Embed Size (px)
Citation preview
Chapter 10 Overview
Implement Microsoft Windows
Authentication Mode and Mixed Mode
Assign login accounts to database user
accounts and roles
Assign permissions to user accounts and
roles
Manage security within SQL Server.
Authentication Processing
When a user connects to SQL Server, the client opens a trusted connection to SQL Server, which passes the user’s Windows 2000 security credentials to SQL Server
If SQL Server finds the user’s Windows 2000 user account or group account in the list of SQL Server login accounts in the sysxlogins system table, it accepts the connection.
Windows Authentication Mode Advantages
Provides more features, such as secure validation and encryption of passwords, auditing, password expiration, minimum password length, and account lockout after an invalid password.
Enables you to add groups of users to SQL Server by adding a single login account.
Enables users to access SQL Server quickly, without having to remember another login account and password.
Mixed Mode Authentication Advantages
Mixed Mode, and the SQL Server Authentication mechanism in particular, enables non-Windows 2000 clients, Internet clients, and mixed client groups to connect to SQL Server.
Can create login accounts from existing Windows 2000 users and groups, or can create new SQL Server login accounts.
Login accounts are stored in the master..sysxlogins system table.
System or security administrators can execute stored procedures to allow or disallow a Windows 2000 user or group account to connect to SQL Server
Create a Login Account
Create a Login Account
System Stored Procedure Description
sp_grantlogin Adds a login account entry for a Windows 2000 user or SQL Server group
sp_revokelogin Removes the login account entries for a windows 2000 user or group from SQL Server
sp_denylogin Prevents a Windows 2000 user or group from connecting to SQL Server
Create a Login Account
SQL Server login accounts and passwords can contain up to 128 characters, including letters, symbols, and digits. However, login accounts cannot: • contain a backslash character, • be a reserved login account – for example, sa.• be null or an empty string (“ ”)
Default Login Accounts
• BUILTIN\Administrators is provided as the default login account for all Windows 2000 administrators. It has all rights on the SQL Server and in all databases.
• System administrator (sa) is a special login account that has all rights on the SQL Server and in all databases. It is provided for backward compatibility and should not be used routinely. This account is only enabled when SQL Server is using Mixed Mode Authentication.
Assign Logins to User Accounts
Add User Accounts using: SQL Server Enterprise Manager sp_grantdbaaccess
Dbo User Account:The sa login and members of the System Administrators (sysadmin) role are mapped to a special user account inside all databases called dbo. Any object that a system administrator creates automatically belongs to dbo. The dbo user is a default account and cannot be deleted.
Assign Logins (ctd)
Guest User AccountThe guest user account allows logins without user accounts to access a database. Login accounts assume the identity of the guest user when both of the following conditions are met:
The login account has access to SQL Server but does not have access to the database through its own user account. The database contains a guest user account.
Roles
Roles provide a means of assembling users into
a single unit to which permissions can be
applied.
Roles include:
• Fixed Server Roles
• Fixed Database Roles
• User-defined Database Roles
Fixed Server Role Privileges
Role Privileges
Sysadmin Can perform any activity in SQL Server
Serveradmin Can set serverwide configuration options, shut down the server
Setupadmin Can manage linked servers and startup procedures
Securityadmin Can manage logins and CREATE DATABASE permissions, also read error logs and change passwords
Processadmin Can manage processes running in SQL Server
Dbcreator Can create, alter, and drop databases
Diskadmin Can manage disk files
Bulkadmin Can execute BULK INSERT Statements
(Groupings of administrative privileges at the server level)
Fixed Database Role Privileges(Groupings of administrative privileges at the database level)
db_owner Has all permissions in the database
db_accessadmin Can add or remove user IDs
db_securityadmin Can manage all permissions, object ownerships, roles, and role memberships
db_ddladmin Can issue ALL DDL, but cannot issue GRANT, REVOKE, or DENY statements.
db_backupoperator Can issue DBCC, CHECKPOINT, and BACKUP statements
db_datareader Can select all data from any user table in the database
db_datawriter Can modify any data from any user table in the database
db_denydatareader Cannot select any data from any user table in the database
db_denydatawriter Cannot modify any data from any user table in the database
Role Privileges
User-defined Database Role
Creating a user-defined database role enables you to create a group of users with a set of common permissions.
Add a Role:
• When a group of users need to perform the same activities in SQL Server
• If you do not have permissions to manage Windows 2000 accounts
Permissions
Permissions specify which database objects
users are authorized to use and what the
users can do with those objects.
Types of Permissions
1.Statement Permissions• Activities that involve creating a database
or items in a database require a class of permissions called statement permissions.
• Statement Permissions give users the privilege of issuing certain Transact-SQL statements including: Create Database, Create Table, Create view, Create Procedure, Create Rule, Create Default, Create function, Backup Database, Backup Log
Types of Permissions
2. Object Permissions: Activities that involve working with data or
executing procedures require a class of permissions known as object permissions: • Table and view Permissions: Select,
Insert, Update Table/view, Delete, References
• Column Permissions: Select, Update column, and references
• Stored Procedure Permissions: Exec
Types of Permissions
3.Predefined Permissions:Only members of fixed roles or owners of database objects can perform certain activities. Permissions to perform these activities are called predefined or implicit permissions
• Fixed Role Permissions: Fixed roles have implicit administrative permissions.
• Object owner Permissions: Object owners also have implied permissions that allow them to perform all activities with objects that they own.
Command Line Interface (CLI)
Security can also be managed from the command line interface (CLI)
CLI – Create Logins
• Create a SQL Server Login
sp_addlogin ‘MrsDeveloperSQL’, ‘password’
• Create a Windows account Login
sp_grantlogin ‘SENECADOM\MrsDboNT’
CLI – Work with Database Users
Map Login Accounts to a User account
USE pubs2
Go
EXEC sp_grantdbaccess ‘SENECADOM\MrsDboNT’, ‘MrsDboNT’
Go
CLI – Work with Database Users
Command Result
sp_helplogins Displays information about a login
sp_droplogin Removes a login
sp_revokelogin Removes a login
sp_denylogin Denies a login
sp_password Changes a login’s password
sp_defaultdb Sets a login’s default database
sp_validatelogins Shows “orphans” in the database. These are logins that exist in SQL Server but no longer exist as Windows accounts
CLI – Work with Roles
Add SQL 2000 user to the sysadmin group
sp_addsrvrolemember ‘SuperUser’, ‘sysadmin’
Add a new database role of developers
sp_addrole ‘Developers’
CLI – Work with Roles
Command Result
sp_droprole Removes a role
sp_helprole Displays information about a role
sp_helpdbfixedrole Displays privileges the fixed roles have
CLI – Work with Permissions
Grant Select access to a tableGrant Select On authors To MrsDeveloperSQL GO
Deny Insert access to a tableDeny Insert On authors To MrsDeveloperSQL GO
• Revoke Select permissions from a table Revoke Select On authorsFrom MrsDeveloperSQL GO
