Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase ««123»»

db_creator permission not working on SQL Server 2008 r2 Expand / Collapse
Author
Message
Posted Friday, August 31, 2012 9:30 AM
SSC Rookie

SSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC Rookie

Group: General Forum Members
Last Login: Wednesday, July 2, 2014 8:30 AM
Points: 34, Visits: 562
Hi

Yes i did, I have disabled it and it works now. I cannot believe it was a simple thing as that.
Post #1352912
Posted Friday, August 31, 2012 9:37 AM


Ten Centuries

Ten CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen Centuries

Group: General Forum Members
Last Login: Today @ 8:20 AM
Points: 1,225, Visits: 9,643
dbadude78 (8/31/2012)

The reason i put the triggers was to monitor when a new database is created. Any ideas on how i can set the trigger so that the dbcreator works while its on?


Not sure what you're asking? You can obviously change the trigger definition so it just logs the event (to a table/email/wherever) and doesn't prevent it.

I don't see the point of checking whether someone has permission to create a database and only prevent it if they don't, SQL Server will take care of that for you...
Post #1352920
Posted Friday, August 31, 2012 9:38 AM


SSChampion

SSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampion

Group: General Forum Members
Last Login: Today @ 7:35 AM
Points: 12,880, Visits: 31,807
dbadude78 (8/31/2012)
Yes I have got a DDL trigger, I have disabled it and it works now. Thankyou for your help
The reason i put the triggers was to monitor when a new database is created. Any ideas on how i can set the trigger so that the dbcreator works while its on?

thank you once again



well, the only people who can create new databases are those in the sysadmin role, or in dbcreator;

the trigger was created to prevent new databases, so you need to establish the rules, and test accordingly;

for example, I've made DDL triggers where only specific logins, and only from specific hostname(machines) are allowed to perform certain operations...
so only "BobTheSupervisor", myself, or "sa" are allowed, and even then, they must run the command from a specific hostname or IP Address.
, everyone else gets blocked.


something like this example is what i mean:
ALTER TRIGGER [TR_DB_NO_DROPPING_OBJECTS]
on DATABASE
FOR
DROP_PROCEDURE,DROP_FUNCTION,DROP_VIEW,DROP_TABLE
AS
BEGIN
--only two accounts allowed to drop stuff
IF suser_name() IN('sa','BobTheSupervisor','mydomain\lowell' )
BEGIN
--and only from two specific machines on the network
IF host_name() NOT IN('DEV223','PRODUCTION')
BEGIN
RAISERROR('Unauthorized use of drop object from inpermissible host.', 16, 1)
--prevent the drop
ROLLBACK
END
--ELSE --it was the right machine!
--BEGIN
--if it got to here, it was the "right" user from the "right" machine (i hope)
--END
END
ELSE
-- not the right login, Susie Ormand style [DENYED]
BEGIN
RAISERROR('Unauthorized use of drop object from inpermissible user.', 16, 1)
--prevent the drop
ROLLBACK
END
END --DB Trigger



Lowell

--There is no spoon, and there's no default ORDER BY in sql server either.
Actually, Common Sense is so rare, it should be considered a Superpower. --my son
Post #1352923
Posted Friday, August 31, 2012 9:51 AM
SSC Rookie

SSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC Rookie

Group: General Forum Members
Last Login: Wednesday, July 2, 2014 8:30 AM
Points: 34, Visits: 562
Can i just clarify, the trigger was only created to track when ever a database was created or dropped. See below

CREATE TRIGGER [Audit_Server]
ON ALL SERVER
FOR CREATE_DATABASE , DROP_DATABASE

AS
BEGIN
SET NOCOUNT ON;
DECLARE
@EventData XML = EVENTDATA();

DECLARE
@ip VARCHAR(32) =
(
SELECT client_net_address
FROM sys.dm_exec_connections
WHERE session_id = @@SPID
);

INSERT adminlog.dbo.dba_ddl_events
(
EventType,
EventDDL,
EventXML,
DatabaseName,
SchemaName,
ObjectName,
HostName,
IPAddress,
ProgramName,
LoginName

)
SELECT
@EventData.value('(/EVENT_INSTANCE/EventType)[1]', 'NVARCHAR(100)'),
@EventData.value('(/EVENT_INSTANCE/TSQLCommand)[1]', 'NVARCHAR(MAX)'),
@EventData,
DB_NAME(),
@EventData.value('(/EVENT_INSTANCE/SchemaName)[1]', 'NVARCHAR(255)'),
@EventData.value('(/EVENT_INSTANCE/ObjectName)[1]', 'NVARCHAR(255)'),
HOST_NAME(),
@ip,
PROGRAM_NAME(),
SUSER_SNAME();

END

GO
Post #1352934
Posted Friday, August 31, 2012 9:53 AM


SSChampion

SSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampion

Group: General Forum Members
Last Login: Today @ 7:35 AM
Points: 12,880, Visits: 31,807
in that case, everyone who has CREATE DATABASE permissions must also have INSERT permissions on the logging table

INSERT adminlog.dbo.dba_ddl_events

no insert permissions (line 13, right, like the error said?) would cause the rollback.


you could get around that using EXECUTE AS in my first example.


Lowell

--There is no spoon, and there's no default ORDER BY in sql server either.
Actually, Common Sense is so rare, it should be considered a Superpower. --my son
Post #1352935
Posted Friday, August 31, 2012 9:58 AM


Ten Centuries

Ten CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen Centuries

Group: General Forum Members
Last Login: Today @ 8:20 AM
Points: 1,225, Visits: 9,643
Lowell (8/31/2012)
in that case, everyone who has CREATE DATABASE permissions must also have INSERT permissions on the logging table


...and permissions on sys.dm_exec_connections (VIEW SERVER STATE permission)
Post #1352943
Posted Friday, August 31, 2012 10:00 AM
SSC Rookie

SSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC Rookie

Group: General Forum Members
Last Login: Wednesday, July 2, 2014 8:30 AM
Points: 34, Visits: 562
I will give it a try thankyou both for your help
Post #1352947
Posted Friday, August 31, 2012 10:36 AM


SSCrazy Eights

SSCrazy EightsSSCrazy EightsSSCrazy EightsSSCrazy EightsSSCrazy EightsSSCrazy EightsSSCrazy EightsSSCrazy EightsSSCrazy EightsSSCrazy Eights

Group: General Forum Members
Last Login: Thursday, June 5, 2014 10:54 AM
Points: 9,902, Visits: 9,480
You can also add a WITH EXECUTE AS .. clause to the Trigger so that it can run under its own permissions, instead of having to rely on the User's. that's how I usually handle this problem.

-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc.
"Performance is our middle name."
Post #1352965
Posted Monday, September 3, 2012 2:37 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Sunday, February 10, 2013 11:41 AM
Points: 1, Visits: 15
Hi

I have tried adding AS EXECUTE to the following trigger but get the following error message
Cannot execute as the server principal because the principal "devtest" does not exist, this type of principal cannot be impersonated, or you do not have permission. This happens when I try to create a table.

I'm not too sure what permission level devtest needs to be to execute the trigger. I gave it sysadmin and got the following error.

CREATE TRIGGER [Audit_Server]
ON ALL SERVER
FOR CREATE_DATABASE , DROP_DATABASE

AS
BEGIN

EXECUTE AS LOGIN = 'devtest'
SET NOCOUNT ON;
DECLARE
@EventData XML = EVENTDATA();

DECLARE
@ip VARCHAR(32) =
(
SELECT client_net_address
FROM sys.dm_exec_connections
WHERE session_id = @@SPID
);

INSERT adminlog.dbo.dba_ddl_events
(
EventType,
EventDDL,
EventXML,
DatabaseName,
SchemaName,
ObjectName,
HostName,
IPAddress,
ProgramName,
LoginName

)
SELECT
@EventData.value('(/EVENT_INSTANCE/EventType)[1]', 'NVARCHAR(100)'),
@EventData.value('(/EVENT_INSTANCE/TSQLCommand)[1]', 'NVARCHAR(MAX)'),
@EventData,
DB_NAME(),
@EventData.value('(/EVENT_INSTANCE/SchemaName)[1]', 'NVARCHAR(255)'),
@EventData.value('(/EVENT_INSTANCE/ObjectName)[1]', 'NVARCHAR(255)'),
HOST_NAME(),
@ip,
PROGRAM_NAME(),
SUSER_SNAME();

END

GO
Post #1353630
Posted Tuesday, September 4, 2012 2:31 AM
SSC Rookie

SSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC Rookie

Group: General Forum Members
Last Login: Wednesday, July 2, 2014 8:30 AM
Points: 34, Visits: 562
Hi Guys

So Far,
- I have given devtest permissions to INSERT into the dba_ddl_events table
- For the DDLTrigger, I have added Execute AS to 'devtest'
- Added View Server State Permissions to devtest from the server

Any ideas on what I have missed out

thanks
Post #1353754
« Prev Topic | Next Topic »

Add to briefcase ««123»»

Permissions Expand / Collapse