module 10 assigning server and database roles. module overview working with server roles working...
TRANSCRIPT
Module 10
Assigning Server and Database Roles
Module Overview
• Working with Server Roles
• Working with Fixed Database Roles
• Creating User-defined Database Roles
Lesson 1: Working with Server Roles
• Server-scoped Permissions
• Typical Server-scoped Permissions
• Overview of Fixed Server Roles
• public Server Role
• Demonstration 1A: Assigning Fixed Server Roles
Server-scoped Permissions
• Permissions at the server level can be assigned in two ways: Fixed server roles Specific server-scoped permissions
• Minimize the use of fixed server roles Assign more specific permissions
USE master;GOGRANT ALTER ON LOGIN::HRAppTO [AdventureWorks\Holly];GOGRANT ALTER ANY DATABASETO [AdventureWorks\Holly];GO
USE master;GOGRANT ALTER ON LOGIN::HRAppTO [AdventureWorks\Holly];GOGRANT ALTER ANY DATABASETO [AdventureWorks\Holly];GO
Typical Server-scoped Permissions
• Current database must be master when assigning server-scoped permissions
• Permissions assignments are visible by querying the sys.server_permissions view
Typical Server-scoped Permissions
ALTER ANY DATABASE ALTER TRACE
BACKUP DATABASE BACKUP LOG
CONNECT CREATE DATABASE
VIEW ANY DEFINITION VIEW SERVER STATE
Overview of Fixed Server Roles
Role Description Server-level Permission
sysadmin Perform any activity CONTROL SERVER (with GRANT option)
dbcreator Create and alter databases ALTER ANY DATABASE
diskadmin Manage disk files ALTER RESOURCES
serveradmin Configure server-wide settings
ALTER ANY ENDPOINT, ALTER RESOURCES, ALTER SERVER STATE, ALTER SETTINGS, SHUTDOWN, VIEW SERVER STATE
securityadmin Manage and audit server logins ALTER ANY LOGIN
processadmin Manage SQL Server processes ALTER ANY CONNECTIONALTER SERVER STATE
bulkadmin Run the BULK INSERT statement ADMINISTER BULK OPERATIONS
setupadmin Configure replication and linked servers ALTER ANY LINKED SERVER
public Server Role
• Not considered a fixed server role as its permissions can be changed
• By default, is granted: VIEW ANY DATABASE permission CONNECT permission on default endpoints
public is a special server role with server-scope.
Demonstration 1A: Assigning Fixed Server Roles
• In this demonstration, you will see: How to view the available fixed server roles using the GUI
How to assign a fixed server role using the GUI
How to view the available fixed server roles using T-SQL
How to assign a fixed server role using T-SQL
How to view the members of fixed server roles using T-SQL
How to view the server permissions that are currently assigned
Lesson 2: Working with Fixed Database Roles
• Database-scoped Permissions
• Overview of Fixed Database Roles
• Assigning Users to Roles
• Database Owner
• Demonstration 2A: Managing Roles and Users
Database-scoped Permissions
• Permissions at the database level can be assigned in three ways: Fixed database roles User-defined database roles Specific database-scoped permissions
• Minimize the use of fixed database roles Assign more specific permissions
USE AdventureWorks2008R2;GOGRANT CREATE TABLE TO HRManager;GOGRANT VIEW DEFINITION TO James;GO
USE AdventureWorks2008R2;GOGRANT CREATE TABLE TO HRManager;GOGRANT VIEW DEFINITION TO James;GO
Overview of Fixed Database Roles
Role Description
db_owner Perform any configuration and maintenance activities on the DB and can drop it
db_securityadmin Modify role membership and manage permissions
db_accessadmin Add or remove access to the DB for logins
db_backupoperator Back up the DB
db_ddladmin Run any DDL command in the DB
db_datawriter Add, delete, or change data in all user tables
db_datareader Read all data from all user tables
db_denydatawriter Cannot add, delete, or change data in user tables
db_denydatareader Cannot read any data in user tables
Assigning Users to Roles
• Users can be assigned to roles Using GUI Using T-SQL
USE AdventureWorks2008R2;GOEXEC sp_addrolemember 'db_datareader', 'James';GO
USE AdventureWorks2008R2;GOEXEC sp_addrolemember 'db_datareader', 'James';GO
Database Owner
dboThe sa login and members of sysadmin role are mapped to dbo account, along with the owner of the database
Demonstration 2A: Managing Roles and Users
• In this demonstration you will see: How to view the available fixed database roles using the GUI
How to assign a fixed database role using the GUI
How to view the available fixed database roles using T-SQL
How to assign a fixed database role using T-SQL
How to view the members of fixed database roles using T-SQL
Lesson 3: Creating User-defined Database Roles
• Working with User-defined Database Roles
• Applying Roles in Common Scenarios
• Demonstration 3A: User-defined Database Roles
• Defining Application Roles
• Demonstration 3B: Application Roles
Working with User-defined Database Roles
• Database roles can be created, modified, and dropped CREATE ROLE statement to create Roles have owners Permissions are granted to role Role permissions are inherited by role members
USE MarketDev;GO
CREATE ROLE MarketingReaders AUTHORIZATION dbo;GO
GRANT SELECT ON SCHEMA::Marketing TO MarketingReaders;GO
USE MarketDev;GO
CREATE ROLE MarketingReaders AUTHORIZATION dbo;GO
GRANT SELECT ON SCHEMA::Marketing TO MarketingReaders;GO
Applying Roles in Common Scenarios
• Typical scenario Define dbo users and other administrative roles Define permission groups within the database Consider the use of the public role for common permissions Create roles and assign permissions to them Add users to roles
• For decision-making within code IS_SRVROLEMEMBER, IS_MEMBER
IF IS_MEMBER('BankManagers') = 0BEGIN PRINT 'Operation is only for bank manager use'; ROLLBACK;END;
IF IS_MEMBER('BankManagers') = 0BEGIN PRINT 'Operation is only for bank manager use'; ROLLBACK;END;
Demonstration 3A: User-defined Database Roles
• In this demonstration you will see: How to create a user-defined database role using the
GUI How to create a user-defined database role using T-SQL How to view the available database roles using T-SQL
Defining Application Roles
User runs app
App connects to db as user
App authenticates using sp_setapprole
App assumes app role
Application roles are used to enable permissions for users only while they are running particular applications.
Demonstration 3B: Application Roles
• In this demonstration, you will see how to: Create an application role
Change security context to an application role
Lab 10: Assigning Server and Database Roles
• Exercise 1: Assign Server Roles
• Exercise 2: Assign Fixed Database Roles
• Exercise 3: Create and Assign User-defined Database Roles
• Challenge Exercise 4: Check Role Assignments (Only if time permits)
Logon information
Estimated time: 45 minutes
Virtual machine 623XB-MIA-SQL
User name AdventureWorks\Administrator
Password Pa$$w0rd
Lab Scenario
You have created the SQL Server logins and Database users. You now need to assign the logins and users to the required roles based upon the security requirements for the MarketDev database. You should assign the minimum level of access that will allow each user to perform their job. This will require a combination of server, fixed database, and user defined database roles.
Do not be concerned with object and schema permissions as these will be assigned in Module 11 but you do need to consider the role requirements that will be required at that time.
Note: the changes you make will later be migrated to the production environment. You should use T-SQL commands to implement the required changes.
Lab Review
• What is the biggest challenge when assigning permissions to users?
• Why do users often get granted more permissions than they need to do their work?
Module Review and Takeaways
• Review Questions
• Best Practices