How to create user for spesific IP?

%3CLINGO-SUB%20id%3D%22lingo-sub-3481819%22%20slang%3D%22en-US%22%3EHow%20to%20create%20user%20for%20spesific%20IP%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3481819%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3ELike%20the%20title%20said%2C%20how%20to%20achieve%20my%20requirement%3F%20On%20another%20database%20server%2C%20for%20example%20MySQL%2C%20we%20can%20define%20it%20when%20creating%20user%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECREATE%20USER%20'bob'%40'10.1.1.1'%20IDENTIFIED%20BY%20'password123'%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOr%2C%20in%26nbsp%3B%20PostgreSQL%20we%20can%20define%20it%20on%20pg_hba.conf.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20possible%20on%20SQL%20Server%3F%20If%20possible%2C%20how%20to%20do%20that%3F%20FYI%2C%20I%20use%20Microsoft%20SQL%202016.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3485590%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20create%20user%20for%20spesific%20IP%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3485590%22%20slang%3D%22en-US%22%3EIn%20MS%20SQL%20Server%20it's%20not%20possible.%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3485973%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20create%20user%20for%20spesific%20IP%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3485973%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1417691%22%20target%3D%22_blank%22%3E%40riupie%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%3E%3CSTRONG%3EFirst%3C%2FSTRONG%3E%3C%2FFONT%3E%20you%20need%20to%20remember%20that%20in%20SQL%20Server%2C%20a%20USER%20which%20you%20speak%20about%20is%20NOT%20the%20same%20as%20LOGIN%20which%20is%20probably%20what%20you%20want%20since%20you%20mention%20MySQL%20structure%20like%20'%3CSPAN%3Ebob'%40'10.1.1.1'.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EA%20%3CSTRONG%3ELogin%3C%2FSTRONG%3E%20is%20an%20%3CU%3Einstance%20level%3C%2FU%3E%20identity%20which%20is%20used%20to%20connect%20to%20a%20SQL%20Server%20instance.%20SQL%20LOGIN%20is%20for%20%3CU%3EAuthentication%3C%2FU%3E.%3C%2FP%3E%0A%3CP%3EA%20%3CSTRONG%3EUser%3C%2FSTRONG%3E%20is%20a%20%3CU%3Edatabase%20level%3C%2FU%3E%20entity%20which%20allows%20you%20to%20log%20into%20specific%20database.%20SQL%20Server%20USER%20is%20for%20%3CU%3EAuthorization%3C%2FU%3E.%20A%20USER%20can%20be%20mapped%20to%20a%20LOGIN%20but%20not%20necessarily.%20A%20USER%20which%20is%20not%20mapped%20to%20LOGIN%20(guess%20what%3F)%20cannot%20login%20the%20server.%26nbsp%3B%3CSPAN%3EMySQL%20does%20not%20have%20the%20same%20approach.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%225%22%3E%3CSTRONG%3ESecondly%3C%2FSTRONG%3E%3C%2FFONT%3E%2C%20in%20MySQL%20not%20all%20of%20this%26nbsp%3B%3CFONT%20color%3D%22%230000FF%22%3E'%3CSPAN%3Ebob'%40'10.1.1.1'%3CFONT%20color%3D%22%23000000%22%3E%20is%20the%20USER%2C%20but%20only%20the%26nbsp%3B'bob'%20part.%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3EWhen%20execute%20the%20following%20command%20in%20MySQL%20in%20order%20to%20create%20a%20USER%3C%2FP%3E%0A%3CBLOCKQUOTE%3E%0A%3CP%3E%3CSPAN%3E%26gt%3B%20CREATE%20USER%20'%3CFONT%20color%3D%22%230000FF%22%3Ebob%3C%2FFONT%3E'%40'%3CFONT%20color%3D%22%230000FF%22%3E10.1.1.1%3C%2FFONT%3E'%20IDENTIFIED%20WITH%20authentication_plugin%20BY%20'password'%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FBLOCKQUOTE%3E%0A%3CP%3ECREATE%20USER%3A%20Command%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E'%3CFONT%20color%3D%22%230000FF%22%3Ebob%3C%2FFONT%3E'%20is%20the%26nbsp%3B%3C%2FSPAN%3Eusername.%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E'%3CFONT%20color%3D%22%230000FF%22%3E10.1.1.1%3C%2FFONT%3E'%20is%20the%26nbsp%3B%3C%2FSPAN%3Ehostname%20-%20computer%20networking%20name%20or%20ip%20or%20domain%20for%20example%2C%20from%20which%20this%20user%20will%20connect.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-451974423%22%20id%3D%22toc-hId-451854174%22%3EThis%20specific%20exact%20format%20is%20not%20supported%20in%20SQL%20Server%3C%2FH2%3E%0A%3CP%3EBut%20there%20are%20multiple%20options%20to%20get%20what%20you%20are%20asking%20for%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOption%201%3A%20Using%20external%20Firewall%3C%2FP%3E%0A%3CP%3EThe%20approach%20of%20managing%20source%20host%20during%20LOGIN%20is%20done%20in%20SQL%20Server%20using%20external%20firewall.%20You%20simply%20need%20to%20configure%20the%20operating%20system%20firewall%20to%20allow%20specific%20IP%20for%20example.%3C%2FP%3E%0A%3CP%3EPros%3A%20This%20is%20simple%20and%20most%20common%20and%20recommended%20for%20most%20cases%3C%2FP%3E%0A%3CP%3ECons%3A%20SQL%20Server%20LOGIN%20not%20always%20related%20to%20OS%20USER%20and%20in%20such%20cases%20you%20cannot%20configure%20specific%20SQL%20Server%20LOGIN%20in%20the%20firewall.%20This%20mean%20that%20you%20can%20limit%20IP%20but%20this%20will%20work%20on%20all%20people%20that%20try%20to%20connect%20and%20not%20specific%20SQL%20Server%20LOGIN.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOption%202%3A%20Using%20trigger%3C%2FP%3E%0A%3CP%3EThis%20will%20provide%20exactly%20what%20you%20asked%20for.%3C%2FP%3E%0A%3CP%3EYou%20can%20use%20a%20TRIGGER%20on%20LOGIN%20which%20will%20check%20the%20LOGIN%20name%20and%20hostname%20he%20use%20to%20connect%20from.%20If%20these%20not%20in%20the%20list%20(can%20be%20for%20example%20set%20of%20rows%20in%20a%20table%20or%20hardcoded%20list)%2C%20then%20you%20prevent%20the%20login%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3ECREATE%20TRIGGER%20ConfirmIP4LOGIN%20ON%20ALL%20SERVER%20FOR%20LOGON%20AS%20%0ABEGIN%0A%20%20%20%20DECLARE%20%40ip_addr%20varchar(48)%0A%20%20%20%20SELECT%20%40ip_addr%20%3D%20client_net_address%0A%20%20%20%20FROM%20sys.dm_exec_connections%0A%20%20%20%20WHERE%20session_id%20%3D%20%40%40SPID%0A%20%20%20%20%0A%20%20%20%20IF%20ORIGINAL_LOGIN()%20%3D%20'bob'%20AND%20%40ip_addr%20%26lt%3B%26gt%3B%20'127.0.0.1'%0A%20%20%20%20%20%20%20%20ROLLBACK%3B%0AEND%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3BFor%20more%20information%20regarding%20connection%20properties%20which%20you%20can%20use%20check%20this%20doc%3A%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fsql%2Ft-sql%2Ffunctions%2Fconnectionproperty-transact-sql%3Fview%3Dsql-server-ver16%26amp%3BWT.mc_id%3DDP-MVP-5001699%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fsql%2Ft-sql%2Ffunctions%2Fconnectionproperty-transact-sql%3Fview%3Dsql-server-ver16%26amp%3BWT.mc_id%3DDP-MVP-5001699%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hi,

Like the title said, how to achieve my requirement? On another database server, for example MySQL, we can define it when creating user:

 

CREATE USER 'bob'@'10.1.1.1' IDENTIFIED BY 'password123';

 

Or, in  PostgreSQL we can define it on pg_hba.conf.

 

Is it possible on SQL Server? If possible, how to do that? FYI, I use Microsoft SQL 2016.

 

2 Replies
In MS SQL Server it's not possible.

Hi @riupie 

First you need to remember that in SQL Server, a USER which you speak about is NOT the same as LOGIN which is probably what you want since you mention MySQL structure like 'bob'@'10.1.1.1'.

 

A Login is an instance level identity which is used to connect to a SQL Server instance. SQL LOGIN is for Authentication.

A User is a database level entity which allows you to log into specific database. SQL Server USER is for Authorization. A USER can be mapped to a LOGIN but not necessarily. A USER which is not mapped to LOGIN (guess what?) cannot login the server. MySQL does not have the same approach.

 

Secondly, in MySQL not all of this 'bob'@'10.1.1.1' is the USER, but only the 'bob' part.

When execute the following command in MySQL in order to create a USER

> CREATE USER 'bob'@'10.1.1.1' IDENTIFIED WITH authentication_plugin BY 'password';

CREATE USER: Command

'bob' is the username.

'10.1.1.1' is the hostname - computer networking name or ip or domain for example, from which this user will connect.

 

This specific exact format is not supported in SQL Server

But there are multiple options to get what you are asking for

 

Option 1: Using external Firewall

The approach of managing source host during LOGIN is done in SQL Server using external firewall. You simply need to configure the operating system firewall to allow specific IP for example.

Pros: This is simple and most common and recommended for most cases

Cons: SQL Server LOGIN not always related to OS USER and in such cases you cannot configure specific SQL Server LOGIN in the firewall. This mean that you can limit IP but this will work on all people that try to connect and not specific SQL Server LOGIN.

 

Option 2: Using trigger

This will provide exactly what you asked for.

You can use a TRIGGER on LOGIN which will check the LOGIN name and hostname he use to connect from. If these not in the list (can be for example set of rows in a table or hardcoded list), then you prevent the login

 

CREATE TRIGGER ConfirmIP4LOGIN ON ALL SERVER FOR LOGON AS 
BEGIN
    DECLARE @ip_addr varchar(48)
    SELECT @ip_addr = client_net_address
    FROM sys.dm_exec_connections
    WHERE session_id = @@SPID
    
    IF ORIGINAL_LOGIN() = 'bob' AND @ip_addr <> '127.0.0.1'
        ROLLBACK;
END

 

 For more information regarding connection properties which you can use check this doc: 

https://docs.microsoft.com/sql/t-sql/functions/connectionproperty-transact-sql?view=sql-server-ver16...