Table of Contents
- Microsoft SQL Server Defined
- Microsoft SQL Server Features
Microsoft SQL Server Administration
- The DBA Survival Guide: The 10 Minute SQL Server Overview
- Preparing (or Tuning) a Windows System for SQL Server, Part 1
- Preparing (or Tuning) a Windows System for SQL Server, Part 2
- Installing SQL Server
- Upgrading SQL Server
- SQL Server 2000 Management Tools
- SQL Server 2005 Management Tools
- SQL Server 2008 Management Tools
- SQL Azure Tools
- Automating Tasks with SQL Server Agent
- Run Operating System Commands in SQL Agent using PowerShell
- Automating Tasks Without SQL Server Agent
- Storage – SQL Server I/O
- Service Packs, Hotfixes and Cumulative Upgrades
- Tracking SQL Server Information with Error and Event Logs
- Change Management
- SQL Server Metadata, Part One
- SQL Server Meta-Data, Part Two
- Monitoring - SQL Server 2005 Dynamic Views and Functions
- Monitoring - Performance Monitor
- Unattended Performance Monitoring for SQL Server
- Monitoring - User-Defined Performance Counters
- Monitoring: SQL Server Activity Monitor
- SQL Server Instances
- DBCC Commands
- SQL Server and Mail
- Database Maintenance Checklist
- The Maintenance Wizard: SQL Server 2000 and Earlier
- The Maintenance Wizard: SQL Server 2005 (SP2) and Later
- The Web Assistant Wizard
- Creating Web Pages from SQL Server
- SQL Server Security
- Securing the SQL Server Platform, Part 1
- Securing the SQL Server Platform, Part 2
- SQL Server Security: Users and other Principals
- SQL Server Security – Roles
- SQL Server Security: Objects (Securables)
- Security: Using the Command Line
- SQL Server Security - Encrypting Connections
- SQL Server Security: Encrypting Data
- SQL Server Security Audit
- High Availability - SQL Server Clustering
- SQL Server Configuration, Part 1
- SQL Server Configuration, Part 2
- Database Configuration Options
- 32- vs 64-bit Computing for SQL Server
- SQL Server and Memory
- Performance Tuning: Introduction to Indexes
- Statistical Indexes
- Backup and Recovery
- Backup and Recovery Examples, Part One
- Backup and Recovery Examples, Part Two: Transferring Databases to Another System (Even Without Backups)
- SQL Profiler - Reverse Engineering An Application
- SQL Trace
- SQL Server Alerts
- Files and Filegroups
- Full-Text Indexes
- Read-Only Data
- SQL Server Locks
- Monitoring Locking and Deadlocking
- Controlling Locks in SQL Server
- SQL Server Policy-Based Management, Part One
- SQL Server Policy-Based Management, Part Two
- SQL Server Policy-Based Management, Part Three
- Microsoft SQL Server Programming
- Performance Tuning
- Practical Applications
- Professional Development
- Application Architecture Assessments
- Business Intelligence
- Tips and Troubleshooting
- Additional Resources
Security: Using the Command Line
Last updated Mar 28, 2003.
I'm continuing my series on the concepts behind SQL Security. In the previous entries I've explain SQL Server logins and database logons, and I've given you the basics on object and statement permissions. You should read through those before you read this article — I’ll bring everything together here, from creating users and roles to assigning permissions to objects like tables, views and stored procedures.
Security is all about allowing only the access to objects needed by a "principal," which is what Microsoft calls any entity that uses SQL Server, from people to service and certificates. The process for assigning permissions can be very complex, but if you break it down it can be simplified. I usually follow this process:
- Identify the objects in the database
- Identify the users who need access
- Create database roles (more on this in a bit)
- Set the permissions for the roles on the objects
- Add the users to the roles
I normally lay out these elements in a spreadsheet to create the security matrix. I can then implement the design using graphical tools as I've shown you in the other tutorials or by using commands. In fact, if you set up the spreadsheet with the commands, you can create your security scripts from there. I'll show you how I do this in another tutorial.
Identify the Objects You want to Secure (Securables)
To identify the objects, you can just look at them in the graphical tools in Enterprise Manager (EM) or SQL Server Management Studio (SSMS), or, if your graphical diagrams are accurate, you can use those. I normally use the INFORMATION_SCHEMA system construct to list out the objects I want to apply permissions to — in most cases, Tables, views and Stored Procedures, like this:
/* Identify the Objects - Tables, Views, Stored Procedures: */ SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES ORDER BY TABLE_NAME ASC; GO SELECT TABLE_NAME AS 'VIEW_NAME' FROM INFORMATION_SCHEMA.VIEWS ORDER BY TABLE_NAME ASC; GO SELECT ROUTINE_NAME, ROUTINE_TYPE FROM INFORMATION_SCHEMA.ROUTINES ORDER BY ROUTINE_NAME ASC; GO
Note that the INFORMATION_SCHEMA view is ISO compliant; it does not list every object SQL Server can work with. I present it here because it is the most compatible way of working across systems. I normally only apply permissions at these levels anyway — it catches all of the objects I normally work with.
Identifying or Creating the Principals
As I explained in earlier tutorials, you need to create a server login account before you can assign a database object permission. Then you can tie the login to a to a database user, and then grant or deny that account permissions to various objects in a database. I recommend that you add the additional steps of creating a database “Role”, and apply permissions to that, and then add the user to the Role — but I’ll cover that more in a moment.
I’ve also explained that there are two types of login authentication for SQL Server: Windows users and SQL Server users. The commands I’m about to show you depend on the type of authentication your server has installed. I'm going to show you how to use the stored procedures that SQL Server provides for security, and I’ll also show you the more ANSI-compliant method of using the CREATE, DROP, and other Transact-SQL commands to work with security. While there are some stored procedures that simplify things greatly, you should learn the newer syntax. I’ll show both here — and you can choose which to work with.
The first stored procedure for creating SQL Server logins using SQL authentication is called sp_addlogin. The format looks like this:
sp_addlogin ’username’, ’password'
If you have Windows authentication set on your server, you use a different stored procedure called sp_grantlogin, and it doesn't require the password:
Notice that you have to specify the domain name. SQL Server will "trust" that account, so it doesn’t track the password. If you're not on a domain but in a workgroup instead, the domain name is the server name itself. Keep in mind that the user would need to authenticate with that name and password on the SQL Server system, so unless this is a locally installed version of SQL Server you'll want to either use a domain or create a SQL Server login for that situation.
Here are some other commands you can use to work with logins, with links to the syntax for each:
Sets a login’s default database
Denies a login
Removes a login
Changes a login’s password
Revokes a login
Shows "orphans" in the database. These are logins that exist in SQL Server, but no longer exist as a Windows account.
Rather than working with the stored procedures, you might want to learn to work with the CREATE syntax, which is more standard. The basic format looks like this for a Windows user:
/* Create Instance Accounts, Then Database Users */ -- Windows Account CREATE LOGIN [MyDomain\Buck] FROM WINDOWS; GO And like this for a SQL Server based account: -- SQL Server Account CREATE LOGIN User1 WITH PASSWORD = 'Letmein12345'; GO
Once you have the Server logins created, it’s time to tie the login to access a database. Once again, you can use a stored procedure to do this — sp_grantdbaccess. Here's an example of the syntax:
sp_grantdbaccess ’domain\WindowsUserName, ’SQLLoginName’
Make sure you’re "in" the database to which you’re granting the account access. You can do that by pulling down the database name menu in Query Analyzer/SQL Server Management Studio or (safer) by type the USE databasename command. What you’re doing with this stored procedure is setting the domain account to a user account in this database. Yes, you could name it something different, but you can also drive your car into a lake. There aren’t a lot of good reasons to do either one.
Just as with the logins, there are other commands to help you work with the logons, ones that you should learn to use. To create a new user in a database that is tied to a SQL Server account, use the CREATE USER command, like this:
-- Database Login CREATE USER User1 FOR LOGIN User1; GO
And there are some other stored procedures you can use to work with users once you create them. Here’s a couple that you might find useful:
Displays information about a database user
Removes a login from the database
Create Database Roles, Assign Users to the Roles
I’m not going to spend a great deal of time on roles in this tutorial; I’ll cover the entire concept of roles in a following tutorial. But for now you can think of a Role in a database like a Group in Windows or Unix. they merely contain database users, or even other Roles. Simply creating a Role doesn’t do anything special — but once you do, you can assign permissions to the Role for things like a table or stored procedure. Here’s how to create a Role in a database (remember to use the USE statement to move to the database first):
/* Create A database Role */ CREATE ROLE SelectFromView; GO CREATE ROLE ExecuteAProc; GO Now it’s a matter of placing the user in a Role. For that, it’s OK to use a stored procedure, and it’s very simple to do that: /* Add user to Role */ EXEC sp_addrolemember 'SelectFromView' , 'User1'; GO EXEC sp_addrolemember 'ExecuteAProc' , 'User1'; GO
Now that you have your server logins, the database users created, and you’ve assigned the user to a Role, you need to set the permissions for the various database objects.
Set Permissions on the Object to the Role
You can grant or deny permissions to users or roles. The main commands to use are GRANT, DENY and REVOKE. Remember that permissions are layered on each object, so permissions need to be set on views and the tables they references, unless they are owned by the same account, and if the objects are owned by a single user, you only have to set permissions on the "parent" object.
Not only does each object require the security, but each statement requires the security. In other words, if you need to allow access to a few columns in a table, you have to issue the GRANT command on the table and the SELECT, INSERT, UPDATE, and DELETE verbs. The verbs are self-explanatory. Using this "layered" security approach, you can set certain accounts (or roles) to be able to see (SELECT) certain portions of data from a table and not be able to change (UPDATE) or erase (DELETE) it.
The one verb I didn’t mention is the EXECUTE permission. As long as one account created the objects in the database, you only need to set the permission on the stored procedure.
The GRANT verb allows access to an object. The general syntax looks like this:
GRANT SELECT ON object TO principal (like a Role or a User) You can use more than one verb here — just add a comma between them, like this: GRANT SELECT, UPDATE ON object TO principal
You don’t have to type every verb if you want to give every permission to an account. Just use the ALL permission, which is basically everything.
What if you want the opposite? If you don’t want to the account to access an object, use the DENY verb. The general syntax looks like this:
DENY INSERT ON object TO principal
Remember the REVOKE command? I know we haven’t talked about roles yet, but let’s say "Buck" is a member of a role called "Normal" (no real danger of that). Let’s say that we don’t want Buck to be able to access a table, even though his group (Normal) still needs to. For that, use the DENY verb. But let’s say now you want Buck not to have access to the table, but if he’s the member of a group that does need access, we don’t want to affect that. For that situation, use the REVOKE command. It looks like this:
REVOKE SELECT ON authors FROM [HQ\Buck]
I’ll show you how to put these commands to good use in the next few tutorials on security.
Books and eBooks
I cover more about security in my book Administrator's Guide to SQL Server 2005. Even though it’s a previous version, the information still holds for the security aspects.