In the normal case the logins of the (SQL Server) server are coupled to the users in each of its databases. The logins are stored in its MASTER database. If a database gets restored to another server, then the mapping is lost and you end up with "orphaned users". Those accounts can no longer access the database.
For a contained database on a SQL Server:
- The server logins are not used/required. Users can be created and used without a matching login on the server. These users are called "portable users"
- The database handles the autorization instead of the server. This is called "contained database authentication". Activate this delegation of functionality on the server:
EXEC sp_configure 'contained database authentication',1 GO RECONFIGURE
In SSMS, a new option appears in the->Security->Users->New User... screen: "SQL User with password" - Works for SQL and Active Directory Accounts, e.g. statement for both without logins:
CREATE USER [testdomain\testuser] CREATE USER [biuser]
- Partial containment: in 2012 only the "partial containment" functionality works. In the future a "full containment" option if foreseen
- Connect from SSMS: you need to specify the database, otherwise the connection attempt fails, because the database is now doing the authentication
- Security: once a portable user gains access to a contained database through contained database authentication, that user also ends up gaining guest access to all other databases on the host system
- Conversion: conventional existing users can be converted into portable users through the use of a special stored procedure: sp_migrate_user_to_contained. It provides an argument that you can use to specify whether or not to disable the server-level login -- something you'll typically want to do as a best practice to avoid ugly login problems that can occur when duplicate logins and users overlap each other
- Downsides: no cross-database joins, linked server use, database mail, possible tempdb colation issues. Use "select * from sys.dm_db_uncontained_entities" to check containment readiness
No comments:
Post a Comment