Scribd Logo
Upload

Welcome to Scribd!

  • Assign Server and Database Roles in SQL Server

    Uploaded by

    Phil
    26 views25 pages

    Original Title

    20764C_02-1.pdf

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    26 views25 pages

    Assign Server and Database Roles in SQL Server

    Uploaded by

    Phil

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 25

    Module 2

    Assigning Server and Database


    Roles
    Module Overview

    • Working with Server Roles


    • Working with Fixed Database Roles
    • User-Defined Database Roles
    Lesson 1: Working with Server Roles

    • Server-Scoped Permissions
    • Typical Server-Scoped Permissions
    • Overview of Fixed Server Roles
    • public Server Role
    • Working with User-Defined Server Roles
    • Demonstration: Assigning Fixed and User-Defined
    Server Roles
    Server-Scoped Permissions

    • Control access to server resources


    • Organized as a hierarchy
    • CONTROL SERVER at the top of the hierarchy
    • Granting a permission to a server principal implicitly
    grants its child permissions
    • Can only be granted to server principals (not to
    database principals)
    Typical Server-Scoped Permissions

    • CONTROL SERVER (top of hierarchy)


    • ADMINISTER BULK OPERATIONS
    • ALTER ANY DATABASE
    • CREATE ANY DATABASE (implicitly granted with above)
    • ALTER ANY LINKED SERVER
    • ALTER ANY LOGIN (includes linked servers logins)
    • ALTER SERVER STATE
    • VIEW SERVER STATE (implicitly granted with above)
    • ALTER SETTINGS
    • Displays or changes global configuration settings
    • ALTER TRACE : Functionality will be deprecated in a 2019.
    Overview of Fixed Server Roles

    • sysadmin (basically, GOD on the server)


    • serveradmin (configure server settings)
    • securityadmin (manage logins)
    • processadmin (terminate sessions)
    • setupadmin (manage linked servers)
    • bulkadmin (execute BULK INSERT statements)
    • diskadmin (manage disk files)
    • dbcreator (manage and create databases)
    • public
    • Every user is a member of public; this can’t be changed
    public Server Role

    • All logins are members of public; the public role


    defines default permissions granted to all logins
    • By default, public has the permissions:
    • CONNECT
    • VIEW ANY DATABASE

    • Controlling access to server-level securables by


    granting permissions to public is not best
    practice
    Working with User-Defined Server Roles

    • Managing User-Defined Roles


    • CREATE SERVER ROLE
    • DROP SERVER ROLE

    • Managing Permissions
    • GRANT, DENY and REVOKE

    • Managing Membership
    • ALTER SERVER ROLE
    • By default, members of user-defined server roles
    cannot make other principals members of the role
    Demonstration: Assigning Fixed and User-
    Defined Server Roles

    In this demonstration, you will see how to work


    with:
    • Server-scoped permissions
    • Fixed server roles
    • User-defined server roles
    Lesson 2: Working with Fixed Database Roles

    • Database-Scoped Permissions
    • Overview of Fixed Database Roles
    • Assigning Database Principals to Database Roles
    • Database Owner
    • Demonstration: Managing Database Roles and
    Users
    Database-Scoped Permissions

    • Control access to database resources


    • Organized as a hierarchy
    • CONTROL at the top of the hierarchy
    • CREATE DATABASE is independent of the hierarchy
    • Granting a permission to a database principal implicitly
    grants it child permissions
    • Can only be explicitly granted to database
    principals
    • Some server permissions implicitly grant
    database permissions
    Overview of Fixed Database Roles

    • Fixed roles common to all databases:


    db_owner db_datawriter
    db_securityadmin db_datareader
    db_accessadmin db_denydatawriter
    db_backupoperator db_denydatareader
    db_ddladmin public

    • msdb has additional fixed roles for SSIS, Data Collection,


    Mirroring, Policy-Based Management and server groups
    • In Azure SQL Database, master includes the
    loginmanager and dbmanager fixed roles
    Assigning Database Principals to Database Roles

    • Add and remove members from a role using the


    ALTER ROLE statement
    • A role member may be a user or a user-defined
    role
    • Fixed database roles cannot be members of
    other roles
    • Membership of database roles can only be
    assigned to database principals. Server principals
    cannot be assigned membership of database
    roles
    Database Owner

    • dbo
    • The login that owns a database
    • Default schema dbo

    • db_owner
    • Fixed database role with administrative permissions for
    a database
    • dbo is a member of db_owner
    Lesson 3: User-Defined Database Roles

    • Working with User-Defined Database Roles


    • Applying Roles in Common Scenarios
    • Demonstration: User-Defined Database Roles
    • Defining Application Roles
    • Demonstration: Application Roles
    Working with User-Defined Database Roles

    • Managing User-Defined Roles


    • CREATE ROLE (Umm… creates roles…)
    • DROP ROLE (Deletes roles)

    • Managing Permissions
    • GRANT, DENY and REVOKE

    • Managing Membership
    • ALTER ROLE
    Applying Roles in Common Scenarios

    • Controlling access to database objects


    • Object level (Like allow a user to only run SELECT
    statements)
    • Schema level (Like user.table)
    • Database level (Or, the entire database)
    Demonstration: User-Defined Database Roles

    • In this demonstration, you will see how to work


    with user-defined database roles
    Defining Application Roles

    • Security context of the user is replaced by the


    application role
    • Allows a set of permissions to be associated with an
    application, rather than a user
    • Creating Application Roles
    • Use CREATE APPLICATION ROLE
    • Password must meet Windows password policy

    • Using Application Roles


    • Use sp_setapprole
    • Use a secure network connection to avoid leaking the
    application role password
    Application Role Scenario

    • A user uses an application that has the ability to


    make changes to a database
    • You can create an application role that gives the
    application appropriate access to the database
    • The user would be able to view the information
    contained in the database, but not have access (using
    their user account directly) to make changes to the
    database
    Lab: Assigning Server and Database Roles

    • Exercise 1: Assigning Server Roles


    • Exercise 2: Assigning Fixed Database Roles
    • Exercise 3: Assigning User-Defined Database Roles
    • Exercise 4: Verifying Security

    Logon Information
    Virtual machine: 20764C-MIA-SQL
    User name: ADVENTUREWORKS\Student
    Password: Pa55w.rd

    Estimated Time: 60 minutes


    Lab Scenario

    Adventure Works Cycles is a global manufacturer,


    wholesaler, and retailer of cycle products.
    Following an internal security audit, the company
    aims to simplify the administration of database
    security by making security controls more
    consistent. You are a database administrator for
    Adventure Works, tasked with implementing the
    new security controls through server-level and
    database-level roles.
    Lab Review

    • Your organization wants to track data access by


    individual Windows users. Does this mean you
    cannot base logins on Windows groups?
    Module Review and Takeaways

    • Best Practice

    You might also like