Home > Articles > Data > SQL Server

SQL Server Reference Guide

Hosted by

Toggle Open Guide Table of ContentsGuide Contents

Close Table of ContentsGuide Contents

Close Table of Contents

Security: Using the Command Line

Last updated Mar 28, 2003.

I'm continuing my series on the concepts behind SQL Security. In the previous entries I've explain SQL Server logins and database logons, and I've given you the basics on object and statement permissions. You should read through those before you read this article — I’ll bring everything together here, from creating users and roles to assigning permissions to objects like tables, views and stored procedures.

Security is all about allowing only the access to objects needed by a "principal," which is what Microsoft calls any entity that uses SQL Server, from people to service and certificates. The process for assigning permissions can be very complex, but if you break it down it can be simplified. I usually follow this process:

  • Identify the objects in the database
  • Identify the users who need access
  • Create database roles (more on this in a bit)
  • Set the permissions for the roles on the objects
  • Add the users to the roles

I normally lay out these elements in a spreadsheet to create the security matrix. I can then implement the design using graphical tools as I've shown you in the other tutorials or by using commands. In fact, if you set up the spreadsheet with the commands, you can create your security scripts from there. I'll show you how I do this in another tutorial.

Identify the Objects You want to Secure (Securables)

To identify the objects, you can just look at them in the graphical tools in Enterprise Manager (EM) or SQL Server Management Studio (SSMS), or, if your graphical diagrams are accurate, you can use those. I normally use the INFORMATION_SCHEMA system construct to list out the objects I want to apply permissions to — in most cases, Tables, views and Stored Procedures, like this:

/* Identify the Objects - Tables, Views, Stored Procedures: */
SELECT TABLE_NAME
FROM INFORMATION_SCHEMA.TABLES
ORDER BY TABLE_NAME ASC;
GO
SELECT TABLE_NAME AS 'VIEW_NAME'
FROM INFORMATION_SCHEMA.VIEWS
ORDER BY TABLE_NAME ASC;
GO
SELECT ROUTINE_NAME, ROUTINE_TYPE 
FROM INFORMATION_SCHEMA.ROUTINES
ORDER BY ROUTINE_NAME ASC;
GO

Note that the INFORMATION_SCHEMA view is ISO compliant; it does not list every object SQL Server can work with. I present it here because it is the most compatible way of working across systems. I normally only apply permissions at these levels anyway — it catches all of the objects I normally work with.

Identifying or Creating the Principals

As I explained in earlier tutorials, you need to create a server login account before you can assign a database object permission. Then you can tie the login to a to a database user, and then grant or deny that account permissions to various objects in a database. I recommend that you add the additional steps of creating a database “Role”, and apply permissions to that, and then add the user to the Role — but I’ll cover that more in a moment.

I’ve also explained that there are two types of login authentication for SQL Server: Windows users and SQL Server users. The commands I’m about to show you depend on the type of authentication your server has installed. I'm going to show you how to use the stored procedures that SQL Server provides for security, and I’ll also show you the more ANSI-compliant method of using the CREATE, DROP, and other Transact-SQL commands to work with security. While there are some stored procedures that simplify things greatly, you should learn the newer syntax. I’ll show both here — and you can choose which to work with.

The first stored procedure for creating SQL Server logins using SQL authentication is called sp_addlogin. The format looks like this:

sp_addlogin ’username’, ’password'

If you have Windows authentication set on your server, you use a different stored procedure called sp_grantlogin, and it doesn't require the password:

sp_grantlogin ’domain\username’

Notice that you have to specify the domain name. SQL Server will "trust" that account, so it doesn’t track the password. If you're not on a domain but in a workgroup instead, the domain name is the server name itself. Keep in mind that the user would need to authenticate with that name and password on the SQL Server system, so unless this is a locally installed version of SQL Server you'll want to either use a domain or create a SQL Server login for that situation.

Here are some other commands you can use to work with logins, with links to the syntax for each:

Stored Procedure

Purpose

sp_defaultdb

Sets a login’s default database

sp_denylogin

Denies a login

sp_droplogin

Removes a login

sp_helplogins

Displays logins

sp_password

Changes a login’s password

sp_revokelogin

Revokes a login

sp_validatelogins

Shows "orphans" in the database. These are logins that exist in SQL Server, but no longer exist as a Windows account.

Rather than working with the stored procedures, you might want to learn to work with the CREATE syntax, which is more standard. The basic format looks like this for a Windows user:

/* Create Instance Accounts, Then Database Users */
-- Windows Account
CREATE LOGIN [MyDomain\Buck] 
FROM WINDOWS;
GO
And like this for a  SQL Server based account:
-- SQL Server Account
CREATE LOGIN User1 
WITH PASSWORD = 'Letmein12345';
GO

Once you have the Server logins created, it’s time to tie the login to access a database. Once again, you can use a stored procedure to do this — sp_grantdbaccess. Here's an example of the syntax:

sp_grantdbaccess ’domain\WindowsUserName, ’SQLLoginName’

Make sure you’re "in" the database to which you’re granting the account access. You can do that by pulling down the database name menu in Query Analyzer/SQL Server Management Studio or (safer) by type the USE databasename command. What you’re doing with this stored procedure is setting the domain account to a user account in this database. Yes, you could name it something different, but you can also drive your car into a lake. There aren’t a lot of good reasons to do either one.

Just as with the logins, there are other commands to help you work with the logons, ones that you should learn to use. To create a new user in a database that is tied to a SQL Server account, use the CREATE USER command, like this:

-- Database Login
CREATE USER User1
FOR LOGIN User1;
GO 

And there are some other stored procedures you can use to work with users once you create them. Here’s a couple that you might find useful:

Stored Procedure

Purpose

sp_helpuser

Displays information about a database user

sp_revokedbaccess

Removes a login from the database

Create Database Roles, Assign Users to the Roles

I’m not going to spend a great deal of time on roles in this tutorial; I’ll cover the entire concept of roles in a following tutorial. But for now you can think of a Role in a database like a Group in Windows or Unix. they merely contain database users, or even other Roles. Simply creating a Role doesn’t do anything special — but once you do, you can assign permissions to the Role for things like a table or stored procedure. Here’s how to create a Role in a database (remember to use the USE statement to move to the database first):

/* Create A database Role */
CREATE ROLE SelectFromView;
GO
CREATE ROLE ExecuteAProc;
GO
Now it’s a matter of placing the user in a Role. For that, it’s OK to use a stored procedure, and it’s very simple to do that:
/* Add user to Role */
EXEC sp_addrolemember 'SelectFromView'
, 'User1';
GO 
EXEC sp_addrolemember 'ExecuteAProc'
, 'User1';
GO

Now that you have your server logins, the database users created, and you’ve assigned the user to a Role, you need to set the permissions for the various database objects.

Set Permissions on the Object to the Role

You can grant or deny permissions to users or roles. The main commands to use are GRANT, DENY and REVOKE. Remember that permissions are layered on each object, so permissions need to be set on views and the tables they references, unless they are owned by the same account, and if the objects are owned by a single user, you only have to set permissions on the "parent" object.

Not only does each object require the security, but each statement requires the security. In other words, if you need to allow access to a few columns in a table, you have to issue the GRANT command on the table and the SELECT, INSERT, UPDATE, and DELETE verbs. The verbs are self-explanatory. Using this "layered" security approach, you can set certain accounts (or roles) to be able to see (SELECT) certain portions of data from a table and not be able to change (UPDATE) or erase (DELETE) it.

The one verb I didn’t mention is the EXECUTE permission. As long as one account created the objects in the database, you only need to set the permission on the stored procedure.

The GRANT verb allows access to an object. The general syntax looks like this:

GRANT SELECT
ON object
TO principal (like a Role or a User)
You can use more than one verb here — just add a comma between them, like this:
GRANT SELECT, UPDATE
ON object
TO principal

You don’t have to type every verb if you want to give every permission to an account. Just use the ALL permission, which is basically everything.

What if you want the opposite? If you don’t want to the account to access an object, use the DENY verb. The general syntax looks like this:

DENY INSERT
ON object
TO principal

Remember the REVOKE command? I know we haven’t talked about roles yet, but let’s say "Buck" is a member of a role called "Normal" (no real danger of that). Let’s say that we don’t want Buck to be able to access a table, even though his group (Normal) still needs to. For that, use the DENY verb. But let’s say now you want Buck not to have access to the table, but if he’s the member of a group that does need access, we don’t want to affect that. For that situation, use the REVOKE command. It looks like this:

REVOKE SELECT 
ON authors
FROM [HQ\Buck]

I’ll show you how to put these commands to good use in the next few tutorials on security.

Books and eBooks

I cover more about security in my book Administrator's Guide to SQL Server 2005. Even though it’s a previous version, the information still holds for the security aspects.

Online Resources

The primary site for SQL Server security is here.