syntax = "proto3";

package yandex.cloud.mdb.sqlserver.v1;

import "yandex/cloud/validation.proto";

option go_package = "github.com/yandex-cloud/go-genproto/yandex/cloud/mdb/sqlserver/v1;sqlserver";
option java_outer_classname = "PSU";
option java_package = "yandex.cloud.api.mdb.sqlserver.v1";

// An SQL Server user.
message User {
  // Name of the SQL Server user.
  string name = 1;

  // ID of the SQL Server cluster the user belongs to.
  string cluster_id = 2;

  // Set of permissions granted to the user.
  repeated Permission permissions = 3;
}

message Permission {
  enum Role {
    ROLE_UNSPECIFIED = 0;

    // Members of this fixed database role can perform all configuration and maintenance activities on the database, and can also drop the database in SQL Server.
    DB_OWNER = 1;

    // Members of this fixed database role can modify role membership for custom roles only and manage permissions. They can potentially elevate their privileges and their actions should be monitored.
    DB_SECURITYADMIN = 2;

    // Members of this fixed database role can add or remove access to the database for Windows logins, Windows groups, and SQL Server logins.
    DB_ACCESSADMIN = 3;

    // Members of this fixed database role can back up the database.
    DB_BACKUPOPERATOR = 4;

    // Members of this fixed database role can run any Data Definition Language (DDL) command in a database.
    DB_DDLADMIN = 5;

    // Members of this fixed database role can add, delete, or change data in all user tables.
    DB_DATAWRITER = 6;

    // Members of this fixed database role can read all data from all user tables.
    DB_DATAREADER = 7;
      
    // Members of this fixed database role cannot add, modify, or delete any data in the user tables within a database. Denial has a higher priority than a grant, so you can use this role to quickly restrict one's privileges without explicitly revoking permissions or roles.
    DB_DENYDATAWRITER = 8;

    // Members of this fixed database role cannot read any data in the user tables within a database. Denial has a higher priority than a grant, so you can use this role to quickly restrict one's privileges without explicitly revoking permissions or roles.
    DB_DENYDATAREADER = 9;
  }

  // Name of the database the permission grants access to.
  string database_name = 1;

  // Roles granted to the user within the database.
  repeated Role roles = 2 [(size) = ">=1"];
}

message UserSpec {
  // Name of the SQL Server user.
  string name = 1 [(required) = true, (length) = "<=32", (pattern) = "[a-zA-Z0-9_]*"];

  // Password of the SQL Server user.
  string password = 2 [(required) = true, (length) = "8-128"];

  // Set of permissions to grant to the user.
  repeated Permission permissions = 3;
}
