Szerkesztés

Megosztás a következőn keresztül:


sp_migrate_user_to_contained (Transact-SQL)

Applies to: SQL Server

Converts a database user that is mapped to a SQL Server login, to a contained database user with password. In a contained database, use this procedure to remove dependencies on the instance of SQL Server where the database is installed. sp_migrate_user_to_contained separates the user from the original SQL Server login, so that settings such as password and default language can be administered separately for the contained database.

sp_migrate_user_to_contained can be used before moving the contained database to a different instance of the SQL Server Database Engine to eliminate dependencies on the current SQL Server instance logins.

Caution

Be careful when using sp_migrate_user_to_contained, as you'll not be able to reverse the effect. This procedure is only used in a contained database. For more information, see Contained Databases.

Syntax

sp_migrate_user_to_contained [ @username = ] N'user' ,
    [ @rename = ] { N'copy_login_name' | N'keep_name' } ,
    [ @disablelogin = ] { N'disable_login' | N'do_not_disable_login' }
[ ; ]

Arguments

[ @username = ] N'username'

Name of a user in the current contained database that is mapped to a SQL Server authenticated login. The value is sysname, with a default of NULL.

[ @rename = ] N'copy_login_name' | N'keep_name'

When a database user based on a login has a different user name than the login name, use keep_name to retain the database user name during the migration. Use copy_login_name to create the new contained database user with the name of the login, instead of the user. When a database user based on a login has the same user name as the login name, both options create the contained database user without changing the name.

[ @disablelogin = ] N'disable_login' | N'do_not_disable_login'

Used to disable the login in the master database. To connect when the login is disabled, the connection must provide the contained database name as the initial catalog as part of the connection string.

Return code values

0 (success) or 1 (failure).

Remarks

sp_migrate_user_to_contained creates the contained database user with password, regardless of the properties or permissions of the login. For example, the procedure can succeed if the login is disabled or if the user is denied the CONNECT permission to the database.

sp_migrate_user_to_contained has the following restrictions.

  • The user name can't already exist in the database.
  • Built-in users, for example dbo and guest, can't be converted.
  • The user can't be specified in the EXECUTE AS clause of a signed stored procedure.
  • The user can't own a stored procedure that includes the EXECUTE AS OWNER clause.
  • sp_migrate_user_to_contained can't be used in a system database.

Security

When migrating users, be careful not to disable or delete all the administrator logins from the instance of SQL Server. If all logins are deleted, see Connect to SQL Server when system administrators are locked out.

If the BUILTIN\Administrators login is present, administrators can connect by starting their application using the Run as Administrator option.

Permissions

Requires the CONTROL SERVER permission.

Examples

A. Migrate a single user

The following example migrates a SQL Server login named Barry, to a contained database user with password. The example doesn't change the user name, and retains the login as enabled.

EXEC sp_migrate_user_to_contained @username = N'Barry',
    @rename = N'keep_name',
    @disablelogin = N'do_not_disable_login';

B. Migrate all database users with logins to contained database users without logins

The following example migrates all users that are based on SQL Server logins to contained database users with passwords. The example excludes logins that aren't enabled. The example must be executed in the contained database.

DECLARE @username SYSNAME;

DECLARE user_cursor CURSOR
FOR
SELECT dp.name
FROM sys.database_principals AS dp
INNER JOIN sys.server_principals AS sp
    ON dp.sid = sp.sid
WHERE dp.authentication_type = 1
    AND sp.is_disabled = 0;

OPEN user_cursor

FETCH NEXT
FROM user_cursor
INTO @username

WHILE @@FETCH_STATUS = 0
BEGIN
    EXECUTE sp_migrate_user_to_contained @username = @username,
        @rename = N'keep_name',
        @disablelogin = N'disable_login';

    FETCH NEXT
    FROM user_cursor
    INTO @username
END

CLOSE user_cursor;

DEALLOCATE user_cursor;