* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download 6231B_10
Survey
Document related concepts
Entity–attribute–value model wikipedia , lookup
Serializability wikipedia , lookup
Extensible Storage Engine wikipedia , lookup
Microsoft Access wikipedia , lookup
Open Database Connectivity wikipedia , lookup
Oracle Database wikipedia , lookup
Functional Database Model wikipedia , lookup
Ingres (database) wikipedia , lookup
Relational model wikipedia , lookup
Microsoft Jet Database Engine wikipedia , lookup
Concurrency control wikipedia , lookup
Microsoft SQL Server wikipedia , lookup
Database model wikipedia , lookup
Versant Object Database wikipedia , lookup
Transcript
Module 10 Assigning Server and Database Roles Module Overview • Working with Server Roles • Working with Fixed Database Roles • Creating User-defined Database Roles Lesson 1: Working with Server Roles • Server-scoped Permissions • Typical Server-scoped Permissions • Overview of Fixed Server Roles • public Server Role • Demonstration 1A: Assigning Fixed Server Roles Server-scoped Permissions • Permissions at the server level can be assigned in two ways: Fixed server roles Specific server-scoped permissions • Minimize the use of fixed server roles Assign more specific permissions USE master; GO GRANT ALTER ON LOGIN::HRApp TO [AdventureWorks\Holly]; GO GRANT ALTER ANY DATABASE TO [AdventureWorks\Holly]; GO Typical Server-scoped Permissions • Current database must be master when assigning server- scoped permissions • Permissions assignments are visible by querying the sys.server_permissions view Typical Server-scoped Permissions ALTER ANY DATABASE ALTER TRACE BACKUP DATABASE BACKUP LOG CONNECT CREATE DATABASE VIEW ANY DEFINITION VIEW SERVER STATE Overview of Fixed Server Roles Role Description Server-level Permission sysadmin Perform any activity CONTROL SERVER (with GRANT option) dbcreator Create and alter databases ALTER ANY DATABASE diskadmin Manage disk files ALTER RESOURCES serveradmin Configure server-wide settings ALTER ANY ENDPOINT, ALTER RESOURCES, ALTER SERVER STATE, ALTER SETTINGS, SHUTDOWN, VIEW SERVER STATE securityadmin Manage and audit server logins ALTER ANY LOGIN processadmin Manage SQL Server processes ALTER ANY CONNECTION ALTER SERVER STATE bulkadmin Run the BULK INSERT statement ADMINISTER BULK OPERATIONS setupadmin Configure replication and linked servers ALTER ANY LINKED SERVER public Server Role public is a special server role with server-scope. • Not considered a fixed server role as its permissions can be changed • By default, is granted: VIEW ANY DATABASE permission CONNECT permission on default endpoints Demonstration 1A: Assigning Fixed Server Roles • In this demonstration, you will see: How to view the available fixed server roles using the GUI How to assign a fixed server role using the GUI How to view the available fixed server roles using T-SQL How to assign a fixed server role using T-SQL How to view the members of fixed server roles using T-SQL How to view the server permissions that are currently assigned Lesson 2: Working with Fixed Database Roles • Database-scoped Permissions • Overview of Fixed Database Roles • Assigning Users to Roles • Database Owner • Demonstration 2A: Managing Roles and Users Database-scoped Permissions • Permissions at the database level can be assigned in three ways: Fixed database roles User-defined database roles Specific database-scoped permissions • Minimize the use of fixed database roles Assign more specific permissions USE AdventureWorks2008R2; GO GRANT CREATE TABLE TO HRManager; GO GRANT VIEW DEFINITION TO James; GO Overview of Fixed Database Roles Role Description db_owner Perform any configuration and maintenance activities on the DB and can drop it db_securityadmin Modify role membership and manage permissions db_accessadmin Add or remove access to the DB for logins db_backupoperator Back up the DB db_ddladmin Run any DDL command in the DB db_datawriter Add, delete, or change data in all user tables db_datareader Read all data from all user tables db_denydatawriter Cannot add, delete, or change data in user tables db_denydatareader Cannot read any data in user tables Assigning Users to Roles • Users can be assigned to roles Using GUI Using T-SQL USE AdventureWorks2008R2; GO EXEC sp_addrolemember 'db_datareader', 'James'; GO Database Owner dbo The sa login and members of sysadmin role are mapped to dbo account, along with the owner of the database Demonstration 2A: Managing Roles and Users • In this demonstration you will see: How to view the available fixed database roles using the GUI How to assign a fixed database role using the GUI How to view the available fixed database roles using T-SQL How to assign a fixed database role using T-SQL How to view the members of fixed database roles using T-SQL Lesson 3: Creating User-defined Database Roles • Working with User-defined Database Roles • Applying Roles in Common Scenarios • Demonstration 3A: User-defined Database Roles • Defining Application Roles • Demonstration 3B: Application Roles Working with User-defined Database Roles • Database roles can be created, modified, and dropped CREATE ROLE statement to create Roles have owners Permissions are granted to role Role permissions are inherited by role members USE MarketDev; GO CREATE ROLE MarketingReaders AUTHORIZATION dbo; GO GRANT SELECT ON SCHEMA::Marketing TO MarketingReaders; GO Applying Roles in Common Scenarios • Typical scenario Define dbo users and other administrative roles Define permission groups within the database Consider the use of the public role for common permissions Create roles and assign permissions to them Add users to roles • For decision-making within code IS_SRVROLEMEMBER, IS_MEMBER IF IS_MEMBER('BankManagers') = 0 BEGIN PRINT 'Operation is only for bank manager use'; ROLLBACK; END; Demonstration 3A: User-defined Database Roles • In this demonstration you will see: How to create a user-defined database role using the GUI How to create a user-defined database role using T-SQL How to view the available database roles using T-SQL Defining Application Roles User runs app App connects to db as user App authenticates using sp_setapprole App assumes app role Application roles are used to enable permissions for users only while they are running particular applications. Demonstration 3B: Application Roles • In this demonstration, you will see how to: Create an application role Change security context to an application role Lab 10: Assigning Server and Database Roles • Exercise 1: Assign Server Roles • Exercise 2: Assign Fixed Database Roles • Exercise 3: Create and Assign User-defined Database Roles • Challenge Exercise 4: Check Role Assignments (Only if time permits) Logon information Virtual machine 623XB-MIA-SQL User name AdventureWorks\Administrator Password Pa$$w0rd Estimated time: 45 minutes Lab Scenario You have created the SQL Server logins and Database users. You now need to assign the logins and users to the required roles based upon the security requirements for the MarketDev database. You should assign the minimum level of access that will allow each user to perform their job. This will require a combination of server, fixed database, and user defined database roles. Do not be concerned with object and schema permissions as these will be assigned in Module 11 but you do need to consider the role requirements that will be required at that time. Note: the changes you make will later be migrated to the production environment. You should use T-SQL commands to implement the required changes. Lab Review • What is the biggest challenge when assigning permissions to users? • Why do users often get granted more permissions than they need to do their work? Module Review and Takeaways • Review Questions • Best Practices