problem with login list

Hi,

I'm using the 64-bit version of SQL Server 2005, SP2, on Windows
Server 2003 R2 X64 Enterprise Edition. I've got a bunch of users out
there who are the db_owner, db_accessadmin and db_securityadmin of
their different respective databases. I would expect that they would
be able to add users to their databases, given that a login exists on
the server. However, when they go to browse logins to add a user in
Management Studio, they are only shown a very short list (like,
themselves and sa, and that's it). We have hundreds of logins on the
server, and they should be able to add any one of them to their
databases if they wish. And if they try to type in the login name
directly, they get a permission denied error.

I am the system administrator, so thankfully I've not experienced this
problem, and I can add users for them. But I'd rather they be able to
do it themselves as they see fit. I have experimented by creating a
test SQL-authenticated login, and making it db_owner of a test
database. When I login with that test login and try to add a user, I
see the exact same behavior. The only logins viewable are my test
login and sa. The only other thing I can add is it's not just
occurring with the GUI interface; the same thing happens when I do a
direct query on the master.sys.syslogins view: I only see the same two
logins. So it appears it's happening at that level and the result
appears up in the GUI.

It appears this is a security/permissions thing. Anyone know if
there's a configuration setting or something that might be preventing
non-privileged users from being able to view all the server logins
when attempting to add users to their databases, in which they are
assigned the db_owner role?

Thanks
GringoSkyGringo (doug@.bu.edu) writes:

Quote:

Originally Posted by

>
I'm using the 64-bit version of SQL Server 2005, SP2, on Windows
Server 2003 R2 X64 Enterprise Edition. I've got a bunch of users out
there who are the db_owner, db_accessadmin and db_securityadmin of
their different respective databases. I would expect that they would
be able to add users to their databases, given that a login exists on
the server. However, when they go to browse logins to add a user in
Management Studio, they are only shown a very short list (like,
themselves and sa, and that's it). We have hundreds of logins on the
server, and they should be able to add any one of them to their
databases if they wish. And if they try to type in the login name
directly, they get a permission denied error.

They need to have VIEW DEFINITION on the logins they need to add. There
is no permission VIEW ANY LOGIN, but there is a server-level VIEW ANY
DEFINITION you can grant to them, but I would think twice before you
did.

Quote:

Originally Posted by

The only other thing I can add is it's not just occurring with the GUI
interface; the same thing happens when I do a direct query on the
master.sys.syslogins view: I only see the same two logins. So it
appears it's happening at that level and the result appears up in the
GUI.

It appears that you are of the old SQL 2000 school. :-)

Microsoft did a lot around security in SQL 2005, and one thing is
that objects are no longer visible to everyone. Essentially, you
can only see an object, if you have permission to it.

And the place to look for logins these days, is sys.server_principals.
While the old system tables are around for compatibility, they may not
show aspects that are new to SQL 2005.

--
Erland Sommarskog, SQL Server MVP, esquel@.sommarskog.se
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pr...oads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodin...ions/books.mspx

Problem with identity user in a report

Hi,

I use forms authentication with my Report manager. The problem is that I can't display the same information to all the users into the report. For example, in my report, i have one dataset that give me a list of all the store of a compagny. And i have to display only the store onto the user is working. If the user is a boss, he can see the information of all the stores. So i have to know in my report what is the login he uses in the form authetication and i don't know how to do.

Excuse me for my bad english and thank you.

Regards,

Shaouk.

Well Shaouk what i have understand from your point is that for that you must have your data base structure like that you must know which company is the user associated to. Means your company table should have column of user id Or if user can be associated with mulitiple companies then third table with comanyID and UserID should exist SO you may know that the logged in user is dealing with this or those comapnies.

Then after user logged in send userID to the stored procedure from which you are geting the company list so you may filter them on basis of that userId or if using dataset with already populated companies with userId's associated with them then filter that dataset on the basis of that logged in UserID

I Hope that works

Regards

Nabil Khalid

|||

Hello Shaouk,

From within your report, you can make use of User!UserID to determine who is running the report.

Hope this helps.

Jarret

Problem with droping users, please help

Hi

I'm trying to write a script that will make sure the user accounts are set up correctly after de attaching a database moving it to another machine and reattaching it. The problem is the user example1 had a login Name of example1 but after I've copied it over and re attached it the user example1 has No user at all, throught EM all I have to do is Delete the Database user and recreate it correctly, but We need to do this as part on a script, However I don't seem to be able to do the same thing through SQL.

The way I was attempting to drop and recreate the user was like this:

Execute sp_dropuser example1
Execute sp_addlogin example1
Execute sp_adduser example1
Execute sp_addrolemember @.rolename = db_datareader, @.membername = example1
Execute sp_addrolemember @.rolename = db_datawriter, @.membername = example1

However it comes back with this error:

Server: Msg 15175, Level 16, State 1, Procedure sp_droplogin, Line 93
Login 'example1' is aliased or mapped to a user in one or more database(s). Drop the user or alias before dropping the login.

Server: Msg 15025, Level 16, State 1, Procedure sp_addlogin, Line 56
The login 'example1' already exists.

Does any one now how I can get it too work like the EM version!

My eternal gratitude, NixiesYou need to exec sp_grantdbaccess first before you do exec sp_addrolemember.|||Originally posted by joejcheng
You need to exec sp_grantdbaccess first before you do exec sp_addrolemember.

Just doubled checked, dbaccess is fine and the sp_addrolemember went through with out any errors. My big problem is that I can't drop the user to recreate them. Any ideas?|||I had a similar problem a while back and was able to use the procedures from Microsoft to fix. Check out:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;298897.

Basically, you need to resynchronize the login SID's before you can perform any security edits. Hope this helps.