November 21, 2022

SQL Server Logins vs Database Users

Usually there is a confusion over logins and users in SQL Server, especially for new SQL Server users. Here I have summarized the points to help understand the difference between these two concepts.

SQL Login

  • SQL Login is for Authentication. Authentication can decide if we have permissions to access the server or not.
  • Login is created at the SQL Server instance level.
  • The logins will be assigned to server roles (for example, public, serveradmin, sysadmin etc).
  • Create Login:
    CREATE LOGIN [idrees_login] WITH PASSWORD = 'password-goes-here';
    
  • Assign Server-Role to Login:
    ALTER SERVER ROLE [sysadmin] ADD MEMBER [idrees_login]
    

SQL User

  • SQL Server User is for Authorization. Authorization decides what are different operations we can perform in a database. Permissions inside the database are granted to the database users, not the logins.
  • User is created at the SQL Server database level. We can have multiple users from different databases (one user per database) connected to a single login to a server. User will always mapped to a Login.
  • Users will be assigned to roles within that database (eg. db_owner, db_datareader, db_datawriter etc).
  • Create User:
    CREATE USER [idrees_user] FOR LOGIN [idrees_login];
    
  • Assign Database-Role to User:
    ALTER ROLE [db_owner] ADD MEMBER [idrees_user]
    

General:

  • Logins only allow you to access to server. If the login is not mapped to any database user, then it will not be allowed to access any objects in the database.
  • You can not have a (database) user without a (server) login.
  • You cannot speficy the crendentials for user. Since user is mapped to a login, the login credentials are user for connection access. The same login credentials will be used to access all the databases for which a user is mapped.
  • Within a database, the objects-level permissions will be granted/revoked on user.

SQL Server - Change Authentication mode from Windows to Sql Server Authentication

During SQL Server installation, the wizard allows to select the authentication mode. At that time you can pick the required authentication scheme as per your needs.

In case if you have selected the Windows Authentication, the server will not configure the SQL Authentication mode and will not setup the default 'sa' account.

At later time if you want to enable the SQL Authentication, following steps will be required:

  1. Enable SQL Server Authentication Mode:

    • In SQL Server Management Studio Object Explorer, right-click the Server node, and then click Properties.

    • On the Security page, under Server authentication, select SQL Server and Windows Authentication mode. Then click OK.

    • When it asks you to restart the SQL Server, click OK.
  2. Enable Existing Login account sa:

    • By default, the sa account remains disable (if Windows Authentication mode is selected during SQL Server installation).

      First step is to enable sa login.

      ALTER LOGIN sa ENABLE ;
      GO
      
    • Second step is to set strong password for login sa.

      ALTER LOGIN sa WITH PASSWORD = '[enter-strong-password-here]';
      GO