db_creator permission not working on SQL Server 2008 r2

SQLServerCentral is supported by Red Gate Software Ltd.

Popular Topics

Home

Members

Calendar

Who's On

Home » SQL Server 2008 » SQL Server 2008 - General » db_creator permission not working on SQL...

21 posts, Page 2 of 3

««1 2 3 »»

db_creator permission not working on SQL Server 2008 r2

Rate Topic

Display Mode

Topic Options

Author

Message

dbadude78

Posted Friday, August 31, 2012 9:30 AM

SSC Rookie

Group: General Forum Members
Last Login: Tuesday, May 14, 2013 9:07 AM
Points: 29, Visits: 436

Hi

Yes i did, I have disabled it and it works now. I cannot believe it was a simple thing as that.

Post #1352912

HowardW

Posted Friday, August 31, 2012 9:37 AM

Ten Centuries

Group: General Forum Members
Last Login: Tuesday, April 30, 2013 5:55 AM
Points: 1,034, Visits: 7,660

dbadude78 (8/31/2012)

The reason i put the triggers was to monitor when a new database is created. Any ideas on how i can set the trigger so that the dbcreator works while its on?

Not sure what you're asking? You can obviously change the trigger definition so it just logs the event (to a table/email/wherever) and doesn't prevent it.

I don't see the point of checking whether someone has permission to create a database and only prevent it if they don't, SQL Server will take care of that for you...

Post #1352920

Lowell

Posted Friday, August 31, 2012 9:38 AM

SSChampion

Group: General Forum Members
Last Login: Yesterday @ 1:11 PM
Points: 11,605, Visits: 27,645

dbadude78 (8/31/2012)

Yes I have got a DDL trigger, I have disabled it and it works now. Thankyou for your help Smile

The reason i put the triggers was to monitor when a new database is created. Any ideas on how i can set the trigger so that the dbcreator works while its on?

thank you once again Smile

well, the only people who can create new databases are those in the sysadmin role, or in dbcreator;

the trigger was created to prevent new databases, so you need to establish the rules, and test accordingly;

for example, I've made DDL triggers where only specific logins, and only from specific hostname(machines) are allowed to perform certain operations...
so only "BobTheSupervisor", myself, or "sa" are allowed, and even then, they must run the command from a specific hostname or IP Address.
, everyone else gets blocked.

something like this example is what i mean:

ALTER TRIGGER [TR_DB_NO_DROPPING_OBJECTS]
on DATABASE
FOR 
 DROP_PROCEDURE,DROP_FUNCTION,DROP_VIEW,DROP_TABLE
 AS
 BEGIN
   --only two accounts allowed to drop stuff
   IF suser_name() IN('sa','BobTheSupervisor','mydomain\lowell' )
     BEGIN
       --and only from two specific machines on the network 
       IF host_name() NOT IN('DEV223','PRODUCTION')
         BEGIN
           RAISERROR('Unauthorized use of drop object from inpermissible host.', 16, 1)
           --prevent the drop
           ROLLBACK
         END
     --ELSE --it was the right machine! 
       --BEGIN
         --if it got to here, it was the "right" user from the "right" machine (i hope)
       --END 
     END
   ELSE
     -- not the right login, Susie Ormand style [DENYED]
     BEGIN
        RAISERROR('Unauthorized use of drop object from inpermissible user.', 16, 1)
        --prevent the drop
        ROLLBACK
     END  
END  --DB Trigger

Lowell

--There is no spoon, and there's no default ORDER BY in sql server either.
Actually, Common Sense is so rare, it should be considered a Superpower. --my son

Post #1352923

dbadude78

Posted Friday, August 31, 2012 9:51 AM

SSC Rookie

Group: General Forum Members
Last Login: Tuesday, May 14, 2013 9:07 AM
Points: 29, Visits: 436

Can i just clarify, the trigger was only created to track when ever a database was created or dropped. See below

CREATE TRIGGER [Audit_Server]
ON ALL SERVER
FOR CREATE_DATABASE , DROP_DATABASE

AS
BEGIN
SET NOCOUNT ON;
DECLARE
@EventData XML = EVENTDATA();

DECLARE
@ip VARCHAR(32) =
(
SELECT client_net_address
FROM sys.dm_exec_connections
WHERE session_id = @@SPID
);

INSERT adminlog.dbo.dba_ddl_events
(
EventType,
EventDDL,
EventXML,
DatabaseName,
SchemaName,
ObjectName,
HostName,
IPAddress,
ProgramName,
LoginName

)
SELECT
@EventData.value('(/EVENT_INSTANCE/EventType)[1]', 'NVARCHAR(100)'),
@EventData.value('(/EVENT_INSTANCE/TSQLCommand)[1]', 'NVARCHAR(MAX)'),
@EventData,
DB_NAME(),
@EventData.value('(/EVENT_INSTANCE/SchemaName)[1]', 'NVARCHAR(255)'),
@EventData.value('(/EVENT_INSTANCE/ObjectName)[1]', 'NVARCHAR(255)'),
HOST_NAME(),
@ip,
PROGRAM_NAME(),
SUSER_SNAME();

END

GO

Post #1352934

Lowell

Posted Friday, August 31, 2012 9:53 AM

SSChampion

Group: General Forum Members
Last Login: Yesterday @ 1:11 PM
Points: 11,605, Visits: 27,645

in that case, everyone who has CREATE DATABASE permissions must also have INSERT permissions on the logging table

INSERT adminlog.dbo.dba_ddl_events

no insert permissions (line 13, right, like the error said?) would cause the rollback.

you could get around that using EXECUTE AS in my first example.

Lowell

--There is no spoon, and there's no default ORDER BY in sql server either.
Actually, Common Sense is so rare, it should be considered a Superpower. --my son

Post #1352935

HowardW

Posted Friday, August 31, 2012 9:58 AM

Ten Centuries

Group: General Forum Members
Last Login: Tuesday, April 30, 2013 5:55 AM
Points: 1,034, Visits: 7,660

Lowell (8/31/2012)

in that case, everyone who has CREATE DATABASE permissions must also have INSERT permissions on the logging table

...and permissions on sys.dm_exec_connections (VIEW SERVER STATE permission)

Post #1352943

dbadude78

Posted Friday, August 31, 2012 10:00 AM

SSC Rookie

Group: General Forum Members
Last Login: Tuesday, May 14, 2013 9:07 AM
Points: 29, Visits: 436

I will give it a try thankyou both for your help
Smile

Post #1352947

RBarryYoung

Posted Friday, August 31, 2012 10:36 AM

SSCrazy Eights

Group: General Forum Members
Last Login: Saturday, May 04, 2013 11:13 AM
Points: 9,855, Visits: 9,374

You can also add a WITH EXECUTE AS .. clause to the Trigger so that it can run under its own permissions, instead of having to rely on the User's. that's how I usually handle this problem.

-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc. "Performance is our middle name."

Post #1352965

pardeep.bhara 4684

Posted Monday, September 03, 2012 2:37 PM

Forum Newbie

Group: General Forum Members
Last Login: Sunday, February 10, 2013 11:41 AM
Points: 1, Visits: 15

Hi

I have tried adding AS EXECUTE to the following trigger but get the following error message
Cannot execute as the server principal because the principal "devtest" does not exist, this type of principal cannot be impersonated, or you do not have permission. This happens when I try to create a table.

I'm not too sure what permission level devtest needs to be to execute the trigger. I gave it sysadmin and got the following error.

CREATE TRIGGER [Audit_Server]
ON ALL SERVER
FOR CREATE_DATABASE , DROP_DATABASE

AS
BEGIN

EXECUTE AS LOGIN = 'devtest'
SET NOCOUNT ON;
DECLARE
@EventData XML = EVENTDATA();

DECLARE
@ip VARCHAR(32) =
(
SELECT client_net_address
FROM sys.dm_exec_connections
WHERE session_id = @@SPID
);

INSERT adminlog.dbo.dba_ddl_events
(
EventType,
EventDDL,
EventXML,
DatabaseName,
SchemaName,
ObjectName,
HostName,
IPAddress,
ProgramName,
LoginName

)
SELECT
@EventData.value('(/EVENT_INSTANCE/EventType)[1]', 'NVARCHAR(100)'),
@EventData.value('(/EVENT_INSTANCE/TSQLCommand)[1]', 'NVARCHAR(MAX)'),
@EventData,
DB_NAME(),
@EventData.value('(/EVENT_INSTANCE/SchemaName)[1]', 'NVARCHAR(255)'),
@EventData.value('(/EVENT_INSTANCE/ObjectName)[1]', 'NVARCHAR(255)'),
HOST_NAME(),
@ip,
PROGRAM_NAME(),
SUSER_SNAME();

END

GO

Post #1353630

dbadude78

Posted Tuesday, September 04, 2012 2:31 AM

SSC Rookie

Group: General Forum Members
Last Login: Tuesday, May 14, 2013 9:07 AM
Points: 29, Visits: 436

Hi Guys

So Far,
- I have given devtest permissions to INSERT into the dba_ddl_events table
- For the DDLTrigger, I have added Execute AS to 'devtest'
- Added View Server State Permissions to devtest from the server

Any ideas on what I have missed out

thanks

Post #1353754

« Prev Topic | Next Topic »

21 posts, Page 2 of 3

««1 2 3 »»

Permissions