-- Create a new login at the server level CREATE LOGIN mcp_user WITH PASSWORD = 'Your_Secure_Password'; -- Switch to your database USE your_database; -- Create a user inside the database linked to the login CREATE USER mcp_user FOR LOGIN mcp_user;

-- Grant SELECT permission only ALTER ROLE db_datareader ADD MEMBER mcp_user;

-- Grant read and write access, but prevent schema modifications ALTER ROLE db_datareader ADD MEMBER mcp_user; ALTER ROLE db_datawriter ADD MEMBER mcp_user;

-- Grant additional permission for temporary table creation GRANT CREATE TABLE TO mcp_user; GRANT CREATE PROCEDURE TO mcp_user;

GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.specific_table TO mcp_user;

-- Limit queries and updates per hour ALTER LOGIN mcp_user WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON; -- Set resource governor limits (if applicable) EXEC sp_configure 'user connections', 100;

GRANT SELECT (public_column1, public_column2) ON dbo.sensitive_table TO mcp_user;

-- Enable audit logging (available in Enterprise Edition) CREATE SERVER AUDIT MCP_Audit TO FILE ( FILEPATH = 'C:\SQL_Audit\' );  -- Attach to the database CREATE DATABASE AUDIT SPECIFICATION MCP_DB_Audit FOR SERVER AUDIT MCP_Audit ADD (SELECT, INSERT, UPDATE, DELETE ON DATABASE::your_database BY mcp_user);  ALTER DATABASE AUDIT SPECIFICATION MCP_DB_Audit WITH (STATE = ON);

SELECT session_id, login_name, status, host_name, program_name FROM sys.dm_exec_sessions WHERE login_name = 'mcp_user';

EXEC sp_helprotect NULL, 'mcp_user';

SELECT session_id, start_time, status, command, text FROM sys.dm_exec_requests r JOIN sys.dm_exec_sessions s ON r.session_id = s.session_id JOIN sys.dm_exec_sql_text(r.sql_handle) AS sql_text ON 1=1 WHERE login_name = 'mcp_user';