Who Has What to Which? (The Permissions Superset)

1 Who Has What to Which? (The Permissions Superset)
Robert L Davis Principal Database Architect @SQLSoldier

2 Please Support Our Sponsors
SQL Saturday is made possible with the generous support of these sponsors. You can support them by opting-in and visiting them in the sponsor area.

3 Who Has What to Which? (The Permissions Superset)
DEMO

12 Who Has What to Which? (The Permissions Superset)
Windows command line tools used in that demo:
NET USER
  Add, delete, or modify user accounts on local machine or in AD
  Add a user:
    Syntax: net user <user name> <password> /ADD
    Example: net user SQLTest1 Pa$$W0rd /ADD
  Delete a user:
    Syntax: net user <user name> /DELETE
    Example: net user SQLTest1 /DELETE
  Modify password for user:
    Syntax: net user <user name> <new password>
    Example: net user SQLTest1
  Add /DOMAIN to perform in AD instead of local machine

17 Who Has What to Which? (The Permissions Superset)
Windows command line tools used in that demo:
NET LOCALGROUP
  Add, delete, or modify group accounts on local machine
  Add a local group:
    Syntax: net localgroup <group name> /ADD
    Example: net localgroup SQLDev /ADD
  Delete a local group:
    Syntax: net localgroup <group name> /DELETE
    Example: net localgroup SQLDev /DELETE
  Modify membership:
    Syntax: net localgroup <group name> <user name> /ADD or /DELETE
    Example 1: net localgroup SQLDev SQLTest1 /ADD
    Example 2: net localgroup SQLDev SQLTest1 /DELETE

18 Who Has What to Which? (The Permissions Superset)
Windows command line tools referenced in that demo:
NET GROUP
  Add, delete, or modify group accounts in AD
  Add a domain group:
    Syntax: net group <group name> /ADD /DOMAIN
    Example: net group SQLDev /ADD /DOMAIN
  Delete a domain group:
    Syntax: net group <group name> /DELETE /DOMAIN
    Example: net group SQLDev /DELETE /DOMAIN
  Modify membership:
    Syntax: net group <group name> <user name> /ADD or /DELETE /DOMAIN
    Example 1: net group SQLDev SQLTest1 /ADD /DOMAIN
    Example 2: net group SQLDev SQLTest1 /DELETE /DOMAIN

26 Who Has What to Which? (The Permissions Superset)
T-SQL tools used in that demo:
suser_sname()
  Function that returns the login name for the specified SID (security identifier)
  If SID not supplied uses SID of current user
Execute As Login = '<login>'
  Changes the current security context of the current user to the specified login
Revert
  Changes the current security context of the current user to the previous security context
  Can require multiple executions if EXECUTE AS used more than once
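
Added example (not from the original slides): nested EXECUTE AS builds a stack of security contexts, and each REVERT pops one level. SQLMCMLap\SQLTest1 is the account from the slides; SQLMCMLap\SQLTest2 and the IMPERSONATE grant shown in the comment are assumptions.

```sql
-- Added example, not the presenter's demo script.
-- Assumptions: SQLMCMLap\SQLTest1 can log in to the instance,
-- SQLMCMLap\SQLTest2 is a hypothetical second login, and SQLTest1 may
-- impersonate it:
--   GRANT IMPERSONATE ON LOGIN::[SQLMCMLap\SQLTest2] TO [SQLMCMLap\SQLTest1];
-- Run as sysadmin or as a login holding IMPERSONATE on SQLTest1.

-- Depth 0: the current context is the login that connected.
SELECT SUSER_SNAME() AS current_login, ORIGINAL_LOGIN() AS original_login;

EXECUTE AS LOGIN = N'SQLMCMLap\SQLTest1';   -- depth 1
EXECUTE AS LOGIN = N'SQLMCMLap\SQLTest2';   -- depth 2

-- SUSER_SNAME() follows the impersonated context;
-- ORIGINAL_LOGIN() keeps reporting who actually connected.
SELECT SUSER_SNAME() AS current_login, ORIGINAL_LOGIN() AS original_login;

REVERT;                                     -- back to depth 1
SELECT SUSER_SNAME() AS current_login;

REVERT;                                     -- back to depth 0
SELECT SUSER_SNAME() AS current_login, ORIGINAL_LOGIN() AS original_login;

-- Cleanup for a session where a script stopped part-way through:
-- keep reverting until the current SID is the connecting login's SID.
-- SIDs are compared instead of names to avoid collation/case surprises.
WHILE SUSER_SID() <> SUSER_SID(ORIGINAL_LOGIN())
    REVERT;
```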

30 Who Has What to Which? (The Permissions Superset)
T-SQL tools used in that demo:
HAS_PERMS_BY_NAME()
  Function that returns bit indicating if the current user has the specified permission
    0 = does not have the permission
    1 = does have the permission
  Syntax: HAS_PERMS_BY_NAME (<securable>, <securable class>, <permission> [, <sub-securable>] [, <sub-securable class>])
  Example: HAS_PERMS_BY_NAME(N'dbo.ErrorLog', N'Object', N'SELECT')
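
Added example (not from the original slides): because HAS_PERMS_BY_NAME() evaluates the current security context, an administrator can impersonate a login and test a list of securables in one query. dbo.ErrorLog and the account name come from the slides; the list of checks is an assumption, and the account is assumed to have access to the current database.

```sql
-- Added example, not the presenter's demo script.
-- Assumptions: run in the database that contains dbo.ErrorLog, by a
-- principal allowed to impersonate SQLMCMLap\SQLTest1, and that account
-- can enter this database (directly or through a Windows group).
EXECUTE AS LOGIN = N'SQLMCMLap\SQLTest1';

SELECT  SUSER_SNAME()  AS checked_login,
        c.securable,
        c.class,
        c.permission,
        -- 1 = effective permission held, 0 = not held,
        -- NULL = the check itself failed (for example an unknown
        -- securable or permission name).
        HAS_PERMS_BY_NAME(c.securable, c.class, c.permission) AS has_permission
FROM   (VALUES
            -- Server level: securable and class are both NULL.
            (NULL,            NULL,        N'VIEW SERVER STATE'),
            (NULL,            NULL,        N'CONTROL SERVER'),
            -- Database level: the current database.
            (DB_NAME(),       N'DATABASE', N'CONNECT'),
            (DB_NAME(),       N'DATABASE', N'ALTER'),
            -- Object level: the table used in the slide's example.
            (N'dbo.ErrorLog', N'OBJECT',   N'SELECT'),
            (N'dbo.ErrorLog', N'OBJECT',   N'DELETE')
       ) AS c (securable, class, permission);

-- Always return to the caller's own context afterwards.
REVERT;
```

The result reflects effective permissions, so grants inherited through Windows groups or roles, and any DENY, are already folded into each 0 or 1.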

34 Who Has What to Which? (The Permissions Superset)
T-SQL tools used in that demo:
xp_logininfo
  Extended stored procedure that returns login mappings for a user or group memberships for a Windows group
  Viewing login mappings:
    Syntax: Exec xp_logininfo N'<user>', N'all';
    Example: Exec xp_logininfo N'SQLMCMLap\SQLTest1', N'all';
  Viewing group memberships:
    Syntax: Exec xp_logininfo N'<group>', N'members';
    Example: Exec xp_logininfo N'SQLMCMLap\SQLDev', N'members';
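
Added example (not from the original slides): an audit loop that runs the 'members' form of xp_logininfo against every Windows group login on the instance and shows which accounts reach the server through more than one group. The temp table and cursor names are assumptions; the column layout follows the procedure's documented result set.

```sql
-- Added example, not the presenter's demo script.
CREATE TABLE #members (
    account_name      sysname NULL,
    type              char(8) NULL,
    privilege         char(9) NULL,
    mapped_login_name sysname NULL,
    permission_path   sysname NULL   -- the group that grants the access
);

DECLARE @grp sysname;
DECLARE grp_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM   sys.server_principals
    WHERE  type = 'G';               -- G = Windows group login

OPEN grp_cur;
FETCH NEXT FROM grp_cur INTO @grp;
WHILE @@FETCH_STATUS = 0
BEGIN
    BEGIN TRY
        -- Reports the next-level members of the group only;
        -- groups nested inside it are listed but not expanded.
        INSERT INTO #members
        EXEC xp_logininfo @grp, N'members';
    END TRY
    BEGIN CATCH
        -- A group that can no longer be resolved should not stop the audit.
        PRINT N'Could not expand ' + @grp + N': ' + ERROR_MESSAGE();
    END CATCH;
    FETCH NEXT FROM grp_cur INTO @grp;
END;
CLOSE grp_cur;
DEALLOCATE grp_cur;

-- Accounts with path_count > 1 get the union of several groups' permissions.
SELECT  account_name, type, privilege, permission_path,
        COUNT(*) OVER (PARTITION BY account_name) AS path_count
FROM    #members
ORDER BY path_count DESC, account_name, permission_path;

DROP TABLE #members;
```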

35 Who Has What to Which? (The Permissions Superset)
DEMO

44 Who Has What to Which? (The Permissions Superset)
Database owner:
  Mapped automatically to the dbo account
  Has all permissions inside of database (DML, DDL, etc)
  Has very broad permissions for modifying the database properties
  Can make a variety of changes that can be damaging to the database or even the server
    Page verification, file settings, recovery model, auto-shrink, auto-close, etc
  Still cannot change TRUSTWORTHY
  Impersonated by sysadmin when sysadmin is in the database
  If no valid owner, you may receive error that the user cannot perform the requested action under the current security context

45 Who Has What to Which? (The Permissions Superset)
DEMO

49 Who Has What to Which? (The Permissions Superset)
Contained database user:
  By default, a contained user can only access the contained database
  If a contained user is recreated in another database with the same SID, the user can cross databases if the database they are currently in has TRUSTWORTHY enabled
  Moral: never set TRUSTWORTHY unless the CEO is standing at your desk threatening to fire you
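
Added example (not from the original slides): read-only checks covering both the database owner slide and the contained user slide above. They list databases whose owner no longer resolves, databases with TRUSTWORTHY on, and the contained users in the current database. SQL Server 2012 or later is assumed for the containment columns.

```sql
-- Added example, not the presenter's demo script. Read-only.

-- 1) Server-wide: owner validity, TRUSTWORTHY and containment per database.
--    msdb ships with TRUSTWORTHY ON, so expect it in the list.
SELECT  d.name                   AS database_name,
        SUSER_SNAME(d.owner_sid) AS owner_login,
        CASE WHEN SUSER_SNAME(d.owner_sid) IS NULL
             THEN 1 ELSE 0 END   AS owner_invalid,   -- SID no longer resolves
        d.is_trustworthy_on,
        d.containment_desc
FROM    sys.databases AS d
ORDER BY d.is_trustworthy_on DESC, owner_invalid DESC, d.name;

-- 2) Current database: does dbo still map to the owner recorded at the
--    server level? A mismatch is common after a restore or attach.
SELECT  DB_NAME()                AS database_name,
        SUSER_SNAME(dp.sid)      AS dbo_maps_to,
        SUSER_SNAME(d.owner_sid) AS recorded_owner,
        CASE WHEN dp.sid = d.owner_sid
             THEN 0 ELSE 1 END   AS owner_mismatch
FROM    sys.database_principals AS dp
JOIN    sys.databases           AS d
        ON d.database_id = DB_ID()
WHERE   dp.name = N'dbo';

-- 3) Current database: users that authenticate at the database itself
--    (contained users with passwords). Run this in each contained
--    database and compare the sid column to spot the same SID recreated
--    in more than one database.
SELECT  name, sid, authentication_type_desc, create_date
FROM    sys.database_principals
WHERE   authentication_type_desc = N'DATABASE'
ORDER BY name;
```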

50 Who Has What to Which? (The Permissions Superset)
Q & A

51 Thank you for coming! Thanks! My blog: www.sqlsoldier.com
Twitter: twitter.com/SQLSoldier Need help with your project:
