Security2:Create User

User 用于访问DB

Users based on logins in master (This is the most common type of user.)

• User based on a login based on a Windows user.

• User based on a login based on a Windows group.

• User based on a login using SQL Server authentication.

Users based on Windows principals that connect through Windows group logins

• User based on a Windows user that has no login, but can connect to the Database Engine through membership in a Windows group.

• User based on a Windows group that has no login, but can connect to the Database Engine through membership in a different Windows group.

1，Syntax

Users based on logins in master

CREATE USER user_name
[
    { FOR | FROM } LOGIN login_name
]
[ WITH DEFAULT_SCHEMA = schema_name ]
[ ; ]

Users based on Windows principals that connect through Windows group logins

CREATE USER
    {
          windows_principal [ { FOR | FROM } LOGIN windows_principal ]
        | user_name { FOR | FROM } LOGIN windows_principal
    }
    [ WITH DEFAULT_SCHEMA = schema_name ]
[ ; ]

user_name

Specifies the name by which the user is identified inside this database. user_name is a sysname. It can be up to 128 characters long. When creating a user based on a Windows principal, the Windows principal name becomes the user name unless another user name is specified.

LOGIN login_name 

Specifies the login for which the database user is being created. login_name must be a valid login in the server. Can be a login based on a Windows principal (user or group), or a login using SQL Server authentication. When this SQL Server login enters the database, it acquires the name and ID of the database user that is being created. When creating a login mapped from a Windows principal, use the format [<domainName>\<loginName>].

WITH DEFAULT_SCHEMA = schema_name  

Specifies the first schema that will be searched by the server when it resolves the names of objects for this database user.

The default schema will be the first schema that will be searched by the server when it resolves the names of objects for this database user. Unless otherwise specified, the default schema will be the owner of objects created by this database user.

If the user has a default schema, that default schema will used. If the user does not have a default schema, but the user is a member of a group that has a default schema, the default schema of the group will be used. If the user does not have a default schema, and is a member of more than one group, the default schema for the user will be that of the Windows group with the lowest principal_id and an explicitly set default schema. (It is not possible to explicitly select one of the available default schemas as the preferred schema.) If no default schema can be determined for a user, the dbo schema will be used.

DEFAULT_SCHEMA can be set before the schema that it points to is created.

The value of DEFAULT_SCHEMA is ignored if the user is a member of the sysadmin fixed server role. All members of the sysadmin fixed server role have a default schema of dbo.

windows_principal'   

Specifies the Windows principal for which the database user is being created. The windows_principal can be a Windows user, or a Windows group. The user will be created even if the windows_principal does not have a login. When connecting to SQL Server, if the windows_principal does not have a login, the Windows principal must authenticate at the Database Engine through membership in a Windows group that has a login, or the connection string must specify the contained database as the initial catalog. When creating a user from a Windows principal, use the format [<domainName>\<loginName>].

2，Users based on logins in master

Creating a database user with a default schema

CREATE LOGIN WanidaBenshoof
    WITH PASSWORD = '8fdKJl3$nlNv3049jsKK';
USE AdventureWorks2012;
CREATE USER Wanida FOR LOGIN WanidaBenshoof
    WITH DEFAULT_SCHEMA = Marketing;
GO

3，Users based on Windows principals without logins in master  

The following list shows possible syntax for users that have access to the Database Engine through a Windows group but do not have a login in master. This syntax can be used in all types of databases. The default schema and language options are not listed.

This syntax is similar to users based on logins in master, but this category of user does not have a login in master. The user must have access to the Database Engine through a Windows group login.

CREATE USER [Domain1\WindowsUserBarry]
FOR LOGIN Domain1\WindowsUserBarry;
 
CREATE USER [Domain1\WindowsGroupManagers]
FOR LOGIN [Domain1\WindowsGroupManagers];

4，Security  

Creating a user grants access to a database but does not automatically grant any access to the objects in a database. After creating a user, common actions are to add users to database roles which have permission to access database objects, or grant object permissions to the user.

参考文档：

https://msdn.microsoft.com/en-us/library/ms173463(v=sql.110).aspx