
Data Base Administration - Security

Prepared
Client Server Architecture
• The client-server model is just one way for computers to communicate via the web
• The client-server model is based on a centralized structure
• Another way to communicate is via a decentralized structure
• It requires client and server programs and devices
• Clients send requests and servers respond to those requests
• A client is a machine, a program, or an appliance used to make requests through the web


Server and Client
• A server is a computer program, not merely a device
• High-performance computers are called servers because they run server programs
• Servers provide functionality and serve other programs, called clients
• A single server can serve multiple clients at the same time
• Multiple servers can run on one single machine
• A server is always listening for requests and, as soon as it receives one, responds with a message
• Types of servers include file server, web server, e-mail server, and database server, e.g. SQL Server
A
• Servers need to be running 24/7 because they are vital to their organizations
• They need to be built on robust hardware that runs non-stop with little downtime
• A desktop would use a processor such as an Intel Core i7
• A server processor, e.g. Intel Xeon, is designed to handle concurrent processes; it is fast and able to handle a lot of tasks precisely
• Supports multiple processes simultaneously
• Supports error-correcting code (ECC) RAM to correct errors
• Can also support large amounts of RAM and cache
• A server also has hot-swappable hard drives in a RAID configuration
• RAID copies data onto multiple disks
• Hard drives normally do not catch fire,
• Servers should also have redundant power supplies
• Servers need to use a server operating system
• Server operating systems are robust and stable
• They are able to handle thousands of concurrent connections
Database Security
• A mechanism for protecting database access, modification and deletion from unauthorized users
• What are the different security techniques we should use?
• 1. Windows authentication
• A mechanism by which we can create a user account in the Windows environment and give privileges to the user
• SQL Server security
• A mechanism by which we can create a user in SQL Server and give


Database Security
• Database security is a mechanism for protecting database access, modification and deletion from unauthorized users
• What are the different security techniques we should use?
1. Physical security
2. Logical security
Logical Level Security
• Authentication is validating the identity of authorized users
• Authorization is the process of authorizing users to access database objects
• Authentication modes: Windows level and server level - Campus
• Users and logins
• Logins relate to the server
• Users relate to a database
Types of Logical Security
1. Windows level
2. Server level
3. Database level
4. File level

• Windows: a mechanism by which we can create a user account in the Windows environment and give privileges to the user
• SQL Server security: a mechanism by which we can create a user in SQL Server and give privileges to the user
• Database:-
• File:-
Windows level Access to SQL server
• Giving Windows level access requires you to have a user account on your PC
• If Credential Manager is on in your account, you can also add a Windows credential


Windows level Access to SQL server
• Click on Security
• Right-click and choose New Login
• Select Windows
• Click Search to specify the Windows user
• Type the user name and check it
• Click OK
• Or
• Click Advanced to see the list of Windows users
• Select one and click OK
To Access as different windows user
• Click the Start button
• Right-click on Management Studio
• Click on file location
• Shift + right mouse click
• Click Run as a different user
• Type the username and password
Create Windows Account
• Go to Control Panel
• User Accounts
• Add user
• Do not use a Microsoft account
• Type the user name and password
• Specify all security questions
To set credential user
• Click on Control Panel
• Click User Accounts
• Click on Windows Credentials
• Add a Windows credential
• Type the server name that you want to access
• Type the username and password
Providing Server Level Access
• Click on Security
• Right-click
• New Login
• Select server authentication
• Type the login name
• Type the password
• Uncheck the password policy option for the class, although keeping it enabled is recommended
Providing Server Level Access using SQL command
• USE databasename
• CREATE LOGIN loginname WITH PASSWORD = 'password'

• To delete a login
• USE databasename
• DROP LOGIN loginname

1. USE master
• CREATE LOGIN melesech WITH PASSWORD = 'melesech'

2. USE master
• DROP LOGIN melesech

3. USE abebe
• CREATE LOGIN melesech1 WITH PASSWORD = 'melesech'
You can use T-SQL's CREATE USER command to add a user to a SQL Server database. The CREATE USER command takes the following syntax:
• CREATE USER <user-name> FOR LOGIN <login-name>
SQL server database role membership
• db_owner. Allowed to perform all configuration and maintenance activities on the database and can also drop the database.
• db_securityadmin. Allowed to modify role membership and manage permissions. Adding principals to this role could enable unintended privilege escalation.
• db_accessadmin. Allowed to add or remove access to the database for Windows logins, Windows groups, and SQL Server logins.
• db_backupoperator. Allowed to back up the database.
• db_ddladmin. Allowed to run any Data Definition Language (DDL) command in a database.
• db_datawriter. Allowed to add, delete, or change data in all user tables.
• db_datareader. Allowed to read all data from all user tables.
• db_denydatawriter. Cannot add, modify, or delete any data in the user tables within a database.
• db_denydatareader. Cannot read any data in the user tables within a database.
Access as server level
• Click Management Studio
• Select the server type
• Select server level authentication
• Type the user name and password
• Click OK

• To remove login names
• Go to the specified server
• Click on Security, then Logins
• Find the login name and delete it
If unable to access with server level access
• Right-click on the server and open Properties
• Select Security
• Check SQL Server and Windows authentication
• Click OK
• Go to the command line, type services and open the dialog box
• Find the SQL Server service and restart the service
• Then connect to the database
Server role
• Server roles are specified by level; the highest level is the sys level
• The lowest level is the public level, which cannot create a database
• At that level you can enter the server but cannot access any database, as you haven't set permissions at the database level
Fixed Server role
• bulkadmin: copies data in bulk
• dbcreator: creates databases
• processadmin: manages system processes
• public: lowest access, read only
• securityadmin: usernames and passwords
• serveradmin: configures settings
• setupadmin: installs replication and manages extended procedures
• sysadmin: has the highest level of access
• diskadmin: manages disk files, limits disk growth
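Added example (not from the original slides): a T-SQL audit of who holds the fixed server roles above and the high-privilege database roles listed earlier. It assumes the slides' database abebe and an account allowed to read the catalog views.

```sql
-- Added example: membership audit for fixed server and database roles.

-- Server level: every login that is a member of a fixed server role.
-- (public is implicit for all logins and is not listed here.)
SELECT r.name      AS server_role,
       m.name      AS member_login,
       m.type_desc AS member_type,
       m.is_disabled
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = srm.member_principal_id
ORDER BY CASE r.name WHEN N'sysadmin' THEN 0
                     WHEN N'securityadmin' THEN 1
                     ELSE 2 END,
         r.name, m.name;

-- Database level: members of the roles that can change permissions,
-- access or schema. Run once per database; abebe is the slides' database.
USE abebe;

SELECT r.name      AS database_role,
       m.name      AS member_user,
       m.type_desc AS member_type,
       sp.name     AS mapped_login      -- NULL means no matching login
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
LEFT JOIN sys.server_principals AS sp ON sp.sid = m.sid
WHERE r.name IN (N'db_owner', N'db_securityadmin',
                 N'db_accessadmin', N'db_ddladmin')
ORDER BY r.name, m.name;
```

Rows under sysadmin, securityadmin and db_securityadmin deserve the closest review, since those members can grant themselves or others further rights.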
Defining Server Level Role
• Click on Logins
• You can specify the login name
• Right-click and select Properties
• Click Server Roles
• Select roles, such as db creator, sys roles, disk admin
• Click server
• Click New Server Role and type financial
To modify the existing privileges
• Select the server
• Click on Security
• Click on Logins
• Select the name and
• Click Server Roles and specify or change the existing status, i.e. from sysadmin to public


Windows vs server level access
• Windows level access is important: if you want to revoke access, you can simply remove the user from Windows Active Directory, and he cannot use server level access whether he knows it or not, as the protection is applied at the Windows level
• From Active Directory
• Delete the user
Database Level Access
• Go to the database, go to Security and right-click
• Select New User and type the username
• Specify the login name by finding it among the existing login names
• Click the three dots
• Type the name and check it, or browse and select the login
• Type user
• Now you have access at the database level but cannot see the file level access


Database Level Access
• Click on User Mapping
• Specify the database name
• Select the type of role; database owner is the highest level
• DB data reader is read only
• Grant these roles
• Deny to revoke access
To give database level
• Go to the database
• Select Security and right-click
• New user

• USE abebe
• CREATE LOGIN melesech1 WITH PASSWORD = 'melesech'
• CREATE USER melesech1 FOR LOGIN melesech1
• To alter role
• USE abebe
• ALTER ROLE [db_owner] ADD MEMBER melesech1
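Added example (not from the original slides): the same login, user and role steps with the password policy left on and a read-only role instead of db_owner, followed by a check from the user's own security context. The name report_reader and the password are constructed placeholders; abebe is the database used above.

```sql
-- Added example: least-privilege provisioning for a SQL Server login.
-- report_reader and the password below are constructed placeholders;
-- replace the password before use and keep it out of saved scripts.

USE master;

CREATE LOGIN report_reader
    WITH PASSWORD = N'Ex4mple-Only-Chang3-Me!',
         CHECK_POLICY = ON,          -- apply the Windows password policy
         CHECK_EXPIRATION = ON,      -- password expires per that policy
         DEFAULT_DATABASE = abebe;

USE abebe;

-- Map the server-level login to a database-level user.
CREATE USER report_reader FOR LOGIN report_reader;

-- Grant only what the account needs: read access, not db_owner.
ALTER ROLE db_datareader ADD MEMBER report_reader;

-- Verify the result while impersonating the new user.
EXECUTE AS USER = N'report_reader';

SELECT USER_NAME()                      AS running_as,
       IS_ROLEMEMBER(N'db_datareader')  AS is_datareader,
       IS_ROLEMEMBER(N'db_owner')       AS is_owner,
       HAS_PERMS_BY_NAME(DB_NAME(), N'DATABASE', N'CREATE TABLE')
                                        AS can_create_table;

REVERT;  -- return to the administrator's context

-- Confirm the policy flags were stored on the login.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE name = N'report_reader';
```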
Fixed Database Role
• db_owner: all activities
• accessadmin: add or remove users
• datareader: see data in the database
• datawriter: add, modify, delete data in tables
• ddladmin: all DDL operations
• securityadmin: security permissions
• backupoperator: back up the database
• denydatareader: cannot see any data in the database
• denydatawriter: cannot change any data
Database Level
• General: to see the user name and specify the default schema
• Owned Schemas: to give/deny grants to schemas owned by the user
• Membership: to specify database role membership
• Securables: to give/deny grants to the database objects
• Status: to give or grant permission to connect to the database engine
User Mapping
• User Mapping relates to database level access
• Specify the database
• Specify the role in that specific database
• The highest level at the database level is database owner
• Status: Grant or Deny
• Login: enabled or disabled
To provide File level access
• Go to the database, then Security, then Users
• Find the user and double-click
• Click Securables and then Search
• Select either specific objects or all
• OK
• Click Search and select the object type, i.e. table
• Click Browse and select the name
• Click OK and click OK again
To provide data file
• Go to the specified database
• Click Security, then Users
• Find the user and double-click
• Click Securables, find the object and select the table
• Check the grant or deny permission for the table
• Click OK
• Check the grant or deny permission for the table
• Specify columns
• Click OK
To revoke
• Security
• Click on the username
• Right-click and open Properties
• Status: Deny
• Login: Disable
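Added example (not from the original slides): T-SQL equivalents of the table and column grant/deny steps and of the revoke steps above. It assumes the exercise's registrar3 database, student table (name, age) and newuser3 login already exist, and that the database user is also named newuser3.

```sql
-- Added example: column-level permissions, then revoking access.
-- Names come from the exercise on this page; the dbo schema and the
-- database user name newuser3 are assumptions.

USE registrar3;

-- Allow reading one column and explicitly block the other.
GRANT SELECT ON OBJECT::dbo.student (name) TO newuser3;
DENY  SELECT ON OBJECT::dbo.student (age)  TO newuser3;

-- What is recorded for this user on tables and columns.
SELECT pr.name                            AS grantee,
       pe.state_desc,                     -- GRANT or DENY
       pe.permission_name,
       OBJECT_NAME(pe.major_id)           AS object_name,
       COL_NAME(pe.major_id, pe.minor_id) AS column_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                        -- object or column
  AND pr.name = N'newuser3';

-- Effective access, checked from the user's own context.
EXECUTE AS USER = N'newuser3';
SELECT HAS_PERMS_BY_NAME(N'dbo.student', N'OBJECT', N'SELECT',
                         N'name', N'COLUMN') AS can_read_name,
       HAS_PERMS_BY_NAME(N'dbo.student', N'OBJECT', N'SELECT',
                         N'age', N'COLUMN')  AS can_read_age;
REVERT;

-- Revoke: the Status page settings (Deny, Disabled) as statements.
USE master;
DENY CONNECT SQL TO newuser3;
ALTER LOGIN newuser3 DISABLE;

-- Disabling a login does not end sessions that are already open,
-- so list any that remain and close them separately.
SELECT session_id, login_name, host_name, login_time
FROM sys.dm_exec_sessions
WHERE login_name = N'newuser3';
```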
Exercise
• Create a login by the name newuser33 and password3 using Windows authentication mode
• Create a login by the name newuser3 and pass3 using server authentication mode
• Create a database called registrar3
• Create a table called student with name and age
• Create a table called course with dept, coursename
