RSS RSS feed
November 21, 2009
Hot Topics:

Microsoft SQL Server's Security Model

Permissions

A permission allows someone to do something within a database. There are two types of permissions: object and statement. Object permissions control who can access and manipulate data in tables and views and who can run stored procedures. Statement permissions control who can drop and create objects within a database.

SQL Server uses the commands GRANT, REVOKE, and DENY to manage permissions.

GRANT - When you GRANT a permission to an object, you allow someone to perform an action against the object (for example, SELECT, UPDATE, INSERT, DELETE, or EXECUTE). When you GRANT permission to a statement, you allow someone to run the statement (for example, CREATE TABLE).

REVOKE - When you REVOKE a permission from an object, you prevent someone from performing an action against the object (for example, SELECT, UPDATE, INSERT, DELETE, or EXECUTE). When you REVOKE permission from a statement, you take away a user's ability to run the statement (for example, CREATE TABLE).

DENY - When you DENY a permission from an object, you explicitly prevent someone from using the permission (for example, SELECT, UPDATE, INSERT, DELETE, or EXECUTE), whereas REVOKE actually removes the permission.

Object Permissions

Object permissions control access to objects within SQL Server. You can grant and revoke permissions to tables, table columns, views, and stored procedures through the Enterprise Manager or through system procedures. A user who wants to perform an action against an object must have the appropriate permission. For example, when a user wants to SELECT * FROM table1, she must have SELECT permission for the table. Table 1 summarizes the types of object permissions.

Table 1 - Summary of Object Permissions

Object Type Possible Actions
table SELECT, UPDATE, DELETE, INSERT, REFERENCE
column SELECT, UPDATE
view SELECT, UPDATE, INSERT, DELETE
stored procedure EXECUTE

Statement Permissions

Statement permissions control who can perform administrative actions such as creating or backing up a database. Only the sa, members of the sysadmin role, or database owner can administer statement permissions. I advise prudence in granting access to statement permissions such as CREATE DATABASE, BACKUP DATABASE, and BACKUP LOG. Usually, the best approach is to let the sa, a member of the sysadmin role, or the database owner manage these statements. Following is a list of statement permissions that can be granted or revoked:

  • CREATE DATABASE - Creates a database. This permission can be granted only by the sa and only to users in the master database.
  • CREATE DEFAULT - Creates a default value for a table column.
  • CREATE PROCEDURE - Creates a stored procedure.
  • CREATE RULE - Creates a table column rule.
  • CREATE TABLE - Creates a table.
  • CREATE VIEW - Creates a view.
  • BACKUP DATABASE - Backs up the database.
  • BACKUP TRANSACTION - Backs up the transaction log.

Roles

Roles provide a logical way to group users with permissions. The following are the types of roles found in SQL Server:

  • Server roles
  • Database roles
Server Roles

Server roles provide levels of access to server operations and tasks. If an individual is placed in a certain role, he can perform the function permitted by the role. For example, an individual who is member of the sysadmin role can perform any type of action in SQL Server.

Server roles are predefined and are serverwide. These roles are not database specific and cannot be customized. Table 2 provides a listing and explanation for each type of server role.

Table 2 - Server Roles

Server Role        Description
sysadmin Able to do anything in SQL Server
serveradmin Able to modify SQL Server settings and shut down SQL Server
setupadmin Able to install replication and control extended stored procedures
securityadmin Able to control server logins and create database permissions
processadmin Able to control SQL Server processes
dbcreator Able to create and modify databases
diskadmin Able to manage disk files
bulkadmin Able to execute bulk insert statements

Database Roles

Database roles provide the assignment of a set of database-specific permissions to an individual or a group of users. Database roles can be assigned to NT Authenticated logins or SQL Server Authenticated logins. Roles that are assigned to NT Authenticated logins can be assigned to NT users and NT groups. Roles can also be nested so that a hierarchical group of permissions can be assigned to logins.

Database roles are database specific. SQL Server provides three types of roles:

  • Predefined database roles
  • User-defined database roles
  • Implicit roles
Predefined Database Roles

Predefined database roles are standard SQL Server database roles. Each database in SQL Server has these roles. Predefined database roles make it easy to delegate responsibility. For example, a developer might be assigned the db_ddladmin role in a development database. This role would allow a developer to create and drop objects (tables, stored procedures, views, and so on) on an as-needed basis.

Predefined database roles are database specific and cannot be customized. Table 3 provides a description of each predefined database role.

Table 3 - Predefined Database Roles

Database Role            Description
db_owner Has complete access to all objects within the database, can drop and re-create objects, and has the capability to assign object permissions to other users. It can modify database settings and perform database maintenance tasks. This role encompasses all functionality listed in the other predefined database roles.
db_accessadmin Controls access to the database by adding or removing Windows Authentication users and SQL Server users.
db_datareader Has complete access to SELECT data from any table in the database. This role does not grant INSERT, DELETE, or UPDATE permissions on any table in the database.
db_datawriter Can perform INSERT, DELETE, or UDPATE statements on any table in the database. This role does not grant SELECT permission on any table in the database
db_ddladmin Has the capability to create, modify, and drop objects in the database.
db_securityadmin Performs security management within the database. This role manages statement and object permissions and roles within the database.
db_backupoperator Has the capability to back up the database.
db_denydatareader       Denies SELECT permission on all tables in the database. However, this role does allow users to modify existing table schemas. It does not allow them to create or drop existing tables.
db_denydatawriter       Denies data modification statements (INSERT, DELETE, or UPDATE) from being performed against any tables in the databases
public Every database user is a member of the public role. A user automatically becomes part of the public role when she is permitted access to the database.

NOTE
When everyone in a database needs the same permission to the same object, use the public role. When you grant or revoke a permission to the public role, everyone feels the effect. Using the public role is often an easy way to streamline security administration.
1 2




Networking Solutions





Partners

  • Partner With Us














More for Developers

Local Guides
 >Architecture & Design
 >Database
 >Java
 >Languages & Tools
 >Microsoft & .NET
 >Open Source
 >Project Management
 >Security
 >Techniques
 >Wireless

internet.commediabistro.comJusttechjobs.comGraphics.com

Search:

WebMediaBrands Corporate Info

Legal Notices, Licensing, Permissions, Privacy Policy.
Advertise | Newsletters | Shopping | E-mail Offers | Freelance Jobs

Solutions

Whitepapers and eBooks

Microsoft Articles: Visual Studio 2010
Adobe Article: Adobe Helps PHP Developers Create Rich Internet Applications
Microsoft Whitepaper: How Windows Server 2008 R2 Helps Optimize IT and Save You Money
Adobe Article: Java Developers Finding a Home at Adobe Flex
IBM Articles: A Smarter Business Needs Smarter Technology
Intel Xeon Processor Increases Server Efficiency and Capabilities
Intel Tech Brief: Automated Energy Efficiency for the Intelligent Enterprise
Oracle Whitepapers - Innovation for IT Leaders
Avaya Article: Communication-Enabled Mashups--Empowering Both Business Owners and IT
 Internet.com eBook: IT Manager's Guide to Social Networking
Internet.com eBook: Get Ready for Windows 7
Microsoft Article: Expression Web 3--New Features for PHP Developers
Whitepapers: Manage Your Business Infrastracture with IBM
Whitepaper: Maximize Your Storage Investment with HP
Internet.com eBook: Becoming a Better Project Manager
Microsoft Article: Stress Free and Efficient Designer/Developer Collaboration
MORE WHITEPAPERS, EBOOKS, AND ARTICLES

Webcasts

Webcast: Connecting PHP to Microsoft Technologies
Video: Microsoft Partner Program Benefits
Video: Windows Azure Debugging Tips
SAP BusinessObjects Webcast: Unlock the Power of Reporting with Crystal Reports
 IBM Webcast: Speed Business Innovation with Reduced Cost and Risk
Video: Deploy Applications on Windows Azure
MORE WEBCASTS, PODCASTS, AND VIDEOS

Downloads and eKits

Download: Microsoft Visual Studio 2010 Beta 2
Downloads & Free Trials: Microsoft's New Efficiency Resource Center
Get the Windows 7 SDK
 Free Trial: Red Gate SQL Backup Pro 6
Iron Speed Designer Application Generator
MORE DOWNLOADS, EKITS, AND FREE TRIALS

Tutorials and Demos

Internet.com Hot List: Get the Inside Scoop on the Hottest IT and Developer Products
All About Botnets
 MORE TUTORIALS, DEMOS AND STEP-BY-STEP GUIDES