Use contained database users to authenticate SQL Server and SQL Database connections at the database level. A contained database is a database that is isolated from other databases and from the instance of SQL Server/ SQL Database (and the master database) that hosts the database. SQL Server supports contained database users for both Windows and SQL Server authentication.
SQL Docs - Contained Database Users - Making Your Database Portable
In the following example I have an SQL Server database "exampleorg", an user "exampleorg" and a password known to me ("known_password"). Use this T-SQL to create an addition SQL Server user (login) and memberships. Substitute example values with your values:
USE [exampleorg]
CREATE USER [exampleorg] WITH PASSWORD=N'known_password', DEFAULT_SCHEMA=[dbo]
ALTER ROLE [db_datareader] ADD MEMBER [exampleorg]
ALTER ROLE [db_datawriter] ADD MEMBER [exampleorg]
ALTER ROLE [db_ddladmin] ADD MEMBER [exampleorg]
ALTER ROLE [db_securityadmin] ADD MEMBER [exampleorg]GO
GRANT EXECUTE ON SCHEMA::dbo TO [exampleorg]GO
What this does, in a nutshell:
- a new user is created in the database exampleorg, called exampleorg;
- the new users default schema is the dbo schema;
- the user is added as a member to the following fixed-database roles:
- db_datareader: Members of the db_datareader fixed database role can read all data from all user tables and views. User objects can exist in any schema except sys and INFORMATION_SCHEMA.
- db_datawriter: Members of the db_datawriter fixed database role can add, delete, or change data in all user tables. In most use cases this role will be combined with db_datareader membership to allow reading the data that is to be modified.
- db_ddladmin: Members of the db_ddladmin fixed database role can run any Data Definition Language (DDL) command in a database. Members of this role can potentially elevate their privileges by manipulating code that may get executed under high privileges and their actions should be monitored.
- db_securityadmin: Members of the db_securityadmin fixed database role can modify role membership for custom roles only and manage permissions. Members of this role can potentially elevate their privileges and their actions should be monitored.
- The newly created user exampleorg gets execute permission on the dbo schema;
Instead of ALTER ROLE
statements you can also use sp_addrolemember
stored procedures:
exec sp_addrolemember @membername = [exampleorg], @rolename = [db_datareader]
exec sp_addrolemember @membername = [exampleorg], @rolename = [db_datawriter]
exec sp_addrolemember @membername = [exampleorg], @rolename = [db_ddladmin]
exec sp_addrolemember @membername = [exampleorg], @rolename = [db_securityadmin]
But remember that ALTER ROLE is preferred.