Table of Contents
- Microsoft SQL Server Defined
- Microsoft SQL Server Features
- Microsoft SQL Server Administration
- Microsoft SQL Server Programming
- Performance Tuning
- Choosing the Back End
- The DBA's Toolbox, Part 1
- The DBA's Toolbox, Part 2
- Scripting Solutions for SQL Server
- Building a SQL Server Lab
- Using Graphics Files with SQL Server
- Enterprise Resource Planning
- Customer Relationship Management (CRM)
- Building a Reporting Data Server
- Building a Database Documenter, Part 1
- Building a Database Documenter, Part 2
- Data Management Objects
- Data Management Objects: The Server Object
- Data Management Objects: Server Object Methods
- Data Management Objects: Collections and the Database Object
- Data Management Objects: Database Information
- Data Management Objects: Database Control
- Data Management Objects: Database Maintenance
- Data Management Objects: Logging the Process
- Data Management Objects: Running SQL Statements
- Data Management Objects: Multiple Row Returns
- Data Management Objects: Other Database Objects
- Data Management Objects: Security
- Data Management Objects: Scripting
- Powershell and SQL Server - Overview
- PowerShell and SQL Server - Objects and Providers
- Powershell and SQL Server - A Script Framework
- Powershell and SQL Server - Logging the Process
- Powershell and SQL Server - Reading a Control File
- Powershell and SQL Server - SQL Server Access
- Powershell and SQL Server - Web Pages from a SQL Query
- Powershell and SQL Server - Scrubbing the Event Logs
- SQL Server 2008 PowerShell Provider
- SQL Server I/O: Importing and Exporting Data
- SQL Server I/O: XML in Database Terms
- SQL Server I/O: Creating XML Output
- SQL Server I/O: Reading XML Documents
- SQL Server I/O: Using XML Control Mechanisms
- SQL Server I/O: Creating Hierarchies
- SQL Server I/O: Using HTTP with SQL Server XML
- SQL Server I/O: Using HTTP with SQL Server XML Templates
- SQL Server I/O: Remote Queries
- SQL Server I/O: Working with Text Files
- Using Microsoft SQL Server on Handheld Devices
- Front-Ends 101: Microsoft Access
- Comparing Two SQL Server Databases
- English Query - Part 1
- English Query - Part 2
- English Query - Part 3
- English Query - Part 4
- English Query - Part 5
- RSS Feeds from SQL Server
- Using SQL Server Agent to Monitor Backups
- Reporting Services - Creating a Maintenance Report
- SQL Server Chargeback Strategies, Part 1
- SQL Server Chargeback Strategies, Part 2
- SQL Server Replication Example
- Creating a Master Agent and Alert Server
- The SQL Server Central Management System: Definition
- The SQL Server Central Management System: Base Tables
- The SQL Server Central Management System: Execution of Server Information (Part 1)
- The SQL Server Central Management System: Execution of Server Information (Part 2)
- The SQL Server Central Management System: Collecting Performance Metrics
- The SQL Server Central Management System: Centralizing Agent Jobs, Events and Scripts
- The SQL Server Central Management System: Reporting the Data and Project Summary
- Time Tracking for SQL Server Operations
- Migrating Departmental Data Stores to SQL Server
- Migrating Departmental Data Stores to SQL Server: Model the System
- Migrating Departmental Data Stores to SQL Server: Model the System, Continued
- Migrating Departmental Data Stores to SQL Server: Decide on the Destination
- Migrating Departmental Data Stores to SQL Server: Design the ETL
- Migrating Departmental Data Stores to SQL Server: Design the ETL, Continued
- Migrating Departmental Data Stores to SQL Server: Attach the Front End, Test, and Monitor
- Tracking SQL Server Timed Events, Part 1
- Tracking SQL Server Timed Events, Part 2
- Patterns and Practices for the Data Professional
- Managing Vendor Databases
- Consolidation Options
- Connecting to a SQL Azure Database from Microsoft Access
- SharePoint 2007 and SQL Server, Part One
- SharePoint 2007 and SQL Server, Part Two
- SharePoint 2007 and SQL Server, Part Three
- Querying Multiple Data Sources from a Single Location (Distributed Queries)
- Importing and Exporting Data for SQL Azure
- Working on Distributed Teams
- Professional Development
- Application Architecture Assessments
- Business Intelligence
- Tips and Troubleshooting
- Additional Resources
Data Management Objects: Security
Last updated Mar 28, 2003.
Computer security has become a hot topic these days. It's in many technical and business journals, on the news, and the major newspapers. In fact, I just watched a two-hour program regarding identity theft on PBS; in that program, the speaker went into some detail on computer security. Its lapse has been highlighted in articles and reports on terrorism, which uses stolen identities and other data for illegal activities.
Database security is part of the package, but complete security isn't just about strong passwords or knowing who your users are. Those are certainly good elements to include in your security plan, but even before you consider them, you should evaluate what access each account needs. In addition, it's best to make a complete security review of all of your platforms, including SQL Server. It seems that lots of documentation is necessary for an adequate security plan.
So why don't we do that? I mean we, as in the Technical Professionals charged with protecting such things? There are two answers that I get most often when I ask about documenting security information.
The first answer I hear is, "I just don't have that much time. I know it's important, but I have so many other things to work on, security doesn't get the attention it deserves." The second answer I get goes something like this: "I can't possibly keep track of all the objects, users, groups, and security requirements. It changes way too often, and I don't know what the requirements are, anyway."
Well, I've got good news for you. Using SQL Server DMO programming, you can create security documentation quickly and easily. You can create a full matrix on the current security, and by monitoring the output, you can track when changes occur.
I've covered SQL Server security in depth before, but let's take a quick look at the basics once again, so that we have a reference for this article.
SQL Server security has two areas. The first area involves access, and the second involve rights. Let's take a look at the access part first.
The best way I've found to describe SQL Server security is like a building. To get into most modern office buildings, you need a card with a code for building access, and another code on the card to access a particular room.
Using this analogy, SQL Server is like the building, and a Server Login is the code for the front door. Each database is like the rooms in the building, and the databases require a Database Logon. So the login gets you in the front door (SQL Server) but not into a room, and the logon gets you into the room (a particular database).
SQL Server security can tie in to a Windows account, or you can create an account for SQL Server that doesn't use an operating system account at all. That's a bit different from operating system security, which deals with a single account all the time.
Either way, these accounts allow access to two things: the server and its database objects. As I've covered in other articles, each database then contains other objects, such as tables, views, and stored procedures.
These objects have two kinds of security: object and statement permissions. The object permissions allow access to an object, and statement permissions allow the account to create or alter an object. Let's focus on the statement permissions here.
Statement permissions allow a user account to perform such actions as SELECT, INSERT, and DELETE (The UPDATE command is actually an implied DELETE and then INSERT). For stored procedures, they include EXECUTE permissions. These permissions exist separately on each object, unless the parent object (such as a stored procedure) was created by the same user as the underlying object (such as the table the stored procedure uses). In that case, the administrator only has to grant the EXECUTE permission on the stored procedure, greatly simplifying what you have to track.
It's best to have a listing of the security for each user, per object, per statement. That's a lot of tracking! You can use SQL Server DMO programming to make that effort a lot easier.
The following code travels down a particular database for all non-system groups, and shows all the object permissions for each of those groups.
' Get and set a SQL DMO server object, and connect ' to the local server instance Set oServer = CreateObject("SQLDMO.SQLServer") oServer.LoginSecure = True oServer.Connect "(local)" ' Get and set a database object Set oDatabase = oServer.Databases("pubs") ' Get and set a database role object Set oDatabaseRole = oDatabase.DatabaseRoles ' Here is the outer loop for the roles For Each oDatabaseRole in oDatabase.DatabaseRoles ' Exclude the system roles If oDatabaseRole.IsFixedRole = False Then ' Get and set a permissions object Set oRolePermission = oDatabaserole.ListObjectPermissions(SQLDMOPriv_AllObjectPrivs) ' Inner loop for the permission, by object and group For Each oRolePermission in oDatabaserole.ListObjectPermissions(SQLDMOPriv_AllObjectPrivs) strMsgText = strMsgText & oRolePermission.PrivilegeTypeName + ", " + oRolePermission.ObjectOwner + "." + oRolePermission.ObjectName + ", " + oRolePermission.Grantee & vbcrlf Next End If Next ' Display. You could also send this to a file MsgBox strMsgText,,"Permission, Object, Group" 'Clean up Set oRolePermission = Nothing Set oDatabase = Nothing Set oServer = Nothing
Let's deconstruct this code a bit. In the first section, I connect to the server and the database in which I'm interested. You can use a collection to iterate through all your servers and/or databases to make this part of the code more extensible.
In the lines:
' Get and set a database role object Set oDatabaseRole = oDatabase.DatabaseRoles
I'm using a new property on the Database collection, called DatabaseRoles. This property provides access to the roles defined in the database.
This code uses two loops: one for the roles in the database, and the other for the permissions the role owns. Notice that the permission is iterated through the role – not through the object. That's an important distinction.
Within the outer loop I've used an If statement to exclude the system roles – which should never change anyway.
The next few lines show the full complexity of displaying security. You can see that I've set a line to fill the oRolePermission object with the list of object permissions:
Set oRolePermission = oDatabaserole.ListObjectPermissions(SQLDMOPriv_AllObjectPrivs)
Now that these objects are available, the inner loop uses them to access properties like oRolePermission.PrivilegeTypeName.
I captured the information from these roles into a text variable and then displayed that in a message box, but you can also send the results to a file to create a matrix. You can then parse that file to create a history of security changes.
In this article, I've only shown the documentation of the security on a few objects. You can use these same techniques on all of the SQL Server objects that have security, and you can also use them to change that security. You can add users and groups using DMO programming. For more information on these processes, check out the references at the end of this article.
In the next tutorial, I'll finish up this section on DMO with a discussion on another useful function: scripting.
The full documentation for the SQL Server Object Library can be found here.
You can read more on SQL Server Security from Microsoft here. This site has a lot of good resources and a few good downloads.
InformIT Tutorials and Sample Chapters
If you're looking for a preview of how security will change in SQL 2005, check out this article.
Service Packs are the main source of security updates for SQL Server. Roberta Bragg covers more in this free sample chapter from her book on becoming an MCSE.