Home > Articles > Data > SQL Server

SQL Server Reference Guide

Hosted by

Toggle Open Guide Table of ContentsGuide Contents

Close Table of ContentsGuide Contents

Close Table of Contents

Data Management Objects: Security

Last updated Mar 28, 2003.

Computer security has become a hot topic these days. It's in many technical and business journals, on the news, and the major newspapers. In fact, I just watched a two-hour program regarding identity theft on PBS; in that program, the speaker went into some detail on computer security. Its lapse has been highlighted in articles and reports on terrorism, which uses stolen identities and other data for illegal activities.

Database security is part of the package, but complete security isn't just about strong passwords or knowing who your users are. Those are certainly good elements to include in your security plan, but even before you consider them, you should evaluate what access each account needs. In addition, it's best to make a complete security review of all of your platforms, including SQL Server. It seems that lots of documentation is necessary for an adequate security plan.

So why don't we do that? I mean we, as in the Technical Professionals charged with protecting such things? There are two answers that I get most often when I ask about documenting security information.

The first answer I hear is, "I just don't have that much time. I know it's important, but I have so many other things to work on, security doesn't get the attention it deserves." The second answer I get goes something like this: "I can't possibly keep track of all the objects, users, groups, and security requirements. It changes way too often, and I don't know what the requirements are, anyway."

Well, I've got good news for you. Using SQL Server DMO programming, you can create security documentation quickly and easily. You can create a full matrix on the current security, and by monitoring the output, you can track when changes occur.

I've covered SQL Server security in depth before, but let's take a quick look at the basics once again, so that we have a reference for this article.

SQL Server security has two areas. The first area involves access, and the second involve rights. Let's take a look at the access part first.

The best way I've found to describe SQL Server security is like a building. To get into most modern office buildings, you need a card with a code for building access, and another code on the card to access a particular room.

Using this analogy, SQL Server is like the building, and a Server Login is the code for the front door. Each database is like the rooms in the building, and the databases require a Database Logon. So the login gets you in the front door (SQL Server) but not into a room, and the logon gets you into the room (a particular database).

SQL Server security can tie in to a Windows account, or you can create an account for SQL Server that doesn't use an operating system account at all. That's a bit different from operating system security, which deals with a single account all the time.

Either way, these accounts allow access to two things: the server and its database objects. As I've covered in other articles, each database then contains other objects, such as tables, views, and stored procedures.

These objects have two kinds of security: object and statement permissions. The object permissions allow access to an object, and statement permissions allow the account to create or alter an object. Let's focus on the statement permissions here.

Statement permissions allow a user account to perform such actions as SELECT, INSERT, and DELETE (The UPDATE command is actually an implied DELETE and then INSERT). For stored procedures, they include EXECUTE permissions. These permissions exist separately on each object, unless the parent object (such as a stored procedure) was created by the same user as the underlying object (such as the table the stored procedure uses). In that case, the administrator only has to grant the EXECUTE permission on the stored procedure, greatly simplifying what you have to track.

It's best to have a listing of the security for each user, per object, per statement. That's a lot of tracking! You can use SQL Server DMO programming to make that effort a lot easier.

The following code travels down a particular database for all non-system groups, and shows all the object permissions for each of those groups.

' Get and set a SQL DMO server object, and connect
' to the local server instance
Set oServer = CreateObject("SQLDMO.SQLServer")
oServer.LoginSecure = True
oServer.Connect "(local)"

' Get and set a database object
Set oDatabase = oServer.Databases("pubs")

' Get and set a database role object
Set oDatabaseRole = oDatabase.DatabaseRoles

' Here is the outer loop for the roles
For Each oDatabaseRole in oDatabase.DatabaseRoles 
	' Exclude the system roles
	If oDatabaseRole.IsFixedRole = False Then
		' Get and set a permissions object
		Set oRolePermission = oDatabaserole.ListObjectPermissions(SQLDMOPriv_AllObjectPrivs)
		' Inner loop for the permission, by object and group
		For Each oRolePermission in oDatabaserole.ListObjectPermissions(SQLDMOPriv_AllObjectPrivs) 
			strMsgText = strMsgText & oRolePermission.PrivilegeTypeName + ", " + oRolePermission.ObjectOwner + "." + oRolePermission.ObjectName + ", " + oRolePermission.Grantee & vbcrlf
		Next 
	End If

Next	

' Display. You could also send this to a file
MsgBox strMsgText,,"Permission, Object, Group" 

'Clean up
Set oRolePermission = Nothing
Set oDatabase = Nothing
Set oServer = Nothing

Let's deconstruct this code a bit. In the first section, I connect to the server and the database in which I'm interested. You can use a collection to iterate through all your servers and/or databases to make this part of the code more extensible.

In the lines:

' Get and set a database role object
Set oDatabaseRole = oDatabase.DatabaseRoles

I'm using a new property on the Database collection, called DatabaseRoles. This property provides access to the roles defined in the database.

This code uses two loops: one for the roles in the database, and the other for the permissions the role owns. Notice that the permission is iterated through the role – not through the object. That's an important distinction.

Within the outer loop I've used an If statement to exclude the system roles – which should never change anyway.

The next few lines show the full complexity of displaying security. You can see that I've set a line to fill the oRolePermission object with the list of object permissions:

Set oRolePermission = oDatabaserole.ListObjectPermissions(SQLDMOPriv_AllObjectPrivs)

Now that these objects are available, the inner loop uses them to access properties like oRolePermission.PrivilegeTypeName.

I captured the information from these roles into a text variable and then displayed that in a message box, but you can also send the results to a file to create a matrix. You can then parse that file to create a history of security changes.

In this article, I've only shown the documentation of the security on a few objects. You can use these same techniques on all of the SQL Server objects that have security, and you can also use them to change that security. You can add users and groups using DMO programming. For more information on these processes, check out the references at the end of this article.

In the next tutorial, I'll finish up this section on DMO with a discussion on another useful function: scripting.

Online Resources

The full documentation for the SQL Server Object Library can be found here.

You can read more on SQL Server Security from Microsoft here. This site has a lot of good resources and a few good downloads.

InformIT Tutorials and Sample Chapters

If you're looking for a preview of how security will change in SQL 2005, check out this article.

Service Packs are the main source of security updates for SQL Server. Roberta Bragg covers more in this free sample chapter from her book on becoming an MCSE.