Download WhoHasWhattoWhich_ThePermissionsSuperset

Who Has What to Which?
(The Permissions Superset)
Robert L Davis
Principal Database Architect
[email protected]
@SQLSoldier
www.sqlsoldier.com
Please Support Our Sponsors
SQL Saturday is made possible with the generous support of these sponsors.
You can support them by opting-in and visiting them in the sponsor area.
Who Has What to Which?
(The Permissions Superset)
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
 NET USER
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
 NET USER
 Add, delete, or modify user accounts on local machine or in AD
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
 NET USER
 Add, delete, or modify user accounts on local machine or in AD
 Add a user:
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
 NET USER
 Add, delete, or modify user accounts on local machine or in AD
 Add a user:
 Syntax: net user <user name> <password> /ADD
 Example: net user SQLTest1 Pa$$W0rd /ADD
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
 NET USER
 Add, delete, or modify user accounts on local machine or in AD
 Add a user:
 Syntax: net user <user name> <password> /ADD
 Example: net user SQLTest1 Pa$$W0rd /ADD
 Delete a user:
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
 NET USER
 Add, delete, or modify user accounts on local machine or in AD
 Add a user:
 Syntax: net user <user name> <password> /ADD
 Example: net user SQLTest1 Pa$$W0rd /ADD
 Delete a user:
 Syntax: net user <user name> /DELETE
 Example: net user SQLTest1 /DELETE
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
 NET USER
 Add, delete, or modify user accounts on local machine or in AD
 Add a user:
 Syntax: net user <user name> <password> /ADD
 Example: net user SQLTest1 Pa$$W0rd /ADD
 Delete a user:
 Syntax: net user <user name> /DELETE
 Example: net user SQLTest1 /DELETE
 Modify password for user:
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
 NET USER
 Add, delete, or modify user accounts on local machine or in AD
 Add a user:
 Syntax: net user <user name> <password> /ADD
 Example: net user SQLTest1 Pa$$W0rd /ADD
 Delete a user:
 Syntax: net user <user name> /DELETE
 Example: net user SQLTest1 /DELETE
 Modify password for user:
 Syntax: net user <user name> <new password>
 Example: net user SQLTest1 D#gqo$dk@jcV
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
 NET USER
 Add, delete, or modify user accounts on local machine or in AD
 Add a user:
 Syntax: net user <user name> <password> /ADD
 Example: net user SQLTest1 Pa$$W0rd /ADD
 Delete a user:
 Syntax: net user <user name> /DELETE
 Example: net user SQLTest1 /DELETE
 Modify password for user:
 Syntax: net user <user name> <new password>
 Example: net user SQLTest1 D#gqo$dk@jcV
 Add /DOMAIN to perform in AD instead of local machine
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
 NET LOCALGROUP
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
 NET LOCALGROUP
 Add, delete, or modify group accounts on local machine
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
 NET LOCALGROUP
 Add, delete, or modify group accounts on local machine
 Add a local group:
 Syntax: net localgroup <group name> /ADD
 Example: net localgroup SQLDev /ADD
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
 NET LOCALGROUP
 Add, delete, or modify group accounts on local machine
 Add a local group:
 Syntax: net localgroup <group name> /ADD
 Example: net localgroup SQLDev /ADD
 Delete a local group:
 Syntax: net localgroup <group name> /DELETE
 Example: net localgroup SQLDev /DELETE
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
 NET LOCALGROUP
 Add, delete, or modify group accounts on local machine
 Add a local group:
 Syntax: net localgroup <group name> /ADD
 Example: net localgroup SQLDev /ADD
 Delete a local group:
 Syntax: net localgroup <group name> /DELETE
 Example: net localgroup SQLDev /DELETE
 Modify membership:
 Syntax: net localgroup <group name> <user name> /ADD or /DELETE
 Example 1: net localgroup SQLDev SQLTest1 /ADD
 Example 2: net localgroup SQLDev SQLTest1 /DELETE
Who Has What to Which?
(The Permissions Superset)
Windows command line tools referenced in that demo:
 NET GROUP
 Add, delete, or modify group accounts in AD
 Add a domain group:
 Syntax: net group <group name> /ADD /DOMAIN
 Example: net group SQLDev /ADD /DOMAIN
 Delete a local group:
 Syntax: net group <group name> /DELETE /DOMAIN
 Example: net group SQLDev /DELETE /DOMAIN
 Modify membership:
 Syntax: net group <group name> <user name> /ADD or /DELETE /DOMAIN
 Example 1: net group SQLDev SQLTest1 /ADD /DOMAIN
 Example 2: net group SQLDev SQLTest1 /DELETE /DOMAIN
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
 suser_sname()
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
 suser_sname()
 Function that returns the login name for the specified SID (security
identifier)
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
 suser_sname()
 Function that returns the login name for the specified SID (security
identifier)
 If SID not supplied uses SID of current user
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
 suser_sname()
 Function that returns the login name for the specified SID (security
identifier)
 If SID not supplied uses SID of current user
 Execute As Login = '<login>'
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
 suser_sname()
 Function that returns the login name for the specified SID (security
identifier)
 If SID not supplied uses SID of current user
 Execute As Login = '<login>'
 Changes the current security context of the current user to the specified
login
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
 suser_sname()
 Function that returns the login name for the specified SID (security
identifier)
 If SID not supplied uses SID of current user
 Execute As Login = '<login>'
 Changes the current security context of the current user to the specified
login
 Revert
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
 suser_sname()
 Function that returns the login name for the specified SID (security
identifier)
 If SID not supplied uses SID of current user
 Execute As Login = '<login>'
 Changes the current security context of the current user to the specified
login
 Revert
 Changes the current security context of the current user to the previous
security context
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
 suser_sname()
 Function that returns the login name for the specified SID (security
identifier)
 If SID not supplied uses SID of current user
 Execute As Login = '<login>'
 Changes the current security context of the current user to the specified
login
 Revert
 Changes the current security context of the current user to the previous
security context
 Can require multiple executions if EXECUTE AS used more than once
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
 HAS_PERMS_BY_NAME()
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
 HAS_PERMS_BY_NAME()
 Function that returns bit indicating if the current user has the specified
permission
 0 = does not have the permission
 1 = does have the permission
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
 HAS_PERMS_BY_NAME()
 Function that returns bit indicating if the current user has the specified
permission
 0 = does not have the permission
 1 = does have the permission
 Syntax: HAS_PERMS_BY_NAME (<securable>, <securable class>,
<permission> [, <sub-securable>] [, <sub-securable class>])
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
 HAS_PERMS_BY_NAME()
 Function that returns bit indicating if the current user has the specified
permission
 0 = does not have the permission
 1 = does have the permission
 Syntax: HAS_PERMS_BY_NAME (<securable>, <securable class>,
<permission> [, <sub-securable>] [, <sub-securable class>])
 Example: HAS_PERMS_BY_NAME(N'dbo.ErrorLog', N'Object', N'SELECT')
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
 xp_logininfo
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
 xp_logininfo
 Extended stored procedure that returns login mappings for a user or
group memberships for a Windows group
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
 xp_logininfo
 Extended stored procedure that returns login mappings for a user or
group memberships for a Windows group
 Viewing login mappings:
 Syntax: Exec xp_logininfo N‘<user>', N'all';
 Example: Exec xp_logininfo N'SQLMCMLap\SQLTest1', N'all';
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
 xp_logininfo
 Extended stored procedure that returns login mappings for a user or
group memberships for a Windows group
 Viewing login mappings:
 Syntax: Exec xp_logininfo N‘<user>', N'all';
 Example: Exec xp_logininfo N'SQLMCMLap\SQLTest1', N'all';
 Viewing group memberships:
 Syntax: Exec xp_logininfo N‘<group>', N‘members';
 Example: Exec xp_logininfo N'SQLMCMLap\SQLDev', N‘members';
Who Has What to Which?
(The Permissions Superset)
Who Has What to Which?
(The Permissions Superset)
Database owner:
Who Has What to Which?
(The Permissions Superset)
Database owner:
 Mapped automatically to the dbo account
Who Has What to Which?
(The Permissions Superset)
Database owner:
 Mapped automatically to the dbo account
 Has all permissions inside of database (DML, DDL, etc)
Who Has What to Which?
(The Permissions Superset)
Database owner:
 Mapped automatically to the dbo account
 Has all permissions inside of database (DML, DDL, etc)
 Has very broad permissions for modifying the database properties
Who Has What to Which?
(The Permissions Superset)
Database owner:
 Mapped automatically to the dbo account
 Has all permissions inside of database (DML, DDL, etc)
 Has very broad permissions for modifying the database properties
 Can make a variety of changes that can be damaging to the database
or even the server
Who Has What to Which?
(The Permissions Superset)
Database owner:
 Mapped automatically to the dbo account
 Has all permissions inside of database (DML, DDL, etc)
 Has very broad permissions for modifying the database properties
 Can make a variety of changes that can be damaging to the database
or even the server
 Page verification, file settings, recovery model, auto-shrink, auto-close,
etc
Who Has What to Which?
(The Permissions Superset)
Database owner:
 Mapped automatically to the dbo account
 Has all permissions inside of database (DML, DDL, etc)
 Has very broad permissions for modifying the database properties
 Can make a variety of changes that can be damaging to the database
or even the server
 Page verification, file settings, recovery model, auto-shrink, auto-close,
etc
 Still cannot change TRUSTWORTHY
Who Has What to Which?
(The Permissions Superset)
Database owner:
 Mapped automatically to the dbo account
 Has all permissions inside of database (DML, DDL, etc)
 Has very broad permissions for modifying the database properties
 Can make a variety of changes that can be damaging to the database
or even the server
 Page verification, file settings, recovery model, auto-shrink, auto-close,
etc
 Still cannot change TRUSTWORTHY
 Impersonated by sysadmin when sysadmin is in the database
Who Has What to Which?
(The Permissions Superset)
Database owner:
 Mapped automatically to the dbo account
 Has all permissions inside of database (DML, DDL, etc)
 Has very broad permissions for modifying the database properties
 Can make a variety of changes that can be damaging to the database
or even the server
 Page verification, file settings, recovery model, auto-shrink, auto-close,
etc
 Still cannot change TRUSTWORTHY
 Impersonated by sysadmin when sysadmin is in the database
 If no valid owner, you may receive error that the user cannot perform
the requested action under the current security context
Who Has What to Which?
(The Permissions Superset)
Who Has What to Which?
(The Permissions Superset)
Contained database user:
Who Has What to Which?
(The Permissions Superset)
Contained database user:
 By default, a contained user can only access the contained
database
Who Has What to Which?
(The Permissions Superset)
Contained database user:
 By default, a contained user can only access the contained
database
 If a contained user is recreated in another database with the same
SID, the user can cross databases if the database they are currently
in has TRUSTWORTHY enabled
Who Has What to Which?
(The Permissions Superset)
Contained database user:
 By default, a contained user can only access the contained
database
 If a contained user is recreated in another database with the same
SID, the user can cross databases if the database they are currently
in has TRUSTWORTHY enabled
 Moral: never set TRUSTWORTHY unless the CEO is standing at your
desk threatening to fire you
Who Has What to Which?
(The Permissions Superset)
Thanks!
Thank you for coming!
 My blog: www.sqlsoldier.com
 Twitter: twitter.com/SQLSoldier
 Need help with your project: www.DBBest.com