Set up Microsoft SQL Server

Setting up Microsoft SQL Server authentication enables Atlan to securely connect to your database and extract metadata. This process configures the necessary credentials and permissions for Atlan to discover and catalog your SQL Server assets.

Prerequisites

Before you begin, make sure you have:

• Administrative access to your Microsoft SQL Server instance or contact with your SQL Server administrator
• Access to Microsoft Entra ID with Application Administrator or Cloud Application Administrator permissions (required for service principal authentication only)

Set up authentication

Atlan supports two authentication methods for fetching metadata from Microsoft SQL Server. Choose the method that best fits your organization's security requirements:

Basic authentication

Use SQL Server native authentication with username and password credentials.

1. Create a login with a specific password to integrate into Atlan:

   CREATE LOGIN <login_name> WITH PASSWORD = '<password>';

   • Replace <login_name> with the name of the login.
   • Replace <password> with the password for the login.

2. Create a user for that login:

   CREATE USER <username> FOR LOGIN <login_name>;

   • Replace <username> with the username to use when integrating Atlan.
   • Replace <login_name> with the name of the login used in the previous step.

3. Grant permissions for crawling assets and mining view lineage** (minimum required permissions):

   GRANT VIEW DEFINITION ON DATABASE::<database_name> TO <username>;

   • Replace <database_name> with the name of the database.
   • Replace <username> with the username you created.

4. Grant additional permissions to preview and query assets:

   GRANT SELECT ON DATABASE::<database_name> TO <username>;

   • Replace <database_name> with the name of the database.
   • Replace <username> with the username you created.

warning

You must grant permissions to the user for all the databases you want to crawl in Atlan except the system databases (master, tempdb, msdb, model). The Microsoft SQL Server crawler only fetches database and schema names without these permissions and no other metadata for other asset types.

Service principal

Use Microsoft Entra ID (Azure AD) service principal authentication for enhanced security and centralized identity management.

1. You need to register your service principal application with Microsoft Entra ID and note the values of the client ID and client secret:

   1. Log in to the Azure portal.
   2. In the search bar, search for Microsoft Entra ID, and select it from the dropdown list.
   3. From the left menu of the Microsoft Entra ID page, click App registrations.
   4. From the toolbar on the App registrations page, click + New registration.
   5. On the Register an application page, for Name, enter a name for your service principal application and then click Register.
   6. On the homepage of your newly created application, from the Overview screen, copy the value for the following field and store it in a secure location:
      • Application (client) ID
   7. From the left menu of your newly created application page, click Certificates & secrets.
   8. On the Certificates & secrets page, under Client secrets, click + New client secret.
   9. In the Add a client secret screen, enter the following details:
      1. For Description, enter a description for your client secret.
      2. For Expiry, select when the client secret expires.
      3. Click Add.
   10. On the Certificates & secrets page, under Client secrets, for the newly created client secret, click the clipboard icon to copy the Value and store it in a secure location.

2. Create the login at the server level:

   CREATE LOGIN <login_name> FROM EXTERNAL PROVIDER;

   • Replace <login_name> with the display name of your Microsoft Entra application (service principal). This makes SQL Server recognize that Entra principal as a valid login.

3. Grant permissions for each database you want to crawl, create a user mapped to the login and grant permissions:

   • For crawling assets and mining view lineage:

     CREATE USER <username> FOR LOGIN <login_name>;
     GRANT VIEW DEFINITION ON DATABASE::<database_name> TO <username>;

     • <username> can be the same as <login_name> (simpler) or different if you prefer. SQL Server separates server-level logins from database-level users.
     • Replace <database_name> with the name of the database.

   • Grant additional permissions to preview and query assets:

     GRANT SELECT ON DATABASE::<database_name> TO <username>;

     • Replace <database_name> with the name of the database.
     • Replace <username> with the username you created.
     warning

     You must grant permissions to the user for all the databases you want to crawl in Atlan except the system databases (master, tempdb, msdb, model). The Microsoft SQL Server crawler only fetches database and schema names without these permissions and no other metadata for other asset types.

Next steps

Once you have configured authentication and permissions:

• Crawl Microsoft SQL Server assets - Set up and run the crawler to extract metadata from your database into Atlan.