 Subject: [dba-SQLServer] List politeness - responding to answers Message-ID: <0F8BD7692AB44F10B32BD340D22E5211@abpc> Often enough I?ve seen people on this list responding questions and never getting any response as to whether their answer was helpful or not. This is not polite. And it sure isn?t getting our understanding and knowledge any further. Questioners are often busy and need quick and dirty answers. But remind that the persons responding you also are also busy. And also remind that we have a great amount of lurkers who would like to know the right answer or at least know if the answer provided is sound. So please be polite and respond to answers. Asger From ab-mi at post3.tele.dk Sun Feb 13 17:21:59 2011 From: ab-mi at post3.tele.dk (Asger Blond) Date: Mon, 14 Feb 2011 00:21:59 +0100 Subject: [dba-SQLServer] RV: Change default backup destination and reductionof log file size In-Reply-To: <7682A8AF4B3A4592BD08BB824249BFCA@abpc> References: <7682A8AF4B3A4592BD08BB824249BFCA@abpc> Message-ID: <8D95B4B18CEB4E6E852AAE29F29642C1@abpc> Was this response of any help to you? Asger -----Oprindelig meddelelse----- Fra: dba-sqlserver-bounces at databaseadvisors.com [mailto:dba-sqlserver-bounces at databaseadvisors.com] P? vegne af Asger Blond Sendt: 26. januar 2011 11:29 Til: 'Discussion concerning MS SQL Server' Emne: Re: [dba-SQLServer] Change default backup destination and reductionof log file size In SSMS rightclick the server name - choose Facets - then in BackupDirectory enter the destination folder. Notice that this will only be the default backup folder for databases you have not previously backed up - for previously backed up database you have to change the destination manually. As for reducing the log file you have to make a BACKUP LOG - a full database backup won't reduce the log file. Asger -----Oprindelig meddelelse----- Fra: dba-sqlserver-bounces at databaseadvisors.com [mailto:dba-sqlserver-bounces at databaseadvisors.com] P? vegne af Borge Hansen Sendt: 26. januar 2011 05:24 Til: Discussion concerning MS SQL Server Emne: [dba-SQLServer] Change default backup destination and reduction of log file size I recently installed the web server version of SQL 2008 R2, and as part of installation I must have specified the default backup destination folder. I've restored three SQL 2005 DBs and all is good. I moved the backup destination folder though in the file / folder system. Now whenever I do a simple full backup the Management Studio is serving up the location of the old now non existing backup folder. Simple question: How and where do I change the default backup destination setting? Also, One Db has a mdf file of 750mb and the logfile is about 500mb. How do I reduce the size of the logfile? I thought that performing a simple full backup would automatically reduce the logfile. Thanks, borge _______________________________________________ dba-SQLServer mailing list dba-SQLServer at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/dba-sqlserver http://www.databaseadvisors.com _______________________________________________ dba-SQLServer mailing list dba-SQLServer at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/dba-sqlserver http://www.databaseadvisors.com From fhtapia at gmail.com Sun Feb 13 19:05:23 2011 From: fhtapia at gmail.com (Francisco) Date: Mon, 14 Feb 2011 01:05:23 +0000 Subject: [dba-SQLServer] List politeness - responding to answers In-Reply-To: <0F8BD7692AB44F10B32BD340D22E5211@abpc> References: <0F8BD7692AB44F10B32BD340D22E5211@abpc> Message-ID: <995622360-1297645523-cardhu_decombobulator_blackberry.rim.net-558400175-@bda854.bisx.prod.on.blackberry> Agreed Sent from my mobile -----Original Message----- From: "Asger Blond" Sender: dba-sqlserver-bounces at databaseadvisors.comDate: Mon, 14 Feb 2011 00:19:17 To: 'Discussion concerning MS SQL Server'; 'Access Developers discussion and problem solving' Reply-To: Discussion concerning MS SQL Server Subject: [dba-SQLServer] List politeness - responding to answers Often enough I?ve seen people on this list responding questions and never getting any response as to whether their answer was helpful or not. This is not polite. And it sure isn?t getting our understanding and knowledge any further. Questioners are often busy and need quick and dirty answers. But remind that the persons responding you also are also busy. And also remind that we have a great amount of lurkers who would like to know the right answer or at least know if the answer provided is sound. So please be polite and respond to answers. Asger _______________________________________________ dba-SQLServer mailing list dba-SQLServer at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/dba-sqlserver http://www.databaseadvisors.com From pcs.accessd at gmail.com Mon Feb 14 00:21:11 2011 From: pcs.accessd at gmail.com (Borge Hansen) Date: Mon, 14 Feb 2011 16:21:11 +1000 Subject: [dba-SQLServer] RV: Change default backup destination and reductionof log file size In-Reply-To: <8D95B4B18CEB4E6E852AAE29F29642C1@abpc> References: <7682A8AF4B3A4592BD08BB824249BFCA@abpc> <8D95B4B18CEB4E6E852AAE29F29642C1@abpc> Message-ID: Asger, Yes, it was! Very helpful. In SSMS it's not that intuitive - and searching BOL got me nowhere. That's why this list is what it is: indispensable I've been on this list for about 10 years and it has been a life saver on many occasions. I agree that it would be a good idea to follow up with a 'problem solved' message when appropriate with a summary of the issue and how it was solved, or just a heads up when a reply was helpful. Regards Borge On Monday, February 14, 2011, Asger Blond wrote: > Was this response of any help to you? > Asger > > -----Oprindelig meddelelse----- > Fra: dba-sqlserver-bounces at databaseadvisors.com [mailto:dba-sqlserver-bounces at databaseadvisors.com] P? vegne af Asger Blond > Sendt: 26. januar 2011 11:29 > Til: 'Discussion concerning MS SQL Server' > Emne: Re: [dba-SQLServer] Change default backup destination and reductionof log file size > > In SSMS rightclick the server name - choose Facets - then in BackupDirectory enter the destination folder. > Notice that this will only be the default backup folder for databases you have not previously backed up - for previously backed up database you have to change the destination manually. > > As for reducing the log file you have to make a BACKUP LOG - a full database backup won't reduce the log file. > > Asger > > -----Oprindelig meddelelse----- > Fra: dba-sqlserver-bounces at databaseadvisors.com [mailto:dba-sqlserver-bounces at databaseadvisors.com] P? vegne af Borge Hansen > Sendt: 26. januar 2011 05:24 > Til: Discussion concerning MS SQL Server > Emne: [dba-SQLServer] Change default backup destination and reduction of log file size > > I recently installed the web server version of SQL 2008 R2, and as > part of installation I must have specified the default backup > destination folder. > I've restored three SQL 2005 DBs and all is good. > I moved the backup destination folder though in the file / folder system. > Now whenever I do a simple full backup the Management Studio is > serving up the location of the old now non existing backup folder. > Simple question: How and where do I change the default backup > destination setting? > > Also, One Db has a mdf file of 750mb and the logfile is about 500mb. > How do I reduce the size of the logfile? I thought that performing a > simple full backup would automatically reduce the logfile. > > Thanks, > borge > _______________________________________________ From jwcolby at colbyconsulting.com Sat Feb 19 13:53:30 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Sat, 19 Feb 2011 14:53:30 -0500 Subject: [dba-SQLServer] I'm getting nowhere Message-ID: <4D601FBA.5020302@colbyconsulting.com> I am getting nowhere on understanding SQL Server security. Microsoft provides us with SQL Server Express which implies that joe blow (me) is going to install / maintain it. I am not a SQL Server Admin and I cannot afford to spend the time to be one. Google is my friend. BOL is not. Except that Google is taking me to these places where I am expected to already know how this stuff works, and then wants to make me a *better* administrator. Which of course is useless because I am not an administrator at all. OTOH I am not stupid. If I could find something that started at the "This is SQL Server security" basics I could learn this stuff. Before anyone says "RTFM (BOL)" let me simply say, "not happening". I have tried BOL and it simply sucks for my level of expertise (my opinion of course). If that is your advice, simply stay out of this thread. Thanks! So... my needs: I need to set up several SQL Server databases for use by different, very small groups (5-20 people) of entirely unrelated people. What I mean by that is that each DB is for a different "company" if you will. I need to access these databases from C#. I understand the group / user paradigm. I would like to create groups and users. Specific groups can do specific things in the database, some can see data but not modify it. Some can add records in specific tables but not others. Some can run reports (view). I do *NOT* want to create windows level groups and users if I can avoid it. These are people that I do not necessarily know and I do not want to give them any rights at the machine level, and I prefer to not maintain such lists at the machine level. Unfortunately SQL Server does not seem to model Groups / users. I go into SQL Server and see a security tab. It has "logins". Is that a user? A specific ability to log in with a password? To what? The server itself? A specific database? Groups of databases? I see "roles" but these appear to be aimed at the server and none of these people are going to be doing anything at the server level. Can I safely ignore everything under the server security tab? I go to a database and I see a security tab. It has users and roles. Hmm... better (I would think). I would like to add users "under" the specific database that the user will access. So I try to add a new user but I do not see anywhere to require a password. Hmmm... I go into roles and I do not see any predefined role that looks like it would be useful to me in meeting my needs described above. If I look at "add new role" it asks for a password. The User / group model does nto assign passwords at the group level which implies that a role is not a group at the user / group paradigm. Is it just me, or is SQL Server security just... different? Am I correct in assuming that it doesn't implement a user / group paradigm? And more importantly, where can I go to get a plain, simple, English description of how this mess works? And please excuse the tone that results from my frustration. The only help documents that I have found (and I have extensive lists of bookmarked web pages) so far assume that I am an administrator. I am not, and cannot afford to become one. And yet MS pushes SQL Express as if I (non-admin) should be able to use this as a data store pool. Help! -- John W. Colby www.ColbyConsulting.com From fuller.artful at gmail.com Sat Feb 19 15:38:21 2011 From: fuller.artful at gmail.com (Arthur Fuller) Date: Sat, 19 Feb 2011 16:38:21 -0500 Subject: [dba-SQLServer] I'm getting nowhere In-Reply-To: <4D601FBA.5020302@colbyconsulting.com> References: <4D601FBA.5020302@colbyconsulting.com> Message-ID: The hierarchy goes like this: Roles -- Users What is not obvious from the docs is that you can add a role to a role. The reason you would want to do this is to "include" lower-level capabilities within a higher-level group (without bothering to have to re-define these). You can grant select, update, delete and inserts on any combination of tables, views and sprocs. The approach I typically use is to deny table access to everyone but me, and then to grant various levels of access to views and sprocs to various roles. That way, no one but you can directly hit a table. So, your bottom level might define Select capability and nothing else (to one or more views and sprocs). The next level up might permit Updates, and the next Inserts and Deletes. Actually I mean granting this privileges on the sprocs/views created for those purposes. As you move up the hierarchy, you can "stack" the abilities (i.e. add the lowest level role to the next up, and so on, until you reach the top, where the only member of that role is you. HTH, and if not feel free to ask. Arthur On Sat, Feb 19, 2011 at 2:53 PM, jwcolby wrote: > I am getting nowhere on understanding SQL Server security. Microsoft > provides us with SQL Server Express which implies that joe blow (me) is > going to install / maintain it. > > I am not a SQL Server Admin and I cannot afford to spend the time to be > one. > > Google is my friend. BOL is not. > > Except that Google is taking me to these places where I am expected to > already know how this stuff works, and then wants to make me a *better* > administrator. Which of course is useless because I am not an administrator > at all. > > OTOH I am not stupid. If I could find something that started at the "This > is SQL Server security" basics I could learn this stuff. Before anyone says > "RTFM (BOL)" let me simply say, "not happening". I have tried BOL and it > simply sucks for my level of expertise (my opinion of course). If that is > your advice, simply stay out of this thread. Thanks! > > So... my needs: > > I need to set up several SQL Server databases for use by different, very > small groups (5-20 people) of entirely unrelated people. What I mean by > that is that each DB is for a different "company" if you will. I need to > access these databases from C#. I understand the group / user paradigm. I > would like to create groups and users. Specific groups can do specific > things in the database, some can see data but not modify it. Some can add > records in specific tables but not others. Some can run reports (view). > > I do *NOT* want to create windows level groups and users if I can avoid it. > These are people that I do not necessarily know and I do not want to give > them any rights at the machine level, and I prefer to not maintain such > lists at the machine level. > > Unfortunately SQL Server does not seem to model Groups / users. I go into > SQL Server and see a security tab. It has "logins". Is that a user? A > specific ability to log in with a password? To what? The server itself? A > specific database? Groups of databases? > > I see "roles" but these appear to be aimed at the server and none of these > people are going to be doing anything at the server level. > > Can I safely ignore everything under the server security tab? > > I go to a database and I see a security tab. It has users and roles. > Hmm... better (I would think). I would like to add users "under" the > specific database that the user will access. > > So I try to add a new user but I do not see anywhere to require a password. > Hmmm... > > I go into roles and I do not see any predefined role that looks like it > would be useful to me in meeting my needs described above. If I look at > "add new role" it asks for a password. The User / group model does nto > assign passwords at the group level which implies that a role is not a group > at the user / group paradigm. > > Is it just me, or is SQL Server security just... different? Am I correct > in assuming that it doesn't implement a user / group paradigm? > > And more importantly, where can I go to get a plain, simple, English > description of how this mess works? > > And please excuse the tone that results from my frustration. The only help > documents that I have found (and I have extensive lists of bookmarked web > pages) so far assume that I am an administrator. I am not, and cannot > afford to become one. And yet MS pushes SQL Express as if I (non-admin) > should be able to use this as a data store pool. > > Help! > > -- > John W. Colby > www.ColbyConsulting.com > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > > From davidmcafee at gmail.com Sat Feb 19 16:29:13 2011 From: davidmcafee at gmail.com (David McAfee) Date: Sat, 19 Feb 2011 14:29:13 -0800 Subject: [dba-SQLServer] I'm getting nowhere Message-ID: John, I'm at a reggae fest right now and the air isn't very clear, so excuse me if I'm not very clear right now. Try something like: --Select the database USE yourdatabasenamehere --Adds the following roles to the database above EXEC sp_addrole 'Accounting' EXEC sp_addrole 'AccountingMgr' --Makes the accounting manager role a part of the --accounting role so you don't have to recreate all of those privileges EXEC sp_addrolemember 'Accounting', 'AccountingMgr' --adds an existing user to the role accounting EXEC sp_addrolemember 'Accounting', 'JColby' Look up sp_grantdbaccess and CREATE USER for more info. HTH David Sent from my Droid phone. On Feb 19, 2011 11:54 AM, "jwcolby" wrote: From jwcolby at colbyconsulting.com Sat Feb 19 18:18:04 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Sat, 19 Feb 2011 19:18:04 -0500 Subject: [dba-SQLServer] I'm getting nowhere In-Reply-To: References: <4D601FBA.5020302@colbyconsulting.com> Message-ID: <4D605DBC.3080006@colbyconsulting.com> > The hierarchy goes like this: > > Roles > -- Users But why does the user have no (apparent) password but the role does? I found a vague (to me) reference to schemas and assigning schemas to users... Now that makes sense. I assume in all this that if a user goes away I just delete the user? I don't see any way to enable / disable the user. This whole thing just seems real hokey. John W. Colby www.ColbyConsulting.com On 2/19/2011 4:38 PM, Arthur Fuller wrote: > The hierarchy goes like this: > > Roles > -- Users > > What is not obvious from the docs is that you can add a role to a role. The > reason you would want to do this is to "include" lower-level capabilities > within a higher-level group (without bothering to have to re-define these). > > You can grant select, update, delete and inserts on any combination of > tables, views and sprocs. The approach I typically use is to deny table > access to everyone but me, and then to grant various levels of access to > views and sprocs to various roles. That way, no one but you can directly hit > a table. > > So, your bottom level might define Select capability and nothing else (to > one or more views and sprocs). The next level up might permit Updates, and > the next Inserts and Deletes. Actually I mean granting this privileges on > the sprocs/views created for those purposes. > > As you move up the hierarchy, you can "stack" the abilities (i.e. add the > lowest level role to the next up, and so on, until you reach the top, where > the only member of that role is you. > > HTH, and if not feel free to ask. > Arthur > > On Sat, Feb 19, 2011 at 2:53 PM, jwcolbywrote: > >> I am getting nowhere on understanding SQL Server security. Microsoft >> provides us with SQL Server Express which implies that joe blow (me) is >> going to install / maintain it. >> >> I am not a SQL Server Admin and I cannot afford to spend the time to be >> one. >> >> Google is my friend. BOL is not. >> >> Except that Google is taking me to these places where I am expected to >> already know how this stuff works, and then wants to make me a *better* >> administrator. Which of course is useless because I am not an administrator >> at all. >> >> OTOH I am not stupid. If I could find something that started at the "This >> is SQL Server security" basics I could learn this stuff. Before anyone says >> "RTFM (BOL)" let me simply say, "not happening". I have tried BOL and it >> simply sucks for my level of expertise (my opinion of course). If that is >> your advice, simply stay out of this thread. Thanks! >> >> So... my needs: >> >> I need to set up several SQL Server databases for use by different, very >> small groups (5-20 people) of entirely unrelated people. What I mean by >> that is that each DB is for a different "company" if you will. I need to >> access these databases from C#. I understand the group / user paradigm. I >> would like to create groups and users. Specific groups can do specific >> things in the database, some can see data but not modify it. Some can add >> records in specific tables but not others. Some can run reports (view). >> >> I do *NOT* want to create windows level groups and users if I can avoid it. >> These are people that I do not necessarily know and I do not want to give >> them any rights at the machine level, and I prefer to not maintain such >> lists at the machine level. >> >> Unfortunately SQL Server does not seem to model Groups / users. I go into >> SQL Server and see a security tab. It has "logins". Is that a user? A >> specific ability to log in with a password? To what? The server itself? A >> specific database? Groups of databases? >> >> I see "roles" but these appear to be aimed at the server and none of these >> people are going to be doing anything at the server level. >> >> Can I safely ignore everything under the server security tab? >> >> I go to a database and I see a security tab. It has users and roles. >> Hmm... better (I would think). I would like to add users "under" the >> specific database that the user will access. >> >> So I try to add a new user but I do not see anywhere to require a password. >> Hmmm... >> >> I go into roles and I do not see any predefined role that looks like it >> would be useful to me in meeting my needs described above. If I look at >> "add new role" it asks for a password. The User / group model does nto >> assign passwords at the group level which implies that a role is not a group >> at the user / group paradigm. >> >> Is it just me, or is SQL Server security just... different? Am I correct >> in assuming that it doesn't implement a user / group paradigm? >> >> And more importantly, where can I go to get a plain, simple, English >> description of how this mess works? >> >> And please excuse the tone that results from my frustration. The only help >> documents that I have found (and I have extensive lists of bookmarked web >> pages) so far assume that I am an administrator. I am not, and cannot >> afford to become one. And yet MS pushes SQL Express as if I (non-admin) >> should be able to use this as a data store pool. >> >> Help! >> >> -- >> John W. Colby >> www.ColbyConsulting.com >> _______________________________________________ >> dba-SQLServer mailing list >> dba-SQLServer at databaseadvisors.com >> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver >> http://www.databaseadvisors.com >> >> > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > > From stuart at lexacorp.com.pg Sat Feb 19 18:22:49 2011 From: stuart at lexacorp.com.pg (Stuart McLachlan) Date: Sun, 20 Feb 2011 10:22:49 +1000 Subject: [dba-SQLServer] [AccessD] I'm getting nowhere In-Reply-To: <4D601FBA.5020302@colbyconsulting.com> References: <4D601FBA.5020302@colbyconsulting.com> Message-ID: <4D605ED9.11823.1EFC5774@stuart.lexacorp.com.pg> On 19 Feb 2011 at 14:53, jwcolby wrote: > If I could find something that started at the > "This is SQL Server security" basics I could learn this stuff. Maybe this will help. (This is "my" understanding of it - corrections from others welcome .) There are two levels of "Security" in SQL Server: 1. SQL Server Instance (Server name) level 2. Database level At the Instance Level, you have: 1. Server Roles 2. Logins At the Database level you have: 1. Database Roles 2. Users INSTANCE LEVEL ============== SERVER ROLES These are generic sets of "rights" which apply to the entire Instance. "Server role is used to grant server-wide privileges to a user" . Generally, use Public for all logins unless you need admin rights on the server. LOGIN To allow anyone to access SQL Server, you need to create a login at instance level for them and then define what that login can do in terms of individual databases Login = an entity that can log in to SQL Server. In your situation, you are using SQL Secruity so a Login needs a Username and Password. If using Windows/Mixed security, it could also be an Active Drectory user. Note the use of the word "entity" - not person. With SQL Security, an entity is entirely identified by the username/password pair. If you embed a standard username/password in a connection string for an application that connects to SQL Server, then that application itself is the logged in entity. Alternatively, if you collect the username/password from the person using that application and put that the in the connection string, the individual user is the entity. On creation, you can define the "Default Database" for the login - this is the one they automatically access (so your don't need to specify it in your connection string.) DATABASE LEVEL =============== DATABASE ROLE Role = a definition a what entities with that role can do in the database.. There are a number of predefined roles, which are useful for things like "read only" users but you frequently need to create your own and assign rights to specific database objects for that role. i.e. allow read only on some tables and write access on others. You can also do things like prevent users from directly writing to any tables and only allow them to run specfic stored prcedures to update data. Once you have defined a new role within the database, you can assign that role to specific users within that database. You can think of a role as similar to a Group, it defines a set of rights and you can assign roles to users in the same way you assign "group membership" to Windows users. USER Once you have created a Login, you go the relevant database ( or databases) and assign rights to that login in that database. You do that by adding the Login as a User in that database. User = The definition of what a particular login entity can do in the database. To make a specific login a user in the database, you create a new user and select the existing Login name. Note that you can give that user the same name as the Login name or use a completely different one. Unless you have a good reason, I'd use the same as the login name. You then assign Databse Roles to the User to control what the user can do in the database. -- Stuart From davidmcafee at gmail.com Sat Feb 19 18:24:16 2011 From: davidmcafee at gmail.com (David McAfee) Date: Sat, 19 Feb 2011 16:24:16 -0800 Subject: [dba-SQLServer] I'm getting nowhere In-Reply-To: <4D605DBC.3080006@colbyconsulting.com> References: <4D601FBA.5020302@colbyconsulting.com> <4D605DBC.3080006@colbyconsulting.com> Message-ID: Server logins have to already exit before you can add them as a user. See CREATE USER in Bol / msdn / Google Sent from my Droid phone. On Feb 19, 2011 4:19 PM, "jwcolby" wrote: > > The hierarchy goes like this: > > > > Roles > > -- Users > > But why does the user have no (apparent) password but the role does? > > I found a vague (to me) reference to schemas and assigning schemas to users... Now that makes sense. > > I assume in all this that if a user goes away I just delete the user? I don't see any way to enable > / disable the user. > > This whole thing just seems real hokey. > > John W. Colby > www.ColbyConsulting.com > > On 2/19/2011 4:38 PM, Arthur Fuller wrote: >> The hierarchy goes like this: >> >> Roles >> -- Users >> >> What is not obvious from the docs is that you can add a role to a role. The >> reason you would want to do this is to "include" lower-level capabilities >> within a higher-level group (without bothering to have to re-define these). >> >> You can grant select, update, delete and inserts on any combination of >> tables, views and sprocs. The approach I typically use is to deny table >> access to everyone but me, and then to grant various levels of access to >> views and sprocs to various roles. That way, no one but you can directly hit >> a table. >> >> So, your bottom level might define Select capability and nothing else (to >> one or more views and sprocs). The next level up might permit Updates, and >> the next Inserts and Deletes. Actually I mean granting this privileges on >> the sprocs/views created for those purposes. >> >> As you move up the hierarchy, you can "stack" the abilities (i.e. add the >> lowest level role to the next up, and so on, until you reach the top, where >> the only member of that role is you. >> >> HTH, and if not feel free to ask. >> Arthur >> >> On Sat, Feb 19, 2011 at 2:53 PM, jwcolbywrote: >> >>> I am getting nowhere on understanding SQL Server security. Microsoft >>> provides us with SQL Server Express which implies that joe blow (me) is >>> going to install / maintain it. >>> >>> I am not a SQL Server Admin and I cannot afford to spend the time to be >>> one. >>> >>> Google is my friend. BOL is not. >>> >>> Except that Google is taking me to these places where I am expected to >>> already know how this stuff works, and then wants to make me a *better* >>> administrator. Which of course is useless because I am not an administrator >>> at all. >>> >>> OTOH I am not stupid. If I could find something that started at the "This >>> is SQL Server security" basics I could learn this stuff. Before anyone says >>> "RTFM (BOL)" let me simply say, "not happening". I have tried BOL and it >>> simply sucks for my level of expertise (my opinion of course). If that is >>> your advice, simply stay out of this thread. Thanks! >>> >>> So... my needs: >>> >>> I need to set up several SQL Server databases for use by different, very >>> small groups (5-20 people) of entirely unrelated people. What I mean by >>> that is that each DB is for a different "company" if you will. I need to >>> access these databases from C#. I understand the group / user paradigm. I >>> would like to create groups and users. Specific groups can do specific >>> things in the database, some can see data but not modify it. Some can add >>> records in specific tables but not others. Some can run reports (view). >>> >>> I do *NOT* want to create windows level groups and users if I can avoid it. >>> These are people that I do not necessarily know and I do not want to give >>> them any rights at the machine level, and I prefer to not maintain such >>> lists at the machine level. >>> >>> Unfortunately SQL Server does not seem to model Groups / users. I go into >>> SQL Server and see a security tab. It has "logins". Is that a user? A >>> specific ability to log in with a password? To what? The server itself? A >>> specific database? Groups of databases? >>> >>> I see "roles" but these appear to be aimed at the server and none of these >>> people are going to be doing anything at the server level. >>> >>> Can I safely ignore everything under the server security tab? >>> >>> I go to a database and I see a security tab. It has users and roles. >>> Hmm... better (I would think). I would like to add users "under" the >>> specific database that the user will access. >>> >>> So I try to add a new user but I do not see anywhere to require a password. >>> Hmmm... >>> >>> I go into roles and I do not see any predefined role that looks like it >>> would be useful to me in meeting my needs described above. If I look at >>> "add new role" it asks for a password. The User / group model does nto >>> assign passwords at the group level which implies that a role is not a group >>> at the user / group paradigm. >>> >>> Is it just me, or is SQL Server security just... different? Am I correct >>> in assuming that it doesn't implement a user / group paradigm? >>> >>> And more importantly, where can I go to get a plain, simple, English >>> description of how this mess works? >>> >>> And please excuse the tone that results from my frustration. The only help >>> documents that I have found (and I have extensive lists of bookmarked web >>> pages) so far assume that I am an administrator. I am not, and cannot >>> afford to become one. And yet MS pushes SQL Express as if I (non-admin) >>> should be able to use this as a data store pool. >>> >>> Help! >>> >>> -- >>> John W. Colby >>> www.ColbyConsulting.com >>> _______________________________________________ >>> dba-SQLServer mailing list >>> dba-SQLServer at databaseadvisors.com >>> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver >>> http://www.databaseadvisors.com >>> >>> >> _______________________________________________ >> dba-SQLServer mailing list >> dba-SQLServer at databaseadvisors.com >> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver >> http://www.databaseadvisors.com >> >> > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > From jwcolby at colbyconsulting.com Sat Feb 19 19:14:52 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Sat, 19 Feb 2011 20:14:52 -0500 Subject: [dba-SQLServer] I'm getting nowhere In-Reply-To: References: <4D601FBA.5020302@colbyconsulting.com> <4D605DBC.3080006@colbyconsulting.com> Message-ID: <4D606B0C.5010608@colbyconsulting.com> > Server logins have to already exit before you can add them as a user. Are you talking about Windows users? I specifically don't want to do that. Imagine a web app where the world might come in and read a table. It makes no sense to require a windows user before database access. In my case I will have perhaps 40-80 people coming in to 3 or 4 different databases. A handful of these will be able to do "database maintenance", things like adding to list tables. Most will only be able to run reports. Some will add time sheet records. I have no intention of adding 40-80 people that I do not know to my Windows users if I can avoid it. Or are you talking about SQL Server Logins? This is my problem, everyone starts discussing this in the middle. Start with either "Go to this web page to learn this stuff" or "A server login is... and you add one by..." If I don't know what you mean by "a server login" then knowing that one needs to exist first is... not useful. John W. Colby www.ColbyConsulting.com On 2/19/2011 7:24 PM, David McAfee wrote: > Server logins have to already exit before you can add them as a user. > > See CREATE USER in Bol / msdn / Google > > Sent from my Droid phone. > On Feb 19, 2011 4:19 PM, "jwcolby" wrote: >>> The hierarchy goes like this: >>> >>> Roles >>> -- Users >> >> But why does the user have no (apparent) password but the role does? >> >> I found a vague (to me) reference to schemas and assigning schemas to > users... Now that makes sense. >> >> I assume in all this that if a user goes away I just delete the user? I > don't see any way to enable >> / disable the user. >> >> This whole thing just seems real hokey. >> >> John W. Colby >> www.ColbyConsulting.com >> >> On 2/19/2011 4:38 PM, Arthur Fuller wrote: >>> The hierarchy goes like this: >>> >>> Roles >>> -- Users >>> >>> What is not obvious from the docs is that you can add a role to a role. > The >>> reason you would want to do this is to "include" lower-level capabilities >>> within a higher-level group (without bothering to have to re-define > these). >>> >>> You can grant select, update, delete and inserts on any combination of >>> tables, views and sprocs. The approach I typically use is to deny table >>> access to everyone but me, and then to grant various levels of access to >>> views and sprocs to various roles. That way, no one but you can directly > hit >>> a table. >>> >>> So, your bottom level might define Select capability and nothing else (to >>> one or more views and sprocs). The next level up might permit Updates, > and >>> the next Inserts and Deletes. Actually I mean granting this privileges on >>> the sprocs/views created for those purposes. >>> >>> As you move up the hierarchy, you can "stack" the abilities (i.e. add the >>> lowest level role to the next up, and so on, until you reach the top, > where >>> the only member of that role is you. >>> >>> HTH, and if not feel free to ask. >>> Arthur >>> >>> On Sat, Feb 19, 2011 at 2:53 PM, jwcolby> wrote: >>> >>>> I am getting nowhere on understanding SQL Server security. Microsoft >>>> provides us with SQL Server Express which implies that joe blow (me) is >>>> going to install / maintain it. >>>> >>>> I am not a SQL Server Admin and I cannot afford to spend the time to be >>>> one. >>>> >>>> Google is my friend. BOL is not. >>>> >>>> Except that Google is taking me to these places where I am expected to >>>> already know how this stuff works, and then wants to make me a *better* >>>> administrator. Which of course is useless because I am not an > administrator >>>> at all. >>>> >>>> OTOH I am not stupid. If I could find something that started at the > "This >>>> is SQL Server security" basics I could learn this stuff. Before anyone > says >>>> "RTFM (BOL)" let me simply say, "not happening". I have tried BOL and it >>>> simply sucks for my level of expertise (my opinion of course). If that > is >>>> your advice, simply stay out of this thread. Thanks! >>>> >>>> So... my needs: >>>> >>>> I need to set up several SQL Server databases for use by different, very >>>> small groups (5-20 people) of entirely unrelated people. What I mean by >>>> that is that each DB is for a different "company" if you will. I need to >>>> access these databases from C#. I understand the group / user paradigm. > I >>>> would like to create groups and users. Specific groups can do specific >>>> things in the database, some can see data but not modify it. Some can > add >>>> records in specific tables but not others. Some can run reports (view). >>>> >>>> I do *NOT* want to create windows level groups and users if I can avoid > it. >>>> These are people that I do not necessarily know and I do not want to > give >>>> them any rights at the machine level, and I prefer to not maintain such >>>> lists at the machine level. >>>> >>>> Unfortunately SQL Server does not seem to model Groups / users. I go > into >>>> SQL Server and see a security tab. It has "logins". Is that a user? A >>>> specific ability to log in with a password? To what? The server itself? > A >>>> specific database? Groups of databases? >>>> >>>> I see "roles" but these appear to be aimed at the server and none of > these >>>> people are going to be doing anything at the server level. >>>> >>>> Can I safely ignore everything under the server security tab? >>>> >>>> I go to a database and I see a security tab. It has users and roles. >>>> Hmm... better (I would think). I would like to add users "under" the >>>> specific database that the user will access. >>>> >>>> So I try to add a new user but I do not see anywhere to require a > password. >>>> Hmmm... >>>> >>>> I go into roles and I do not see any predefined role that looks like it >>>> would be useful to me in meeting my needs described above. If I look at >>>> "add new role" it asks for a password. The User / group model does nto >>>> assign passwords at the group level which implies that a role is not a > group >>>> at the user / group paradigm. >>>> >>>> Is it just me, or is SQL Server security just... different? Am I correct >>>> in assuming that it doesn't implement a user / group paradigm? >>>> >>>> And more importantly, where can I go to get a plain, simple, English >>>> description of how this mess works? >>>> >>>> And please excuse the tone that results from my frustration. The only > help >>>> documents that I have found (and I have extensive lists of bookmarked > web >>>> pages) so far assume that I am an administrator. I am not, and cannot >>>> afford to become one. And yet MS pushes SQL Express as if I (non-admin) >>>> should be able to use this as a data store pool. >>>> >>>> Help! >>>> >>>> -- >>>> John W. Colby >>>> www.ColbyConsulting.com >>>> _______________________________________________ >>>> dba-SQLServer mailing list >>>> dba-SQLServer at databaseadvisors.com >>>> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver >>>> http://www.databaseadvisors.com >>>> >>>> >>> _______________________________________________ >>> dba-SQLServer mailing list >>> dba-SQLServer at databaseadvisors.com >>> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver >>> http://www.databaseadvisors.com >>> >>> >> _______________________________________________ >> dba-SQLServer mailing list >> dba-SQLServer at databaseadvisors.com >> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver >> http://www.databaseadvisors.com >> > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > > From stuart at lexacorp.com.pg Sat Feb 19 19:29:21 2011 From: stuart at lexacorp.com.pg (Stuart McLachlan) Date: Sun, 20 Feb 2011 11:29:21 +1000 Subject: [dba-SQLServer] I'm getting nowhere In-Reply-To: <4D606B0C.5010608@colbyconsulting.com> References: <4D601FBA.5020302@colbyconsulting.com>, , <4D606B0C.5010608@colbyconsulting.com> Message-ID: <4D606E71.19585.1F3942EC@stuart.lexacorp.com.pg> To be more explicit: "SQL Server logins have to already exist before you can add them as a Database User." Hopefully my earlier post has clarified the concept of "Server Login" for you. -- Stuart On 19 Feb 2011 at 20:14, jwcolby wrote: > > Server logins have to already exit before you can add them as a > user. > > Are you talking about Windows users? I specifically don't want to do > that. Imagine a web app where the world might come in and read a > table. It makes no sense to require a windows user before database > access. > > In my case I will have perhaps 40-80 people coming in to 3 or 4 > different databases. A handful of these will be able to do "database > maintenance", things like adding to list tables. Most will only be > able to run reports. Some will add time sheet records. > > I have no intention of adding 40-80 people that I do not know to my > Windows users if I can avoid it. > > Or are you talking about SQL Server Logins? > > This is my problem, everyone starts discussing this in the middle. > Start with either "Go to this web page to learn this stuff" or "A > server login is... and you add one by..." > > If I don't know what you mean by "a server login" then knowing that > one needs to exist first is... not useful. From jwcolby at colbyconsulting.com Sun Feb 20 06:59:37 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Sun, 20 Feb 2011 07:59:37 -0500 Subject: [dba-SQLServer] I'm getting nowhere In-Reply-To: <4D606E71.19585.1F3942EC@stuart.lexacorp.com.pg> References: <4D601FBA.5020302@colbyconsulting.com>, , <4D606B0C.5010608@colbyconsulting.com> <4D606E71.19585.1F3942EC@stuart.lexacorp.com.pg> Message-ID: <4D611039.4080807@colbyconsulting.com> Stuart, Thanks for your explanation, it does help. I'll be asking more questions later. Thanks again! John W. Colby www.ColbyConsulting.com On 2/19/2011 8:29 PM, Stuart McLachlan wrote: > To be more explicit: > > "SQL Server logins have to already exist before you can add them as a Database User." > > Hopefully my earlier post has clarified the concept of "Server Login" for you. > From jwcolby at colbyconsulting.com Fri Feb 25 15:22:56 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Fri, 25 Feb 2011 16:22:56 -0500 Subject: [dba-SQLServer] [AccessD] I'm getting nowhere In-Reply-To: <4D605ED9.11823.1EFC5774@stuart.lexacorp.com.pg> References: <4D601FBA.5020302@colbyconsulting.com> <4D605ED9.11823.1EFC5774@stuart.lexacorp.com.pg> Message-ID: <4D681DB0.5070607@colbyconsulting.com> OK, Stuart (or anyone capable) - can you walk me through this? I go into SQL Server Management Studio (Express). I click the Security folder / logins. I create a new login called DiscoApp. I select SQL Server security. I enter a password (twice). I select a default database. Now comes my first question, can this login work with many different databases? I assume I just set that in mapping? In server roles I leave it "Public" In User Mapping I select the two (so far) databases that this "user" is mapped to. In Database role membership for each database I select Public, db_DataReader and db_DataWriter. In Securables I do nothing In Status I leave "permission to connect = Grant" and "Login = enabled" Now I try to connect in my Access database and: I select New datasource. I select SQL Server as the driver I type in DiscoApp as the connection name I type in a description and select the server instance I select With SQL Server authentication and type in the username and password from above and... I get: Connection failed: SQL State 28000 SQL Server error 18452 {bunch of stuff here] Login failed for user DiscoApp. The user is not associated with a trusted SQL Server connection. And here we sit. If you have any idea what I am doing wrong, please let me know. I can go no further. Thanks, John W. Colby www.ColbyConsulting.com On 2/19/2011 7:22 PM, Stuart McLachlan wrote: > On 19 Feb 2011 at 14:53, jwcolby wrote: > >> If I could find something that started at the >> "This is SQL Server security" basics I could learn this stuff. > > Maybe this will help. > (This is "my" understanding of it - corrections from others welcome .) > > There are two levels of "Security" in SQL Server: > > 1. SQL Server Instance (Server name) level > 2. Database level > > At the Instance Level, you have: > 1. Server Roles > 2. Logins > > > At the Database level you have: > 1. Database Roles > 2. Users > > > INSTANCE LEVEL > ============== > > SERVER ROLES > These are generic sets of "rights" which apply to the entire Instance. "Server role is used to > grant server-wide privileges to a user" . Generally, use Public for all logins unless you need > admin rights on the server. > > > LOGIN > To allow anyone to access SQL Server, you need to create a login at instance level for them > and then define what that login can do in terms of individual databases > > Login = an entity that can log in to SQL Server. In your situation, you are using SQL Secruity > so a Login needs a Username and Password. If using Windows/Mixed security, it could > also be an Active Drectory user. Note the use of the word "entity" - not person. > > With SQL Security, an entity is entirely identified by the username/password pair. > > If you embed a standard username/password in a connection string for an application that > connects to SQL Server, then that application itself is the logged in entity. > > Alternatively, if you collect the username/password from the person using that application > and put that the in the connection string, the individual user is the entity. > > On creation, you can define the "Default Database" for the login - this is the one they > automatically access (so your don't need to specify it in your connection string.) > > > DATABASE LEVEL > =============== > > DATABASE ROLE > Role = a definition a what entities with that role can do in the database.. There are a number > of predefined roles, which are useful for things like "read only" users but you frequently need > to create your own and assign rights to specific database objects for that role. i.e. allow read > only on some tables and write access on others. You can also do things like prevent users > from directly writing to any tables and only allow them to run specfic stored prcedures to > update data. > > Once you have defined a new role within the database, you can assign that role to specific > users within that database. You can think of a role as similar to a Group, it defines a set of > rights and you can assign roles to users in the same way you assign "group membership" to > Windows users. > > USER > Once you have created a Login, you go the relevant database ( or databases) and assign > rights to that login in that database. You do that by adding the Login as a User in that > database. > > User = The definition of what a particular login entity can do in the database. > To make a specific login a user in the database, you create a new user and select the > existing Login name. Note that you can give that user the same name as the Login name or > use a completely different one. Unless you have a good reason, I'd use the same as the > login name. You then assign Databse Roles to the User to control what the user can do in > the database. > > > From stuart at lexacorp.com.pg Fri Feb 25 16:09:54 2011 From: stuart at lexacorp.com.pg (Stuart McLachlan) Date: Sat, 26 Feb 2011 08:09:54 +1000 Subject: [dba-SQLServer] [AccessD] I'm getting nowhere In-Reply-To: <4D681DB0.5070607@colbyconsulting.com> References: <4D601FBA.5020302@colbyconsulting.com>, <4D605ED9.11823.1EFC5774@stuart.lexacorp.com.pg>, <4D681DB0.5070607@colbyconsulting.com> Message-ID: <4D6828B2.22813.7E545A0@stuart.lexacorp.com.pg> That all sounds correct. In Management Studio, right click on the Server (top level Connection) and select Security. Make sure that "SQL Server and Windows Authentication mode" is ticked. Note that you can still create SQL Server Authenticated logins even if "Windows Authentication" is ticked - they just can't log in while that options is toggled. -- Stuart On 25 Feb 2011 at 16:22, jwcolby wrote: > OK, Stuart (or anyone capable) - can you walk me through this? > > I go into SQL Server Management Studio (Express).. > I click the Security folder / logins. > I create a new login called DiscoApp. > I select SQL Server security. > I enter a password (twice). > I select a default database. > > Now comes my first question, can this login work with many different > databases? I assume I just set that in mapping? > > In server roles I leave it "Public" > In User Mapping I select the two (so far) databases that this "user" > is mapped to. In Database role membership for each database I select > Public, db_DataReader and db_DataWriter. In Securables I do nothing In > Status I leave "permission to connect = Grant" and "Login = enabled" > > > Now I try to connect in my Access database and: > > I select New datasource. > I select SQL Server as the driver > I type in DiscoApp as the connection name > I type in a description and select the server instance > I select With SQL Server authentication and type in the username and > password from above > > and... I get: > > Connection failed: > SQL State 28000 > SQL Server error 18452 > {bunch of stuff here] Login failed for user DiscoApp. The user is not > associated with a trusted SQL Server connection. > > And here we sit. > > If you have any idea what I am doing wrong, please let me know. I can > go no further. > > Thanks, > > > John W. Colby > www.ColbyConsulting.com > > On 2/19/2011 7:22 PM, Stuart McLachlan wrote: > > On 19 Feb 2011 at 14:53, jwcolby wrote: > > > >> If I could find something that started at the > >> "This is SQL Server security" basics I could learn this stuff. > > > > Maybe this will help. > > (This is "my" understanding of it - corrections from others welcome > > .) > > > > There are two levels of "Security" in SQL Server: > > > > 1. SQL Server Instance (Server name) level > > 2. Database level > > > > At the Instance Level, you have: > > 1. Server Roles > > 2. Logins > > > > > > At the Database level you have: > > 1. Database Roles > > 2. Users > > > > > > INSTANCE LEVEL > > ============== > > > > SERVER ROLES > > These are generic sets of "rights" which apply to the entire > > Instance. "Server role is used to grant server-wide privileges to a > > user" . Generally, use Public for all logins unless you need admin > > rights on the server. > > > > > > LOGIN > > To allow anyone to access SQL Server, you need to create a login at > > instance level for them and then define what that login can do in > > terms of individual databases > > > > Login = an entity that can log in to SQL Server. In your situation, > > you are using SQL Secruity so a Login needs a Username and > > Password. If using Windows/Mixed security, it could also be an > > Active Drectory user. Note the use of the word "entity" - not > > person. > > > > With SQL Security, an entity is entirely identified by the > > username/password pair. > > > > If you embed a standard username/password in a connection string for > > an application that connects to SQL Server, then that application > > itself is the logged in entity. > > > > Alternatively, if you collect the username/password from the person > > using that application and put that the in the connection string, > > the individual user is the entity. > > > > On creation, you can define the "Default Database" for the login - > > this is the one they automatically access (so your don't need to > > specify it in your connection string.) > > > > > > DATABASE LEVEL > > =============== > > > > DATABASE ROLE > > Role = a definition a what entities with that role can do in the > > database.. There are a number of predefined roles, which are useful > > for things like "read only" users but you frequently need to create > > your own and assign rights to specific database objects for that > > role. i.e. allow read only on some tables and write access on > > others. You can also do things like prevent users from directly > > writing to any tables and only allow them to run specfic stored > > prcedures to update data. > > > > Once you have defined a new role within the database, you can > > assign that role to specific users within that database. You can > > think of a role as similar to a Group, it defines a set of rights > > and you can assign roles to users in the same way you assign "group > > membership" to Windows users. > > > > USER > > Once you have created a Login, you go the relevant database ( or > > databases) and assign rights to that login in that database. You do > > that by adding the Login as a User in that database. > > > > User = The definition of what a particular login entity can do in > > the database. To make a specific login a user in the database, you > > create a new user and select the existing Login name. Note that you > > can give that user the same name as the Login name or use a > > completely different one. Unless you have a good reason, I'd use > > the same as the login name. You then assign Databse Roles to the > > User to control what the user can do in the database. > > > > > > > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > > From jwcolby at colbyconsulting.com Fri Feb 25 20:05:59 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Fri, 25 Feb 2011 21:05:59 -0500 Subject: [dba-SQLServer] [AccessD] I'm getting nowhere In-Reply-To: <4D6828B2.22813.7E545A0@stuart.lexacorp.com.pg> References: <4D601FBA.5020302@colbyconsulting.com>, <4D605ED9.11823.1EFC5774@stuart.lexacorp.com.pg>, <4D681DB0.5070607@colbyconsulting.com> <4D6828B2.22813.7E545A0@stuart.lexacorp.com.pg> Message-ID: <4D686007.5020901@colbyconsulting.com> That was it, or at least I can now log in with SQL Server security. The server instance was set to Windows Authentication mode. Now it is mixed mode. John W. Colby www.ColbyConsulting.com On 2/25/2011 5:09 PM, Stuart McLachlan wrote: > That all sounds correct. > > In Management Studio, right click on the Server (top level Connection) and select Security. > Make sure that "SQL Server and Windows Authentication mode" is ticked. > > Note that you can still create SQL Server Authenticated logins even if "Windows > Authentication" is ticked - they just can't log in while that options is toggled. > From jwcolby at colbyconsulting.com Fri Feb 25 20:22:43 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Fri, 25 Feb 2011 21:22:43 -0500 Subject: [dba-SQLServer] I'm getting somewhere - still not sure where Message-ID: <4D6863F3.7080902@colbyconsulting.com> With Stuarts suggestion I am now able to log in as the sa, enter a password for the sa and actually do stuff. I am trying to upsize a single fairly simple table. I can create the table structure but the upsize fails immediately (and with no useful info in the miserable upsizing report) if I select to upsize the data. I am going to use the "create table structure" and then try just appending the data to see if that provides a clue. -- John W. Colby www.ColbyConsulting.com From jwcolby at colbyconsulting.com Fri Feb 25 20:28:36 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Fri, 25 Feb 2011 21:28:36 -0500 Subject: [dba-SQLServer] I'm getting somewhere In-Reply-To: <4D681DB0.5070607@colbyconsulting.com> References: <4D601FBA.5020302@colbyconsulting.com> <4D605ED9.11823.1EFC5774@stuart.lexacorp.com.pg> <4D681DB0.5070607@colbyconsulting.com> Message-ID: <4D686554.3090908@colbyconsulting.com> Well I finally got to connect and link a table. I did so by editing a DSN file and adding the username / password there. John W. Colby www.ColbyConsulting.com On 2/25/2011 4:22 PM, jwcolby wrote: > OK, Stuart (or anyone capable) - can you walk me through this? > > I go into SQL Server Management Studio (Express). > I click the Security folder / logins. > I create a new login called DiscoApp. > I select SQL Server security. > I enter a password (twice). > I select a default database. > > Now comes my first question, can this login work with many different databases? I assume I just set > that in mapping? > > In server roles I leave it "Public" > In User Mapping I select the two (so far) databases that this "user" is mapped to. > In Database role membership for each database I select Public, db_DataReader and db_DataWriter. > In Securables I do nothing > In Status I leave "permission to connect = Grant" and "Login = enabled" > > > Now I try to connect in my Access database and: > > I select New datasource. > I select SQL Server as the driver > I type in DiscoApp as the connection name > I type in a description and select the server instance > I select With SQL Server authentication and type in the username and password from above > > and... I get: > > Connection failed: > SQL State 28000 > SQL Server error 18452 > {bunch of stuff here] Login failed for user DiscoApp. The user is not associated with a trusted SQL > Server connection. > > And here we sit. > > If you have any idea what I am doing wrong, please let me know. I can go no further. > > Thanks, > > > John W. Colby > www.ColbyConsulting.com > > On 2/19/2011 7:22 PM, Stuart McLachlan wrote: >> On 19 Feb 2011 at 14:53, jwcolby wrote: >> >>> If I could find something that started at the >>> "This is SQL Server security" basics I could learn this stuff. >> >> Maybe this will help. >> (This is "my" understanding of it - corrections from others welcome .) >> >> There are two levels of "Security" in SQL Server: >> >> 1. SQL Server Instance (Server name) level >> 2. Database level >> >> At the Instance Level, you have: >> 1. Server Roles >> 2. Logins >> >> >> At the Database level you have: >> 1. Database Roles >> 2. Users >> >> >> INSTANCE LEVEL >> ============== >> >> SERVER ROLES >> These are generic sets of "rights" which apply to the entire Instance. "Server role is used to >> grant server-wide privileges to a user" . Generally, use Public for all logins unless you need >> admin rights on the server. >> >> >> LOGIN >> To allow anyone to access SQL Server, you need to create a login at instance level for them >> and then define what that login can do in terms of individual databases >> >> Login = an entity that can log in to SQL Server. In your situation, you are using SQL Secruity >> so a Login needs a Username and Password. If using Windows/Mixed security, it could >> also be an Active Drectory user. Note the use of the word "entity" - not person. >> >> With SQL Security, an entity is entirely identified by the username/password pair. >> >> If you embed a standard username/password in a connection string for an application that >> connects to SQL Server, then that application itself is the logged in entity. >> >> Alternatively, if you collect the username/password from the person using that application >> and put that the in the connection string, the individual user is the entity. >> >> On creation, you can define the "Default Database" for the login - this is the one they >> automatically access (so your don't need to specify it in your connection string.) >> >> >> DATABASE LEVEL >> =============== >> >> DATABASE ROLE >> Role = a definition a what entities with that role can do in the database.. There are a number >> of predefined roles, which are useful for things like "read only" users but you frequently need >> to create your own and assign rights to specific database objects for that role. i.e. allow read >> only on some tables and write access on others. You can also do things like prevent users >> from directly writing to any tables and only allow them to run specfic stored prcedures to >> update data. >> >> Once you have defined a new role within the database, you can assign that role to specific >> users within that database. You can think of a role as similar to a Group, it defines a set of >> rights and you can assign roles to users in the same way you assign "group membership" to >> Windows users. >> >> USER >> Once you have created a Login, you go the relevant database ( or databases) and assign >> rights to that login in that database. You do that by adding the Login as a User in that >> database. >> >> User = The definition of what a particular login entity can do in the database. >> To make a specific login a user in the database, you create a new user and select the >> existing Login name. Note that you can give that user the same name as the Login name or >> use a completely different one. Unless you have a good reason, I'd use the same as the >> login name. You then assign Databse Roles to the User to control what the user can do in >> the database. >> >> >> > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > > From jwcolby at colbyconsulting.com Fri Feb 25 20:38:14 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Fri, 25 Feb 2011 21:38:14 -0500 Subject: [dba-SQLServer] Access upsize Message-ID: <4D686796.2090503@colbyconsulting.com> Trying to upsize on the server fails with a "overflow" message. It seems this is a well known issue with Access 2000 which exists on the server. So I move to my workstation which has Access 2002 (XP). I create the table structure. i then have to remove the PK as well as the autonumber (SQL Equiv) and then try to simply append the data from Access to SQL Server. ~900K records, ~1 gig MDB size. My workstation fails with "resources exceeded". Of course my workstation only has a gig of ram running Windows XP x32. But hey, I am making progress anyway. -- John W. Colby www.ColbyConsulting.com From jwcolby at colbyconsulting.com Fri Feb 25 20:48:09 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Fri, 25 Feb 2011 21:48:09 -0500 Subject: [dba-SQLServer] Is it possible Message-ID: <4D6869E9.1050709@colbyconsulting.com> The upsize from Access to SQL Server is not going to be trivial. I might be able to zip and upload to my office where I have servers with office 2003 and Windows 2008 x64 and 16 or 32 gig RAM. However I am wondering whether it is possible to build the table structure of this one table over in SQL Server (express 2005) which (back in Access) contains an autonumber PK. In SQL Server, remove the PK as well as the autoincrement property from the table. Append the data into the table in SQL Server, then put the autoincrement / PK property back on the PK field in SQL Server. -- John W. Colby www.ColbyConsulting.com From stuart at lexacorp.com.pg Fri Feb 25 21:15:50 2011 From: stuart at lexacorp.com.pg (Stuart McLachlan) Date: Sat, 26 Feb 2011 13:15:50 +1000 Subject: [dba-SQLServer] Is it possible In-Reply-To: <4D6869E9.1050709@colbyconsulting.com> References: <4D6869E9.1050709@colbyconsulting.com> Message-ID: <4D687066.27148.8FD5C22@stuart.lexacorp.com.pg> Hi John, Yes, unlike Acces, in SQL Server you can switch autoincrement on and off regardless of whether or not there are existing records in the table. -- Stuart On 25 Feb 2011 at 21:48, jwcolby wrote: > The upsize from Access to SQL Server is not going to be trivial. I > might be able to zip and upload to my office where I have servers with > office 2003 and Windows 2008 x64 and 16 or 32 gig RAM. > > However I am wondering whether it is possible to build the table > structure of this one table over in SQL Server (express 2005) which > (back in Access) contains an autonumber PK. In SQL Server, remove the > PK as well as the autoincrement property from the table. Append the > data into the table in SQL Server, then put the autoincrement / PK > property back on the PK field in SQL Server. > > -- > John W. Colby > www.ColbyConsulting.com > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > > From jwcolby at colbyconsulting.com Fri Feb 25 21:21:44 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Fri, 25 Feb 2011 22:21:44 -0500 Subject: [dba-SQLServer] Is it possible In-Reply-To: <4D687066.27148.8FD5C22@stuart.lexacorp.com.pg> References: <4D6869E9.1050709@colbyconsulting.com> <4D687066.27148.8FD5C22@stuart.lexacorp.com.pg> Message-ID: <4D6871C8.80508@colbyconsulting.com> Cool! John W. Colby www.ColbyConsulting.com On 2/25/2011 10:15 PM, Stuart McLachlan wrote: > Hi John, > > Yes, unlike Acces, in SQL Server you can switch autoincrement on and off regardless of > whether or not there are existing records in the table. > From jwcolby at colbyconsulting.com Fri Feb 25 21:24:18 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Fri, 25 Feb 2011 22:24:18 -0500 Subject: [dba-SQLServer] Is it possible In-Reply-To: <4D687066.27148.8FD5C22@stuart.lexacorp.com.pg> References: <4D6869E9.1050709@colbyconsulting.com> <4D687066.27148.8FD5C22@stuart.lexacorp.com.pg> Message-ID: <4D687262.2080108@colbyconsulting.com> Does it just figure out the last value and start from there? John W. Colby www.ColbyConsulting.com On 2/25/2011 10:15 PM, Stuart McLachlan wrote: > Hi John, > > Yes, unlike Acces, in SQL Server you can switch autoincrement on and off regardless of > whether or not there are existing records in the table. > From stuart at lexacorp.com.pg Fri Feb 25 22:03:46 2011 From: stuart at lexacorp.com.pg (Stuart McLachlan) Date: Sat, 26 Feb 2011 14:03:46 +1000 Subject: [dba-SQLServer] Is it possible In-Reply-To: <4D687262.2080108@colbyconsulting.com> References: <4D6869E9.1050709@colbyconsulting.com>, <4D687066.27148.8FD5C22@stuart.lexacorp.com.pg>, <4D687262.2080108@colbyconsulting.com> Message-ID: <4D687BA2.24516.9293F60@stuart.lexacorp.com.pg> Basically, yes but you have lots of flexibility. If you change the column's Identity Seed to be larger than the current largest PK, it will start from that instead. (If it is smaller, it will use the current largest PK as it's start point). You can also set the size of the Increment, so you can have your PKs going up by 10 each time if you want :-) Just right click on the column, select Modify, click on Identity Specification in the lower panel and it will expand to show the various settings. -- Stuart On 25 Feb 2011 at 22:24, jwcolby wrote: > Does it just figure out the last value and start from there? > > John W. Colby > www.ColbyConsulting.com > > On 2/25/2011 10:15 PM, Stuart McLachlan wrote: > > Hi John, > > > > Yes, unlike Acces, in SQL Server you can switch autoincrement on and > > off regardless of whether or not there are existing records in the > > table. > > > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > > From stuart at lexacorp.com.pg Fri Feb 25 22:23:36 2011 From: stuart at lexacorp.com.pg (Stuart McLachlan) Date: Sat, 26 Feb 2011 14:23:36 +1000 Subject: [dba-SQLServer] Is it possible In-Reply-To: <4D687BA2.24516.9293F60@stuart.lexacorp.com.pg> References: <4D6869E9.1050709@colbyconsulting.com>, <4D687262.2080108@colbyconsulting.com>, <4D687BA2.24516.9293F60@stuart.lexacorp.com.pg> Message-ID: <4D688048.12797.93B669F@stuart.lexacorp.com.pg> I forgot to mention, it also means that you can create records with a "0" or negative values in your "autoincrement" field any time you like if you need to create special cases. That can be useful at times. -- Stuart On 26 Feb 2011 at 14:03, Stuart McLachlan wrote: > Basically, yes but you have lots of flexibility. > > If you change the column's Identity Seed to be larger than the current > largest PK, it will start from that instead. (If it is smaller, it > will use the current largest PK as it's start point). > > You can also set the size of the Increment, so you can have your PKs > going up by 10 each time if you want :-) > > Just right click on the column, select Modify, click on Identity > Specification in the lower panel and it will expand to show the > various settings. > > -- > Stuart > > On 25 Feb 2011 at 22:24, jwcolby wrote: > > > Does it just figure out the last value and start from there? > > > > John W. Colby > > www.ColbyConsulting.com > > > > On 2/25/2011 10:15 PM, Stuart McLachlan wrote: > > > Hi John, > > > > > > Yes, unlike Acces, in SQL Server you can switch autoincrement on > > > and off regardless of whether or not there are existing records in > > > the table. > > > > > _______________________________________________ > > dba-SQLServer mailing list > > dba-SQLServer at databaseadvisors.com > > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > > http://www.databaseadvisors.com > > > > > > > > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > > From jwcolby at colbyconsulting.com Mon Feb 28 17:58:15 2011 From: jwcolby at colbyconsulting.com (jwcolby) Date: Mon, 28 Feb 2011 18:58:15 -0500 Subject: [dba-SQLServer] Where are foreign key constraints? Message-ID: <4D6C3697.6030708@colbyconsulting.com> I built a database diagram where i dragged and dropped my PKs out onto FKs. Now I am getting error messages like: The insert statement conflicted with the foreign key constraint... I look at the constraints folder in each table and there is no FK_ constraints listed. I assume that they are stored somewhere else? Am I doing something wrong somewhere? -- John W. Colby www.ColbyConsulting.com From michael at ddisolutions.com.au Mon Feb 28 18:26:03 2011 From: michael at ddisolutions.com.au (Michael Maddison) Date: Tue, 1 Mar 2011 11:26:03 +1100 Subject: [dba-SQLServer] Where are foreign key constraints? References: <4D6C3697.6030708@colbyconsulting.com> Message-ID: <99266C61B516644D9727F983FAFAB465046A5B@remote.ddisolutions.com.au> Hi John, In 2005, in diagram, right click the table and select relationships. You should see the FK's for that table. In object explorer, expand Tables, expand Keys... cheers Michael M From: dba-sqlserver-bounces at databaseadvisors.com [mailto:dba-sqlserver-bounces at databaseadvisors.com] On Behalf Of jwcolby Sent: Tuesday, 1 March 2011 10:58 AM To: Sqlserver-Dba Subject: [dba-SQLServer] Where are foreign key constraints? I built a database diagram where i dragged and dropped my PKs out onto FKs. Now I am getting error messages like: The insert statement conflicted with the foreign key constraint... I look at the constraints folder in each table and there is no FK_ constraints listed. I assume that they are stored somewhere else? Am I doing something wrong somewhere? -- John W. Colby www.ColbyConsulting.com _______________________________________________ dba-SQLServer mailing list dba-SQLServer at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/dba-sqlserver http://www.databaseadvisors.com ________________________________ No virus found in this message. Checked by AVG - www.avg.com Version: 10.0.1204 / Virus Database: 1435/3474 - Release Date: 02/28/11 From stuart at lexacorp.com.pg Mon Feb 28 18:43:00 2011 From: stuart at lexacorp.com.pg (Stuart McLachlan) Date: Tue, 01 Mar 2011 10:43:00 +1000 Subject: [dba-SQLServer] Where are foreign key constraints? In-Reply-To: <4D6C3697.6030708@colbyconsulting.com> References: <4D6C3697.6030708@colbyconsulting.com> Message-ID: <4D6C4114.7640.17E48C83@stuart.lexacorp.com.pg> That folder is for general constraints which you create (FieldA > x and FieldB < y) Table Relationship constraints are not stored there. Go to Database - Tables - TableName. Right click, select modify. In the right hand pane, right click and select Relationships. -- Stuart On 28 Feb 2011 at 18:58, jwcolby wrote: > I built a database diagram where i dragged and dropped my PKs out onto > FKs. Now I am getting error messages like: > > The insert statement conflicted with the foreign key constraint... > > I look at the constraints folder in each table and there is no FK_ > constraints listed. I assume that they are stored somewhere else? Am > I doing something wrong somewhere? > I > -- > John W. Colby > www.ColbyConsulting.com > _______________________________________________ > dba-SQLServer mailing list > dba-SQLServer at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/dba-sqlserver > http://www.databaseadvisors.com > > From stuart at lexacorp.com.pg Mon Feb 28 18:49:29 2011 From: stuart at lexacorp.com.pg (Stuart McLachlan) Date: Tue, 01 Mar 2011 10:49:29 +1000 Subject: [dba-SQLServer] Where are foreign key constraints? In-Reply-To: <99266C61B516644D9727F983FAFAB465046A5B@remote.ddisolutions.com.au> References: <4D6C3697.6030708@colbyconsulting.com>, <99266C61B516644D9727F983FAFAB465046A5B@remote.ddisolutions.com.au> Message-ID: <4D6C4299.31292.17EA7E31@stuart.lexacorp.com.pg> Yep, that works too. On 1 Mar 2011 at 11:26, Michael Maddison wrote: > > In object explorer, expand Tables, expand Keys... > From michael at ddisolutions.com.au Mon Feb 28 18:52:49 2011 From: michael at ddisolutions.com.au (Michael Maddison) Date: Tue, 1 Mar 2011 11:52:49 +1100 Subject: [dba-SQLServer] Where are foreign key constraints? References: <4D6C3697.6030708@colbyconsulting.com>, <99266C61B516644D9727F983FAFAB465046A5B@remote.ddisolutions.com.au> <4D6C4299.31292.17EA7E31@stuart.lexacorp.com.pg> Message-ID: <99266C61B516644D9727F983FAFAB465046A5F@remote.ddisolutions.com.au> Hey it's MS so there HAS to be at least 3 ways to do any task... MM Yep, that works too. On 1 Mar 2011 at 11:26, Michael Maddison wrote: > > In object explorer, expand Tables, expand Keys... > _______________________________________________ dba-SQLServer mailing list dba-SQLServer at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/dba-sqlserver http://www.databaseadvisors.com ________________________________ No virus found in this message. Checked by AVG - www.avg.com Version: 10.0.1204 / Virus Database: 1435/3474 - Release Date: 02/28/11