
Create a new Login (T-SQL)

To create a new login, use the CREATE LOGIN statement.


Windows Authentication
CREATE LOGIN login_name
FROM WINDOWS
[ WITH DEFAULT_DATABASE = database_name
| DEFAULT_LANGUAGE = language_name ];

Example
CREATE LOGIN Login1
FROM WINDOWS;

SQL Server Authentication
CREATE LOGIN login_name
WITH PASSWORD = 'password' [ MUST_CHANGE ]
[ , SID = sid_value
| DEFAULT_DATABASE = database_name
| DEFAULT_LANGUAGE = language_name
| CHECK_EXPIRATION = { ON | OFF }
| CHECK_POLICY = { ON | OFF } ];
The table below describes the arguments used in the CREATE LOGIN statements.

Argument          Description
login_name        Name of the login connected to the server.
database_name     Name of the default database to which the login will be assigned.
language_name     Default language for the login you create.
password          Password for the login you create.
MUST_CHANGE       Prompts the user to change the password on the next connection.
sid_value         Value used to recreate a login. It can be used only for logins with SQL Server authentication. If sid_value is not set, SQL Server will assign a new SID.
CHECK_EXPIRATION  Defines whether the password expiration policy is applied. It should be set to ON if you use the MUST_CHANGE option.
CHECK_POLICY      When set to ON, the Windows password policy of the computer on which SQL Server is running is applied to the login as well.

Example
CREATE LOGIN login20
WITH PASSWORD = '1234' MUST_CHANGE,
CHECK_EXPIRATION = ON;

To add the login to a server role
EXEC sp_addsrvrolemember @loginame = 'login20', @rolename = 'sysadmin';

To view all SQL Server authentication logins
SELECT *
FROM sys.sql_logins;
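The sys.sql_logins query above lists every SQL Server authentication login; the following audit query is an added example (not part of the handout) that narrows it to the logins worth reviewing: those created with CHECK_POLICY = OFF or CHECK_EXPIRATION = OFF, and members of sysadmin (the role sp_addsrvrolemember granted above). The remediation column is a suggested ALTER LOGIN to review, not to run blindly.

```sql
-- Added example (not from the handout): audit SQL Server authentication logins.
-- Run in master as a member of sysadmin; it only reads catalog views.
USE master;
GO
SELECT
    sl.name,
    sl.is_disabled,
    sl.is_policy_checked,                           -- 0 means CHECK_POLICY = OFF
    sl.is_expiration_checked,                       -- 0 means CHECK_EXPIRATION = OFF
    IS_SRVROLEMEMBER(N'sysadmin', sl.name) AS is_sysadmin,
    -- Suggested fix for the policy flags. Review before running: service accounts
    -- are sometimes deliberately exempted from password expiration.
    CASE WHEN sl.is_policy_checked = 0 OR sl.is_expiration_checked = 0
         THEN N'ALTER LOGIN ' + QUOTENAME(sl.name)
              + N' WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;'
    END AS remediation
FROM sys.sql_logins AS sl
WHERE sl.is_policy_checked = 0
   OR sl.is_expiration_checked = 0
   OR IS_SRVROLEMEMBER(N'sysadmin', sl.name) = 1
ORDER BY is_sysadmin DESC, sl.name;
```

A login that appears with is_sysadmin = 1 and is_policy_checked = 0 is the combination to fix first: full server control protected by a password that was never checked against the Windows policy.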

Create a new user (T-SQL)


The basic syntax to create a new user mapped to a login is:
CREATE USER <username> FOR LOGIN <login_name>;
Example
CREATE USER User20 FOR LOGIN login20;
Assigning Permissions and Privileges
Grant permissions using T-SQL

- Permissions and privileges control access to SQL Server data and database objects. Privileges can be of two types:
  - System privileges, which allow users to create, alter or drop database objects.
  - Object privileges, which allow users to execute, select, insert, update, or delete data on the database objects to which the privileges were assigned.
- Only database administrators or owners of database objects can grant or revoke privileges.
- The GRANT statement provides access and permissions on database objects to a user. The basic syntax is as follows:
GRANT privileges
ON database_name.object
TO { user_name | PUBLIC | role_name }
[ WITH GRANT OPTION ];

Argument           Description
privileges         Permissions you want to grant. They include SELECT, INSERT, UPDATE, DELETE, REFERENCES, ALTER, or ALL.
database_name      Name of the database to which the database object belongs.
object             Database object on which the specified privileges will be assigned.
user_name          Name of the user to whom the privileges will be granted.
PUBLIC             Used to grant permissions to all users.
role_name          Set of privileges grouped in one category.
WITH GRANT OPTION  Specifies that the security principal receiving the permission is given the ability to grant the specified permission to other security accounts.

Example
USE STUDENTGRADE;
GO
GRANT SELECT, INSERT ON dbo.COURSE TO User20;

To see all principals in the STUDENTGRADE database
SELECT *
FROM STUDENTGRADE.sys.database_principals;
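The CREATE LOGIN, CREATE USER and GRANT steps above combined into one least-privilege provisioning script, as an added example that is not part of the handout. It assumes the STUDENTGRADE database and dbo.COURSE table from the GRANT example exist; the login, user and role names and the password placeholder are constructed, and permissions go to a database role rather than straight to the user so they can be reviewed and revoked in one place.

```sql
-- Added example (not from the handout): provision a read-only reporting account.
-- Assumed to exist: database STUDENTGRADE with table dbo.COURSE (from the GRANT example).
-- Constructed names: report_login, report_user, course_reader; replace the password placeholder.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'report_login')
    CREATE LOGIN report_login
    WITH PASSWORD = '<Replace-With-Strong-Password-1!>' MUST_CHANGE,
         DEFAULT_DATABASE = STUDENTGRADE,
         CHECK_EXPIRATION = ON,   -- required when MUST_CHANGE is used
         CHECK_POLICY = ON;       -- enforce the Windows password policy of the host
GO
USE STUDENTGRADE;
GO
-- Map the login to a database user, then grant through a role instead of directly.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'report_user')
    CREATE USER report_user FOR LOGIN report_login;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'course_reader' AND type = 'R')
    CREATE ROLE course_reader;
GRANT SELECT ON dbo.COURSE TO course_reader;   -- one object, read only, no GRANT OPTION
ALTER ROLE course_reader ADD MEMBER report_user;
GO
-- Verify what the user and its role actually hold, and surface anything in this
-- database that was granted WITH GRANT OPTION (grantees that can re-grant it).
SELECT dp.name AS grantee,
       dp.type_desc,
       pe.permission_name,
       pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS dp ON dp.principal_id = pe.grantee_principal_id
WHERE pe.class_desc = N'OBJECT_OR_COLUMN'
  AND (dp.name IN (N'report_user', N'course_reader')
       OR pe.state_desc = N'GRANT_WITH_GRANT_OPTION')
ORDER BY dp.name, object_name, pe.permission_name;
```

Because the grant sits on the role, adding a second reporting user is one ALTER ROLE ... ADD MEMBER, and removing access is one DROP MEMBER, with no per-user GRANT statements to track down.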

Guest user
- The guest user exists to permit access to a database for logins that are not mapped to a specific database user.
- When the guest account is granted CONNECT permission, any login can connect to the database. This opens a possible security hole. The default permissions for the guest account are limited by design.
- The guest user cannot be disabled for master and tempdb, because a connection requires guest access to be able to use resources in those two databases.
- By default the guest account is disabled in each user database, and the guest account cannot be dropped.
- Revoke the guest user's permission to access the database if it is not required.

To cancel access for the guest account
USE <database_name>;
REVOKE CONNECT FROM guest;
GO

To give access to the guest account
USE <database_name>;
GRANT CONNECT TO guest;
GO
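The REVOKE CONNECT statement above acts on one database at a time; the following script, an added example that is not part of the handout, checks every online user database for a guest CONNECT grant and reports it, revoking only when @dry_run is switched to 0. It skips master and tempdb for the reason given above, and also skips msdb, which is an assumption on our part because some SQL Server features rely on guest access to msdb.

```sql
-- Added example (not from the handout): find (and optionally revoke) guest CONNECT
-- in all online user databases. Requires permission to read each database's catalog
-- and, when @dry_run = 0, to REVOKE in it.
SET NOCOUNT ON;
DECLARE @dry_run bit = 1;            -- 1 = report only; 0 = actually revoke
DECLARE @db sysname, @has_connect int, @sql nvarchar(max);

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE state_desc = N'ONLINE'
      AND name NOT IN (N'master', N'tempdb', N'msdb');   -- msdb skip is an assumption

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Ask the target database whether guest currently holds a granted CONNECT permission.
    -- USE inside sp_executesql changes context only for that dynamic batch.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        SELECT @has = COUNT(*)
        FROM sys.database_permissions AS p
        JOIN sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
        WHERE dp.name = N''guest''
          AND p.permission_name = N''CONNECT''
          AND p.state IN (''G'', ''W'');';   -- GRANT, or GRANT WITH GRANT OPTION
    EXEC sys.sp_executesql @sql, N'@has int OUTPUT', @has = @has_connect OUTPUT;

    IF @has_connect > 0
    BEGIN
        PRINT N'guest has CONNECT in ' + QUOTENAME(@db)
            + CASE WHEN @dry_run = 1 THEN N' (dry run, not revoked)' ELSE N' - revoking' END;
        IF @dry_run = 0
        BEGIN
            SET @sql = N'USE ' + QUOTENAME(@db) + N'; REVOKE CONNECT FROM guest;';
            EXEC sys.sp_executesql @sql;
        END
    END
    FETCH NEXT FROM db_cursor INTO @db;
END
CLOSE db_cursor;
DEALLOCATE db_cursor;
```

Run it first with @dry_run = 1 and compare the printed databases against the ones that genuinely need unmapped logins before switching it to 0.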

SA Account
- The sa login, short for system administrator, is one of the riskiest server-level principals in SQL Server.
- It is automatically added as a member of the sysadmin fixed server role and, as such, has all permissions on that instance and can perform any activity.
- If Windows Authentication is selected while installing SQL Server, the database engine assigns a random password to the account and automatically disables it.
- If SQL Server Authentication is selected during installation, the account will be enabled.
- If the login were compromised, the attacker could do unlimited damage.
- The sa login cannot be dropped, but it can be disabled.
- If the login is enabled, the administrator must provide a strong password and should avoid using it for applications.
To check whether sa is disabled
USE master;
GO
SELECT principal_id, type_desc, is_disabled
FROM sys.server_principals
WHERE name = 'sa';

To disable sa
USE master;
GO
ALTER LOGIN sa DISABLE;

If the login is disabled, the is_disabled value will be 1, as shown in 

To enable the sa login
USE master;
GO
ALTER LOGIN sa ENABLE;

To change the password
ALTER LOGIN sa
WITH PASSWORD = 'log@1234';

Note: Unless connecting to a system absolutely requires the sa login, it is best that the account remains disabled.
