Access, Users, Permissions

Presentation transcript:

SQL Server: Access, Users, Permissions

Introduction
Name: Dummea Vincent
Job: SQL Server DBA
LinkedIn: https://www.linkedin.com/in/dummea-vincent-1936b811
Blog: https://sqlelementary.com/
A little about myself: this is my first SQL Saturday presentation, so your feedback is definitely welcome. I am currently seeking my master's degree at University of Maryland University College in database systems (more so Oracle database systems).

Objectives/Topics
Server level: the 2 different server authentication modes, the different server roles, creating logins.
Database level: database roles, creating database users, manipulating permissions.
Tables, SPs, and lower levels.
Q&A.
This session will cover the very basics of SQL Server, so FYI, if you are not a beginner I don't want to waste your time. These are the topics we will be going over today. We will start at the top, with the instance-level permissions and access, and then work our way down.

Server Permission
I apologize for the blacked-out words, but the screenshots are taken from my work test server, so I cannot compromise our security. This page is the server properties page. How do you get here? Right-click on the instance name and then click Properties, just like in any Microsoft program. The word SECURITY will be a recurring theme in SQL Server; when in doubt, go to Security for anything to do with access or permissions. The server authentication mode can be set while installing the instance, but it can also be changed on this page.

The Server Roles
bulkadmin, dbcreator, diskadmin, processadmin, public, securityadmin, serveradmin, setupadmin, sysadmin.
The server roles, and also the database roles which I will go over in a later slide, are pretty much self-explanatory. The name says exactly what the role does.

Creating Windows Login
Creating a WINDOWS login via GUI. Microsoft provides 2 different ways a DBA can accomplish tasks in SQL Server. One is via the GUI (graphical user interface) and the other is via the T-SQL language. This shows the GUI way of creating a login. You scroll down to the SECURITY folder or tab, expand it, right-click on Logins and click 'New Login.' You can create either a 'WINDOWS' login, which does not require a password, or a 'SQL SERVER' login, which requires a password. A nice thing about the GUI is that you can script out almost everything, and it will script it out in T-SQL form.

Creating Windows Login Cont…
Creating a WINDOWS login via T-SQL

Creating SQL Server Login Creating a SQL SERVER login via GUI

Creating SQL Server Login Cont… Scripting out a login

Creating SQL Server login via T-SQL

-- Syntax for SQL Server
CREATE LOGIN login_name { WITH <option_list1> | FROM <sources> }

<option_list1> ::=
    PASSWORD = { 'password' | hashed_password HASHED } [ MUST_CHANGE ]
    [ , <option_list2> [ ,... ] ]

<option_list2> ::=
    SID = sid
    | DEFAULT_DATABASE = database
    | DEFAULT_LANGUAGE = language
    | CHECK_EXPIRATION = { ON | OFF}
    | CHECK_POLICY = { ON | OFF}
    | CREDENTIAL = credential_name

<sources> ::=
    WINDOWS [ WITH <windows_options>[ ,... ] ]
    | CERTIFICATE certname
    | ASYMMETRIC KEY asym_key_name

<windows_options> ::=
    DEFAULT_DATABASE = database
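An added example (not from the original slides) that applies the syntax above: a Windows login, a SQL Server login with password policy enforced, and an audit query for SQL logins that skip policy or expiration checks. The names DOMAIN\JrDBAs, sqlsaturday1 and PROD come from elsewhere in this deck; the password is a placeholder.

```sql
-- Windows login: SQL Server stores no password; the domain authenticates the account.
CREATE LOGIN [DOMAIN\JrDBAs] FROM WINDOWS
    WITH DEFAULT_DATABASE = [master];
GO

-- SQL Server login: the password hash is stored in SQL Server, so enforce the
-- Windows password policy and expiration. MUST_CHANGE requires both to be ON.
-- The password below is a placeholder (assumption); supply a generated value.
CREATE LOGIN [sqlsaturday1]
    WITH PASSWORD = N'<placeholder-generated-password>' MUST_CHANGE,
         DEFAULT_DATABASE = [PROD],
         CHECK_EXPIRATION = ON,
         CHECK_POLICY = ON;
GO

-- Weak form, for contrast only: policy checks switched off.
-- CREATE LOGIN [sqlsaturday1] WITH PASSWORD = N'...', CHECK_POLICY = OFF;

-- Audit: SQL logins that bypass policy or expiration checks, with their
-- disabled, locked-out and must-change state.
SELECT  name,
        is_disabled,
        is_policy_checked,
        is_expiration_checked,
        LOGINPROPERTY(name, 'IsLocked')     AS is_locked,
        LOGINPROPERTY(name, 'IsMustChange') AS must_change
FROM    sys.sql_logins
WHERE   is_policy_checked = 0
   OR   is_expiration_checked = 0
ORDER BY name;
```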

This is still the New Login page, which is also the login properties page. After creating the new login, you can go through each tab to make changes. On this page you can assign server roles.

This page is the User Mapping page. You can map a login to one or multiple databases. A login can be given access to both the instance and the databases, but a database user can only access database-level permissions. As you can see, I assigned sqlsaturday1 to the PROD database, so now under the PROD users tab you can see sqlsaturday1 listed as one of the users.

This is the Securables page. Securables are anything that permissions can be granted on: basically anything under the database, from the schema down to the objects.

This final page is self-explanatory. It shows the status of the login. Here you can deny access to a login or disable the login, and if the user is locked out you can see that here.

A login can be given access to both the instance and the databases, but a database user can only access database-level permissions.

Database Roles
db_accessadmin, db_backupoperator, db_datareader, db_datawriter, db_ddladmin, db_denydatareader, db_denydatawriter, db_owner, db_securityadmin, public.
You can create additional database roles, but I would not recommend creating new server roles unless it is really necessary. Let's say, for example, a request came in to add 15 users to a specific database and to grant them permission only to SELECT on 4 tables and EXECUTE the stored procedures. If you want a hard life, you can do each user individually, but if you want to make your life easy, kick it back to the requestor and suggest that you create a role that has permission to SELECT on the 4 tables and EXECUTE the stored procedures. Then you can assign that role to the 15 users.

Creating a New Database Role
Here is how you would create a database role, either via the GUI or T-SQL. You should start noticing a pattern: from server level to database level the actions are the same and the syntax is similar.
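The 15-user request described above, as an added T-SQL example that is not part of the original slides. The role name, the four table names and the two procedure names are hypothetical and assumed to exist in PROD; sqlsaturday1 is the user mapped to PROD earlier in the deck.

```sql
USE [PROD];
GO

-- One role carries the permissions; users only gain or lose membership.
CREATE ROLE [SalesReportReaders] AUTHORIZATION [dbo];
GO

-- SELECT on exactly the 4 requested tables (hypothetical names).
GRANT SELECT ON OBJECT::dbo.Customers  TO [SalesReportReaders];
GRANT SELECT ON OBJECT::dbo.Orders     TO [SalesReportReaders];
GRANT SELECT ON OBJECT::dbo.OrderLines TO [SalesReportReaders];
GRANT SELECT ON OBJECT::dbo.Products   TO [SalesReportReaders];

-- EXECUTE on the requested stored procedures (hypothetical names).
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrders    TO [SalesReportReaders];
GRANT EXECUTE ON OBJECT::dbo.usp_GetCustomers TO [SalesReportReaders];
GO

-- Repeat for each of the 15 users (ALTER ROLE ... ADD MEMBER needs SQL Server 2012+).
ALTER ROLE [SalesReportReaders] ADD MEMBER [sqlsaturday1];
GO

-- Review what the role actually holds before handing it back to the requestor.
SELECT  pr.name                          AS grantee,
        pe.state_desc,
        pe.permission_name,
        pe.class_desc,
        OBJECT_SCHEMA_NAME(pe.major_id)  AS schema_name,
        OBJECT_NAME(pe.major_id)         AS object_name
FROM    sys.database_permissions AS pe
JOIN    sys.database_principals  AS pr
        ON pr.principal_id = pe.grantee_principal_id
WHERE   pr.name = N'SalesReportReaders'
ORDER BY object_name, pe.permission_name;

-- Check effective permissions as a member: SELECT should be allowed and
-- DELETE should not, unless another role or grant adds it.
EXECUTE AS USER = N'sqlsaturday1';
SELECT  HAS_PERMS_BY_NAME(N'dbo.Customers', N'OBJECT', N'SELECT') AS can_select,
        HAS_PERMS_BY_NAME(N'dbo.Customers', N'OBJECT', N'DELETE') AS can_delete;
REVERT;
```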

Creating Database Users
There are several types of users that you can create in a database. We will concentrate on creating a user with a login, because that is the type that is mostly used.

2 USERS, 1 LOGIN
You can associate multiple users with one login as long as each user is in a different database. But doing so would be pointless, because once they log in, both users can access each other's database.
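An added example (not from the original slides) of the login-to-user mapping: one login mapped to a user in a second database, followed by a per-database query that shows which login each user resolves to and flags users whose login no longer exists. The database TEST and the user name sqlsat_test are hypothetical; sqlsaturday1 and PROD are the deck's names.

```sql
-- The login lives at the instance level; each database holds its own user,
-- tied to the login by SID, not by name.
USE [TEST];
GO
CREATE USER [sqlsat_test] FOR LOGIN [sqlsaturday1];
GO

-- Run in each database of interest (PROD, TEST, ...): list SQL users that
-- authenticate through an instance login and the login they map to.
SELECT  DB_NAME()      AS database_name,
        dp.name        AS database_user,
        sp.name        AS server_login,
        CASE WHEN sp.sid IS NULL
             THEN 'orphaned: no login with this SID'
             ELSE 'mapped'
        END            AS mapping_status
FROM    sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
        ON sp.sid = dp.sid
WHERE   dp.type = 'S'                            -- SQL users
  AND   dp.authentication_type_desc = 'INSTANCE' -- authenticate via a login
ORDER BY dp.name;
```

Orphaned rows typically appear after a database is restored onto another instance or a login is dropped without removing its users.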

Granting permissions on a database
This is the database properties page, and although I did not go through each tab, the only tab associated with security or access is the Permissions tab.

Granting permissions on a Schema

Granting permissions on a Table

Granting permissions on a stored procedure
If you noticed while I went through the slides, the blue underlined “view ……” link leads you to the next permission level, so you can avoid clicking out of here. You can manage all levels of permissions in the same location. To go back to the lower-level permission, just click Cancel.

Q1
You are the lead database administrator (DBA) of a Microsoft SQL Server 2012 environment. All DBAs are members of the DOMAIN\JrDBAs Active Directory group. You grant DOMAIN\JrDBAs access to the SQL Server. You need to create a server role named SpecialDBARole that can perform the following functions:
* View all databases.
* View the server state.
* Assign GRANT, DENY, and REVOKE permissions on logins.
You need to add DOMAIN\JrDBAs to the server role. You also need to provide the least level of privileges necessary. Which SQL statement or statements should you use? Choose all that apply.
A. CREATE SERVER ROLE [SpecialDBARole] AUTHORIZATION setupadmin;
B. ALTER SERVER ROLE [SpecialDBARole] ADD MEMBER [DOMAIN\JrDBAs];
C. CREATE SERVER ROLE [SpecialDBARole] AUTHORIZATION securityadmin;
D. GRANT VIEW DEFINITION TO [SpecialDBARole];
E. CREATE SERVER ROLE [SpecialDBARole] AUTHORIZATION serveradmin;
F. GRANT VIEW SERVER STATE, VIEW ANY DATABASE TO [SpecialDBARole];
Answers are B, C, and F.

Q2
You develop three Microsoft SQL Server 2012 databases named Database1, Database2, and Database3. You have permissions on both Database1 and Database2. You plan to write and deploy a stored procedure named dbo.usp_InsertEvent in Database3. dbo.usp_InsertEvent must execute other stored procedures in the other databases. You need to ensure that callers that do not have permissions on Database1 or Database2 can execute the stored procedure. Which Transact-SQL statement should you use?
A. USE Database2
B. EXECUTE AS OWNER
C. USE Database1
D. EXECUTE AS CALLER
Answer is B.

Q3
You administer a Microsoft SQL Server 2012 database that has multiple tables in the Sales schema. Some users must be prevented from deleting records in any of the tables in the Sales schema. You need to manage users who are prevented from deleting records in the Sales schema. You need to achieve this goal by using the minimum amount of administrative effort. What should you do?
A. Create a custom database role that includes the users. Deny Delete permissions on the Sales schema for the custom database role.
B. Include the Sales schema as an owned schema for the db_denydatawriter role. Add the users to the db_denydatawriter role.
C. Deny Delete permissions on each table in the Sales schema for each user.
D. Create a custom database role that includes the users. Deny Delete permissions on each table in the Sales schema for the custom database role.
Answer is A.