2022年1月26日 星期三

Azure SQL

 Azure SQL


  1. SQL Server on Azure Virtual Machines
  2. Azure SQL Database
  3. Azure SQL Managed Instance (Azure SQL MI)
  4. Azure SQL Edge
  5. Azure Synapse Analytics - dedicated SQL Pool (formerly SQL DW)


Azure SQL Database

1.建立SQL Server resource時選擇驗證模式

  • SQL authentication
  • Azure Active Directory Authentication
  • Both SQL and Azure Active Directory Authentication

2.設定Active Directory Admin 

可以在Resource建立時設定

設定一個Azure Directory User Account成為SQL Server管理員

只能設定一位

3.建立一個SQL驗證的SQL Server管理員帳號與密碼

4.建立帳號SQL Account for Developer or App

  • 擁有Login帳號的登入方式
  • 沒有Login帳號的登入方式 (Contained DB user) - SQL Authentication
  • 沒有Login帳號的登入方式 (Contained DB user) - AD Authentication


(1)擁有Login帳號的登入方式

-- create SQL auth login from master 

USE [master]

CREATE LOGIN [User1] 

WITH PASSWORD = 'SuperSecret!' 

-- create a user mapped to a login in user db

USE [MyDB]

CREATE USER [User1] 

FOR LOGIN [User1]  

WITH DEFAULT_SCHEMA = dbo; 

  

-- add user to role(s) in YourDb

EXEC sp_addrolemember 'db_owner', 'User1';

EXEC sp_addrolemember 'db_datawriter', 'User1';

EXEC sp_addrolemember 'db_datareader’, 'User1';


(2)沒有Login帳號的登入方式 (Contained DB user) - SQL Authentication

-- create a contained user in user YourDb

USE [MyDB]

CREATE USER [User1] 

WITH PASSWORD = 'SuperSecret!', 

DEFAULT_SCHEMA = dbo; 


-- add user to role(s) in UserDb

EXEC sp_addrolemember 'db_owner', 'User1';

EXEC sp_addrolemember 'db_datawriter', 'User1';

EXEC sp_addrolemember 'db_datareader’, 'User1';


(3)沒有Login帳號的登入方式 (Contained DB user) - AD Authentication

-- add contained Azure AD user 

USE [MyDB]

CREATE USER [name@domain.com] 

FROM EXTERNAL PROVIDER 

WITH DEFAULT_SCHEMA = dbo;  

  

-- add user to role(s) in YourDb 

EXEC sp_addrolemember 'db_owner', 'name@domain.com';

EXEC sp_addrolemember 'db_datawriter', 'name@domain.com';

EXEC sp_addrolemember 'db_datareader’, 'name@domain.com';



5.建立帳號SQL Account for 受限制的DB管理員

-- create login  

USE [master]

CREATE LOGIN [dbadmin] 

WITH PASSWORD='SuperSecret!';  


-- create a user for login

CREATE USER [dbadmin

FOR LOGIN [dbadmin] ;


-- add user to Database-level role

-- 管理資料庫權限,可以建立刪除使用者資料庫

ALTER ROLE dbmanager ADD MEMBER [dbadmin]; 

-- 管理登入帳號,可以建立刪除登入帳號

ALTER ROLE loginmanager ADD MEMBER [dbadmin]; 


Role nameDescription
dbmanagerCan create and delete databases. A member of the dbmanager role that creates a database, becomes the owner of that database, which allows that user to connect to that database as the dbo user. The dbo user has all database permissions in the database. Members of the dbmanager role don't necessarily have permission to access databases that they don't own.
db_exporterApplies only to Azure Synapse Analytics dedicated SQL pools (formerly SQL DW).
Members of the db_exporter fixed database role can perform all data export activities. Permissions granted via this role are CREATE TABLE, ALTER ANY SCHEMA, ALTER ANY EXTERNAL DATA SOURCE, ALTER ANY EXTERNAL FILE FORMAT.
loginmanagerCan create and delete logins in the virtual master database.


Reference:

Configure and manage Azure AD authentication with Azure SQL

https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell

Authorize database access to SQL Database, SQL Managed Instance, and Azure Synapse Analytics

https://docs.microsoft.com/en-us/azure/azure-sql/database/logins-create-manage

CREATE LOGIN (Transact-SQL)

https://docs.microsoft.com/en-us/sql/t-sql/statements/create-login-transact-sql

Database-level roles

https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver15


授予Schema權限,則該使用者只能對此schema能夠建立修改與刪除資料庫物件

授權物件給使用者

C. Setting the owner of a schema

CREATE SCHEMA Production AUTHORIZATION [Contoso\Mary];  

GO

CREATE SCHEMA (Transact-SQL)

C. Transfer ownership of a schema to a user

ALTER AUTHORIZATION ON SCHEMA::SeattleProduction11 TO SandraAlayo;

GO

ALTER AUTHORIZATION (Transact-SQL)


Reference:

Authorize database access to SQL Database, SQL Managed Instance, and Azure Synapse Analytics

https://docs.microsoft.com/en-us/azure/azure-sql/database/logins-create-manage?view=azuresql


-
標籤: , ,

沒有留言:

張貼留言

訂閱: 張貼留言 (Atom)

SQL Server Planning, Pricing and License

  Server-CALs授權模式 1.需購買的量應該是所有終端用戶的電腦 例如:一台Data warehouse主機 與 一台Web報表主機,但公司有50人或電腦會連進Web報表主機開啟報表,則應該每一台用戶端電腦都需要有CALs授權,Data warehouse主機購買Ser...

  • Oracle TNS連線設定(Tnsnames.ora)
    1.安裝了Oracle Client,就可以用Oracle Net Manager工具來設定TNS連線設定(Tnsnames.ora)       Oracle Client 18.3 Installation 安裝Oracle Client 18.3 2.啟動Oracle Ne...
  • SSIS Oracle Source and Destination
    SQL Server Integration Service可以透過內建的OLE DB Source連線到Oracle匯出資料,但無法寫入資料到Oracle,Attunity公司針對這個功能提供了SSIS的連結Source,並且聽說資料傳送效率非常好,本人沒有測試過效能,有興趣的...
  • ASP.NET MVC Web App啟用SSL (Https連線)
    ASP.NET MVC Web App啟用SSL (Https連線) 1.在Web專案屬性 (1)將SSL已啟用改為True (2)複製或記下SSL URL路徑  2.Web專案屬性視窗,將專案URL改成上一個步驟複製的SSL URL路徑  3.在需要使用Https的Contro...