Sometimes you need to create an additional SQL Server Login (user) for your database (databases). Here is a small T-SQL snippet that creates such a login for contained databases in SQL Server and adds memberships.
Use contained database users to authenticate SQL Server and SQL Database connections at the database level. A contained database is a database that is isolated from other databases and from the instance of SQL Server/ SQL Database (and the master database) that hosts the database. SQL Server supports contained database users for both Windows and SQL Server authentication.
SQL Docs - Contained Database Users - Making Your Database Portable
In the following example I have an SQL Server database "exampleorg", an user "exampleorg" and a password known to me ("known_password"). Use this T-SQL to create an addition SQL Server user (login) and memberships. Substitute example values with your values:
USE [exampleorg]
CREATE USER [exampleorg] WITH PASSWORD=N'known_password', DEFAULT_SCHEMA=[dbo]
ALTER ROLE [db_datareader] ADD MEMBER [exampleorg]
ALTER ROLE [db_datawriter] ADD MEMBER [exampleorg]
ALTER ROLE [db_ddladmin] ADD MEMBER [exampleorg]
ALTER ROLE [db_securityadmin] ADD MEMBER [exampleorg]
GO
GRANT EXECUTE ON SCHEMA::dbo TO [exampleorg]
GOWhat this does, in a nutshell:
- a new user is created in the database exampleorg, called exampleorg;
- the new users default schema is the dbo schema;
- the user is added as a member to the following fixed-database roles:
- db_datareader: Members of the db_datareader fixed database role can read all data from all user tables and views. User objects can exist in any schema except sys and INFORMATION_SCHEMA.
- db_datawriter: Members of the db_datawriter fixed database role can add, delete, or change data in all user tables. In most use cases this role will be combined with db_datareader membership to allow reading the data that is to be modified.
- db_ddladmin: Members of the db_ddladmin fixed database role can run any Data Definition Language (DDL) command in a database. Members of this role can potentially elevate their privileges by manipulating code that may get executed under high privileges and their actions should be monitored.
- db_securityadmin: Members of the db_securityadmin fixed database role can modify role membership for custom roles only and manage permissions. Members of this role can potentially elevate their privileges and their actions should be monitored.
- The newly created user exampleorg gets execute permission on the dbo schema;
Instead of ALTER ROLE statements you can also use sp_addrolemember stored procedures:
exec sp_addrolemember @membername = [exampleorg], @rolename = [db_datareader]
exec sp_addrolemember @membername = [exampleorg], @rolename = [db_datawriter]
exec sp_addrolemember @membername = [exampleorg], @rolename = [db_ddladmin]
exec sp_addrolemember @membername = [exampleorg], @rolename = [db_securityadmin]But remember that ALTER ROLE is preferred.
Thank you very much! <3 ❤️
Hi, my name is Jan. I am not a hacker, coder, developer or guru. I am merely an application manager / systems administrator, doing my daily thing at Embrace – The Human Cloud. In the past I worked at CLDIN (CLouDINfra) and Vevida. With over 20 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization. I blog at https://www.saotn.org.
