To be able to access data from a database, a user must pass through two stages of authentication, one at the SQL Server level and the other at the database level. These two stages are implemented using Logins names and User accounts respectively. A valid login is required to connect to SQL Server and a valid user account is required to access a database.
Login: A valid
login name is required to connect to an SQL Server instance. A login could be:
- A
Windows NT/2000 login that has been granted access to SQL Server
- An
SQL Server login, that is maintained within SQL Server
These login names are maintained within the
master database. So, it is essential to backup the master database after adding
new logins to SQL Server.
User: A valid user account within a database is required to access that database. User accounts are specific to a database. All permissions and ownership of objects in the database are controlled by the user account. SQL Server logins are associated with these user accounts. A login can have associated users in different databases, but only one user per database.
User: A valid user account within a database is required to access that database. User accounts are specific to a database. All permissions and ownership of objects in the database are controlled by the user account. SQL Server logins are associated with these user accounts. A login can have associated users in different databases, but only one user per database.
During a new connection request, SQL Server
verifies the login name supplied, to make sure, that login is authorized to
access SQL Server. This verification is called Authentication. SQL Server
supports two authentication modes:
- Windows
authentication mode: With Windows authentication, you do not have to
specify a login name and password, to connect to SQL Server. Instead, your
access to SQL Server is controlled by your Windows NT/2000 account (or the
group to which your account belongs to), that you used to login to the
Windows operating system on the client computer/workstation. A DBA must
first specify to SQL Server, all the Microsoft Windows NT/2000 accounts or
groups that can connect to SQL Server
- Mixed
mode:
Mixed mode allows users to connect using Windows authentication or SQL
Server authentication. Your DBA must first create valid SQL Server login
accounts and passwords. These are not related to your Microsoft Windows
NT/2000 accounts. With this authentication mode, you must supply the SQL
Server login and password when you connect to SQL Server. If you do not
specify SQL Server login name and password, or request Windows
Authentication, you will be authenticated using Windows Authentication.
Point to note is that, whatever mode you
configure your SQL Server to use, you can always login using Windows
authentication.
Windows authentication is the recommended security mode, as it is more secure and you don't have to send login names and passwords over the network. You should avoid mixed mode, unless you have a non-Windows NT/2000 environment or when your SQL Server is installed on Windows 95/98 or for backward compatibility with your existing applications.
SQL Server's authentication mode can be changed using Enterprise Manager (Right click on the server name and click on Properties. Go to the Security tab).
Authentication mode can also be changed using SQL DMO object model.
Here is a list of helpful stored procedures for managing logins and users:
Windows authentication is the recommended security mode, as it is more secure and you don't have to send login names and passwords over the network. You should avoid mixed mode, unless you have a non-Windows NT/2000 environment or when your SQL Server is installed on Windows 95/98 or for backward compatibility with your existing applications.
SQL Server's authentication mode can be changed using Enterprise Manager (Right click on the server name and click on Properties. Go to the Security tab).
Authentication mode can also be changed using SQL DMO object model.
Here is a list of helpful stored procedures for managing logins and users:
|
sp_addlogin
|
Creates
a new login that allows users to connect to SQL Server using SQL Server
authentication
|
|
sp_grantlogin
|
Allows
a Windows NT/2000 user account or group to connect to SQL Server using
Windows authentication
|
|
sp_droplogin
|
Drops
an SQL Server login
|
|
sp_revokelogin
|
Drops
a Windows NT/2000 login/group from SQL Server
|
|
sp_denylogin
|
Prevents
a Windows NT/2000 login/group from connecting to SQL Server
|
|
sp_password
|
Adds
or changes the password for an SQL Server login
|
|
sp_helplogins
|
Provides
information about logins and their associated users in each database
|
|
sp_defaultdb
|
Changes
the default database for a login
|
|
sp_grantdbaccess
|
Adds
an associated user account in the current database for an SQL Server login or
Windows NT/2000 login
|
|
sp_revokedbaccess
|
Drops
a user account from the current database
|
|
sp_helpuser
|
Reports
information about the Microsoft users and roles in the current database
|
Now let's talk about controlling access to
objects within the database and managing permissions. Apart from managing
permissions at the individual database user level, SQL Server 7.0/2000
implements permissions using roles. A role is nothing but a group to which
individual logins/users can be added, so that the permissions can be applied to
the group, instead of applying the permissions to all the individual
logins/users. There are three types of roles in SQL Server 7.0/2000:
- Fixed
server roles
- Fixed
database roles
- Application
roles
Fixed server roles: These
are server-wide roles. Logins can be added to these roles to gain the
associated administrative permissions of the role. Fixed server roles cannot be
altered and new server roles cannot be created. Here are the fixed server roles
and their associated permissions in SQL Server 2000:
|
Fixed
server role
|
Description
|
|
sysadmin
|
Can
perform any activity in SQL Server
|
|
serveradmin
|
Can
set server-wide configuration options, shut down the server
|
|
setupadmin
|
Can
manage linked servers and startup procedures
|
|
securityadmin
|
Can
manage logins and CREATE DATABASE permissions, also read error logs and
change passwords
|
|
processadmin
|
Can
manage processes running in SQL Server
|
|
dbcreator
|
Can
create, alter, and drop databases
|
|
diskadmin
|
Can
manage disk files
|
|
bulkadmin
|
Can
execute BULK INSERT statements
|
Fixed database roles: Each
database has a set of fixed database roles, to which database users can be
added. These fixed database roles are unique within the database. While the
permissions of fixed database roles cannot be altered, new database roles can
be created. Here are the fixed database roles and their associated permissions
in SQL Server 2000:
|
Fixed
database role
|
Description
|
|
db_owner
|
Has
all permissions in the database
|
|
db_accessadmin
|
Can
add or remove user IDs
|
|
db_securityadmin
|
Can
manage all permissions, object ownerships, roles and role memberships
|
|
db_ddladmin
|
Can
issue ALL DDL, but cannot issue GRANT, REVOKE, or DENY statements
|
|
db_backupoperator
|
Can
issue DBCC, CHECKPOINT, and BACKUP statements
|
|
db_datareader
|
Can
select all data from any user table in the database
|
|
db_datawriter
|
Can
modify any data in any user table in the database
|
|
db_denydatareader
|
Cannot
select any data from any user table in the database
|
|
db_denydatawriter
|
Cannot
modify any data in any user table in the database
|
Create
Login
USE [master]
GO
CREATE LOGIN [test5] WITH PASSWORD=N'Passw0rd', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
EXEC master..sp_addsrvrolemember @loginame = N'test5', @rolename = N'sysadmin'
GO
Creating User:-
CREATE USER [test5 ] FOR LOGIN [Test5]
EXEC sp_addrolemember N'db_owner', N'test5'
END;
GO
No comments:
Post a Comment