-- Create a new login at the server level
CREATE LOGIN mcp_user WITH PASSWORD = 'Your_Secure_Password';

-- Switch to your database
USE your_database;

-- Create a user inside the database linked to the login
CREATE USER mcp_user FOR LOGIN mcp_user;

-- Grant SELECT permission only
ALTER ROLE db_datareader ADD MEMBER mcp_user;

-- Grant read and write access, but prevent schema modifications
ALTER ROLE db_datareader ADD MEMBER mcp_user;
ALTER ROLE db_datawriter ADD MEMBER mcp_user;

-- Grant additional permission for temporary table creation
GRANT CREATE TABLE TO mcp_user;
GRANT CREATE PROCEDURE TO mcp_user;

GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.specific_table TO mcp_user;

-- Limit queries and updates per hour
ALTER LOGIN mcp_user 
WITH 
    CHECK_POLICY = ON, 
    CHECK_EXPIRATION = ON;

-- Set resource governor limits (if applicable)
EXEC sp_configure 'user connections', 100;

GRANT SELECT (public_column1, public_column2) 
ON dbo.sensitive_table TO mcp_user;

-- Enable audit logging (available in Enterprise Edition)
CREATE SERVER AUDIT MCP_Audit 
TO FILE ( FILEPATH = 'C:\SQL_Audit\' );

-- Attach to the database
CREATE DATABASE AUDIT SPECIFICATION MCP_DB_Audit
FOR SERVER AUDIT MCP_Audit
ADD (SELECT, INSERT, UPDATE, DELETE ON DATABASE::your_database BY mcp_user);

ALTER DATABASE AUDIT SPECIFICATION MCP_DB_Audit WITH (STATE = ON);

SELECT session_id, login_name, status, host_name, program_name
FROM sys.dm_exec_sessions
WHERE login_name = 'mcp_user';

EXEC sp_helprotect NULL, 'mcp_user';

SELECT session_id, start_time, status, command, text
FROM sys.dm_exec_requests r
JOIN sys.dm_exec_sessions s ON r.session_id = s.session_id
JOIN sys.dm_exec_sql_text(r.sql_handle) AS sql_text ON 1=1
WHERE login_name = 'mcp_user';