Argument Description
Example
CREATE LOGIN login20
WITH PASSWORD = '1234' MUST_CHANGE,
CHECK_EXPIRATION = ON;
To add the login to a server role
EXEC sp_addsrvrolemember @loginame = 'login20'
, @rolename = 'sysadmin';
To view all logins
SELECT *
FROM sys.sql_logins;
Permissions and privileges control the access to SQL Server data and database objects.
Privileges can be of two types:
- System privileges that allow users to create, alter, or drop database objects.
- Object privileges that allow users to execute, select, insert, update, or delete data
  on database objects to which the privileges were assigned.
Only database administrators or owners of database objects can provide or revoke
privileges.
The GRANT statement provides access and permissions on database objects to the user.
The basic syntax is as follows:
GRANT privileges
ON schema_name.object_name
TO {user_name | PUBLIC | role_name}
[WITH GRANT OPTION];
Argument Description
Example
USE STUDENTGRADE;
GO
GRANT SELECT, INSERT ON dbo.COURSE TO User20;
To see all principals in the STUDENTGRADE database
SELECT *
FROM STUDENTGRADE.sys.database_principals;
Guest user
The guest user exists to permit access to a database for logins that are not mapped to a
specific database user.
When the guest account is granted CONNECT permission, any login can connect to the
database. This opens a possible security hole. The default permissions for the guest
account are limited by design.
The guest user cannot be disabled in master and tempdb because every connection
needs it to use resources in those two databases.
By default, the guest account is disabled in each user database, and it cannot be
dropped.
Revoke the guest user permission to access the database if it is not required.
To revoke access from the guest account
-- Replace database_name with the name of the target database.
USE database_name;
GO
REVOKE CONNECT FROM guest;
GO
SA Account
The sa login, short for system administrator, is one of the riskiest server-level principals
in SQL Server.
It's automatically added as a member of the sysadmin fixed server role and, as such, has
all permissions on that instance and can perform any activity.
If Windows Authentication is selected during SQL Server installation, the database engine
assigns a random password to the account and automatically disables it.
If SQL Server Authentication is selected during installation, the account will be enabled.
If the login were compromised, the attacker could do unlimited damage.
The sa login cannot be dropped, but it can be disabled.
If the login is enabled, the administrator must provide a strong password and should
avoid using it for applications.
To check whether sa is disabled or not
USE master;
GO
SELECT principal_id, type_desc, is_disabled
FROM sys.server_principals
WHERE name = 'sa';
To disable sa
USE master;
GO
ALTER LOGIN sa DISABLE;
If the login is disabled, the is_disabled value will be 1, as shown in
To enable the sa login
USE master;
GO
ALTER LOGIN sa ENABLE;
To change the password
ALTER LOGIN sa
WITH PASSWORD = 'log@1234';
Note: Unless connecting to a system absolutely requires the sa login, it's best that the account
remains disabled.
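The checks described in these notes can be combined into one read-only audit script. This is an added example, not part of the original notes; it only queries catalog views and changes nothing. STUDENTGRADE is the sample database used above, and matching sa by its fixed SID (0x01) instead of by name is an addition so the check still works if the login has been renamed.

```sql
-- Added example: read-only audit of the settings discussed in these notes.

USE master;
GO

-- 1. State of the sa login. It always has SID 0x01, even if it was renamed.
--    is_disabled = 1 means the login is disabled.
SELECT name, principal_id, type_desc, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;

-- 2. Every login that holds the sysadmin fixed server role.
--    Each row is an account with full control of the instance.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r
    ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m
    ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 3. SQL Server logins created without password policy or expiration checks
--    (CHECK_POLICY = OFF or CHECK_EXPIRATION = OFF).
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR is_expiration_checked = 0
ORDER BY name;

-- 4. Guest access in a user database. A returned row means guest holds
--    CONNECT and any login can enter the database.
--    Repeat this query in each user database.
USE STUDENTGRADE;
GO
SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
    ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'guest'
  AND pe.permission_name = 'CONNECT'
  AND pe.state IN ('G', 'W');   -- G = GRANT, W = GRANT WITH GRANT OPTION
GO
```

An empty result from query 4 means guest cannot connect to that database; rows from query 2 other than the intended administrators are the ones to review first.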