Posts: 11,101
Threads: 100
Joined: Aug 2006
Reputation:
201
I do not really understand what you are looking for - you can create as many Security Groups as you want - and then assign your users or User Groups. There are some "global security assignments" that you can set directly in the dialog from your screenshot (Button Details). And then you can assign security right in the Navigation view - just go to the "Permissions" category of any object, add your security groups and assign whatever you want to allow… The Permissions will be inherited by all child objects until you set some new ones.
Regards/Gruss
Oliver
Posts: 5
Threads: 1
Joined: Mar 2019
Reputation:
0
Hi Oliver,
Thanks for your reply.
I do get the concept of the Security Groups themselves. My question is mainly about how to change where new users are added by default.
If the users were part of an AD, they could be selected from the AD group and would get their security group assignments accordingly. In our case, users are in Azure AD and therefore can't be 'selected' (or can they?).
If we could change where newly logged-in users are created, e.g. in a least-privileges group, and have them manually moved by an admin to a more privileged group, that would be very nice. As it looks to me, they aren't able to connect at all (User has no access: User with name 'xyz' and SID 'S-1-12-1-xyz' has no access login).
Let me know if there is a need for further clarification.
Regards,
Fabian
Posts: 11,101
Threads: 100
Joined: Aug 2006
Reputation:
201
New users aren't assigned to any Security Group - an Administrator needs to add an AD group or the users themselves to one of the existing Security Groups - otherwise they won't be able to log in.
Go to Settings=>Domains and try to add your AZURE-AD - I think it should be no problem to use the AZURE-AD - but currently I think it is not possible to use the AZURE account for Windows Authentication against a database server (or only AZURE DB?) - just give it a try :-)
Regards/Gruss
Oliver
Posts: 5
Threads: 1
Joined: Mar 2019
Reputation:
0
Oh, okay. That makes that point clear so far.
In that case, I will have to modify our AzureAD a bit since as of today it doesn't support 'Azure AD Domain Services' which would, in my understanding, be required to connect it in the mentioned settings dialog.
The authentication towards the Azure Database with Azure AD joined devices and 'Windows Authentication' works fine by the way; you just have to use the connection string mentioned in the Azure portal, looking something like this: 'Server=tcp:[yourazuresqlserver].database.windows.net,1433;Initial Catalog=[databasename];Persist Security Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Authentication="Active Directory Integrated";'
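As an added example (not part of the original posts and not the product's own code), this Python check parses a connection string like the one quoted above and flags settings weaker than the posted ones. The host and database names and the WEAK sample are constructed, and treating a missing Encrypt key as off is an assumption.

```python
import re

# key=value pairs separated by ';'; a value may be quoted and then contain ';'.
_PAIR = re.compile(r"""\s*([^=;]+?)\s*=\s*("(?:[^"]|"")*"|'(?:[^']|'')*'|[^;]*)\s*(?:;|$)""")

def parse_conn_string(s):
    """Return {key without spaces, lowercased: unquoted value}; later keys win."""
    out = {}
    for m in _PAIR.finditer(s):
        key = m.group(1).replace(" ", "").lower()
        val = m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            q = val[0]
            val = val[1:-1].replace(q * 2, q)  # doubled quote = escaped quote
        out[key] = val
    return out

def audit(s):
    """Return findings; an empty list means the string matches the posted settings."""
    kv = parse_conn_string(s)
    on = lambda k: kv.get(k, "false").lower() in ("true", "yes", "mandatory", "strict")
    findings = []
    if not on("encrypt"):  # assumption: a missing Encrypt key counts as off
        findings.append("Encrypt is not enabled")
    if on("trustservercertificate"):
        findings.append("TrustServerCertificate=True skips certificate validation")
    if on("persistsecurityinfo"):
        findings.append("Persist Security Info=True keeps credentials readable")
    if "password" in kv or "pwd" in kv:
        findings.append("embedded password in connection string")
    if kv.get("authentication", "").lower() != "active directory integrated":
        findings.append("Authentication is not Active Directory Integrated")
    return findings

# Constructed samples: POSTED mirrors the settings quoted in the post, WEAK does not.
POSTED = ('Server=tcp:example.database.windows.net,1433;Initial Catalog=exampledb;'
          'Persist Security Info=False;MultipleActiveResultSets=False;Encrypt=True;'
          'TrustServerCertificate=False;Connection Timeout=30;'
          'Authentication="Active Directory Integrated";')
WEAK = ('Server=tcp:example.database.windows.net,1433;Initial Catalog=exampledb;'
        'User ID=app;Password="p;w";Encrypt=False;TrustServerCertificate=True;')

if __name__ == "__main__":
    for name, cs in (("POSTED", POSTED), ("WEAK", WEAK)):
        print(name, audit(cs) or "ok")
```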
Posts: 11,101
Threads: 100
Joined: Aug 2006
Reputation:
201
Can you check your error log for details?
Regards/Gruss
Oliver
Posts: 11,101
Threads: 100
Joined: Aug 2006
Reputation:
201
Currently I have no AZURE test environment - so could you please try to add the port to the server name, like server:636? Is that working? Otherwise I have to check that in detail...
Regards/Gruss
Oliver