Transcript Slide 1

Fixed database roles
Date :12-4-2011
Prepared by : Intesar G Ali
IT Department
Palestinian Land Authority
1
Fixed Database-Level Roles








db_ddladmin
db_securityadmin
db_accessadmin
db_backupoperator
db_datawriter
db_datareader
db_denydatawriter.
db_denydatareader
Prepared by : Intesar G Ali
IT Department
Palestinian Land Authority
2
The db_owner role

Like the sysadmin fixed server role, the db_owner role has complete control,
except in this case it is control of the database instead of the whole server.

CREATE AUTHORIZATION ON DATABASE::database_name TO valid_login

The db_owner can assign permissions,

backup and restore the database,
create and destroy objects,
manage user accounts and roles without any restrictions. Like with the db_ddladmin role,



DBAs should exercise caution before giving out the db_owner role, even in
development. Give developers only what rights they need and no more.

Caution: It is a best practice to ensure rights, regardless of system, are the minimum
required to do the job and nothing greater. This is the Principle of Least Privilege.
Even if a user has good track record of doing only what they are supposed to do,
Prepared by : Intesar G Ali
IT Department
Palestinian Land Authority
3
The db_ddladmin role

A user with the db_ddladmin fixed database role has rights to issue (DDL) statements
in order to CREATE, DROP, or ALTER objects in the database.

The ability to set permissions such as with DENY, GRANT, or REVOKE, however, is
not given to the db_ddladmin role.
list the rights of this role:













All DDL but GRANT, REVOKE, DENY
REFERENCES permission on any table
sp_changeobjectowner
dbcc cleantable : Reclaims space from dropped variable-length columns in tables or indexed views
dbcc show_statistics :displays current query optimization statistics for a table or indexed view
dbcc showcontig :Displays fragmentation information for the data and indexes of the specified table or view.
sp_fulltext_column :Specifies whether or not a particular column of a table participates in full-text indexing.
sp_fulltext_table: Marks or unmarks a table for full-text indexing.
sp_recompile : Causes stored procedures and triggers to be recompiled the next time that they are run
sp_rename :Changes the name of a user-created object in the current database
sp_tableoption: Sets option values for user-defined tables
TRUNCATE TABLE :Removes all rows from a table without logging the individual row deletes.
Prepared by : Intesar G Ali
IT Department
Palestinian Land Authority
4
The db_ddladmin role

sp_changeobjectowner permissions has an additional requirement. In order for a member of the
db_ddladmin role to be able to successfully call sp_changeobjectowner, the member must also
be a member of the db_securityadmin database role. When an object’s owner is changed,
permissions are changed as well.

As a result, there is a check built into the system stored procedure to verify that a calling user is
either a db_owner or the combination of a db_ddladmin and db_securityadmin:

DBAs should exercise great caution with this database role.

The db_ddladmin role has the ability to create objects under the context of any valid user. This
means the role can create objects belonging to dbo simply by specifying the owner in the CREATE
statement.

Note: Because of the ability to create an object with any owner, I would not recommend any user
being granted this right in a production environment except in the rarest of circumstances.

Even in development you should carefully weigh its use for personnel outside of the DBA team.
This is a good security permission for a junior DBA who is only assigned development tasks,
however.
Prepared by : Intesar G Ali
IT Department
Palestinian Land Authority
5
The db_securityadmin role

db_securityadmin Members can modify role membership and manage permissions. Adding
principals to this role could enable unintended privilege escalation.

The list includes the DENY, GRANT, and REVOKE commands along with all the store procedures
for managing roles.

The full list is:














DENY
GRANT
REVOKE
sp_addapprole
sp_addgroup
sp_addrole
sp_addrolemember
sp_approlepassword
sp_changegroup
sp_changeobjectowner
sp_dropapprole
sp_dropgroup
sp_droprole
sp_droprolemember
Prepared by : Intesar G Ali
IT Department
Palestinian Land Authority
6
The db_securityadmin role

sp_changeobjectowner. Recall from my discussion of the db_ddladmin security role
that sp_changeobjectowner requires either db_owner or the combination of
db_ddladmin and db_securityadmin role membership. This is because the stored
procedure makes a schema and a permission change.

This example changes the owner of the authors table to TESTuser.
,
valid owner user or role
EXEC sp_changeobjectowner 'authors', ‘testuser'

Surprisingly enough ,the db_securityadmin role cannot add users to the fixed
database roles.

Only db_owner role members can add users to a fixed database role and this is by
design in SQL Server
Prepared by : Intesar G Ali
IT Department
Palestinian Land Authority
7
The db_accessadmin role

Members can add or remove access for Windows logins, Windows groups, and SQL Server
logins.

It has the ability to add and remove user access to the database just as the securityadmin has
the ability to add and remove logins to the server.

The db_accessadmin role does not, however, have the ability to create or remove database
roles, nor does it have the ability to manage permissions.


sp_dropalias :Removes an alias that links a user in the current database to a SQL Server login.
sp_dropuser :Removes a database user from the current database
sp_grantdbaccess :Adds a database user to the current database.
sp_revokedbaccess: Removes a database user from the current database.
sp_addalias : Maps a login to a user in a database:

CREATE USER test FOR LOGIN test






Tip: To give a user the ability to add users to the database AND manage roles and permissions,
make the user a member of both the db_accessadmin role and the db_securityadmin role.
sp_dropalias, sp_addalias , sp_dropuser, sp_grantdbaccess, sp_revokedbaccess: This feature
will be removed in the next version of Microsoft SQL Server
Use Create user, Drop user,
Prepared by : Intesar G Ali
IT Department
Palestinian Land Authority
8
The db_backupoperator role

db_backupoperator Members can backup the database.

The whole purpose of the db_backupoperator is to have sufficient rights to create backups
of a database.

Restore permissions, however, are not granted to the db_backupoperator role.

BACKUP DATABASE
BACKUP LOG
CHECKPOINT :Writes all dirty pages for the current database to disk




I will say that I don’t use this role a whole lot. Most of the backup jobs I run are controlled
by SQL Server Agent or an external job scheduler and write backups to disk.

These backups are then grabbed by a third-party product backup product and written to
tape. Since the SQL Server Agent or job scheduler has sysadmin level access,
Prepared by : Intesar G Ali
IT Department
Palestinian Land Authority
9
The db_datareader role


db_datareader Members can run a SELECT statement against any table or view in the database
db_datareader
SELECT permission on any object

This role is often used in reporting databases where users would be coming in via a third-party
reporting tool and building their own ad-hoc queries.

If you need to restrict a user to only be able to read from certain tables, the db_datareader is
not the right choice as it would have to be combined with the explicit use of DENY permissions on
tables the user shouldn’t be able to access.

A better practice would be to create a user-defined database role with the proper permissions

One key point about the db_datareader role is that it always has the right to read all tables and
views. That means if you create a new table in the database, a member of the db_datareader role
has access immediately.

This differs greatly from a user-defined role with which you must explicitly grant each permission.
Therefore, unless you give user-defined role permission to access a database object such as a table
or view, that role can’t do so.
Not only does it have access to user tables but also system tables.


That means a member of the db_datareader role can execute a SELECT query against a system
table even you decide to revoke public access to SELECT against these tables.

(keep in mind that revoking default permissions would result in an unsupported configuration so far
as Microsoft is concerned).
Prepared by : Intesar G Ali
IT Department
Palestinian Land Authority
10
The db_datawriter role

db_datawriter Members can add, delete, or change data in all user tables.

DELETE, INSERT ,UPDATE permission on any object

The db_datawriter role has the ability to modify via INSERT, UPDATE, or DELETE
data in any table or view in the database.

the db_datawriter role has permission to write to all tables and views, regardless of
when they get created. So if you assign a user to the db_datawriter role and then
create a table in the database, the user has access to modify the table immediately.

if specific permissions are needed, I recommend a user-defined database role as a
better option.
Prepared by : Intesar G Ali
IT Department
Palestinian Land Authority
11
The db_denydatareader role

db_denydatareader Members cannot read any data in the user tables within a database.

db_denydatareader

The db_denydatareader role is the exact opposite of the db_datareader role: instead of granting
SELECT permissions on any database object, the db_denydatareader denies SELECT
permissions.

If access to the database can be controlled completely via stored procedures (with no dynamic
SQL queries), it may be a good idea to make standard users a member of this role.

By placing a user into the db_denydatareader role, the user is unable to connect to the database
and generate a SELECT query against any table.

If the same user is granted execute rights to a stored procedure that controls how a
particular table should be accessed, the user can only view data based on how the stored
procedure is coded, meaning data access can be carefully controlled.

GRANT EXECUTE ON dbo.usp_ControlSELECT TO testuser
GO

Keep in mind that the public role has SELECT permissions against all tables in the default
Northwind database configuration. Simply adding testuser to db_denydatareader has ensure
the user cannot access the Customers table directly, even with the wide-open access granted
No SELECT permission on any object
to the public role.
Prepared by : Intesar G Ali
IT Department
Palestinian Land Authority
12
The db_denydatawriter role

db_denydatawriter Members cannot add, modify, or delete any data in the user
tables within a database.

No DELETE, No INSERT, No UPDATE permission on any object

Like db_denydatareader, the db_denydatawriter role serves to restrict
permissions on a given database.

the user is preventing from modifying the data on any data via an INSERT,
UPDATE, or DELETE statement.

if access can be completely controlled by stored procedures, this is a good
role to put a standard user into. This will insure the user only accesses the
data in the means intended.

Tip: If data access can be controlled via stored procedures while maintaining
ownership chains and completely avoiding dynamic SQL, consider using the
db_denydatareader and db_denydatawriter role for regular users to restrict
data access to the stored procedures only.
Prepared by : Intesar G Ali
IT Department
Palestinian Land Authority
13
The public role

So if all current and future users who have rights to a database should have the
ability to access a particular stored procedure, rights could be assigned to the
public role, such as in the following example:

GRANT EXECUTE ON dbo.EveryoneStoredProc TO public

I assign no permissions to the public role and I recommend strongly that
you don’t either.

If I have a case where all users should access a particular object, I’ll create
a user-defined role.

My reason is simple: while everyone currently requires access to that
particular object, this may not always be the case. If, in the future, a single
user does not require permissions, I’ll be forced to uncouple the rights to
the public role, create a new role, and assign the permissions to it. I’ll then
be adding all the users except for the one in question to the new role. It’s
much simpler if I go ahead and do this up front, rather than try and do it
later after additional complexity may have been added.
Prepared by : Intesar G Ali
IT Department
Palestinian Land Authority
14
dbo Versus db_owner

In every database there is a special user, dbo.

While dbo has the effective permissions of a database owner, it is not one
and the same as the db_owner role.

Any user account can be assigned to the db_owner role, giving that user
complete control of the database.

The dbo user account is a special account which all members of the
sysadmin role are implicitly mapped to.

Also, the system table sysdatabases (located in master) stores who is the
owner of the database (and is assigned the dbo user account) in the sid
field.

So not only are sysadmins mapped to dbo, but so is the database owner.

The dbo user will always have db_owner rights to a given database, but it is
more than just a default user account.
Prepared by : Intesar G Ali
IT Department
Palestinian Land Authority
15
dbo Versus db_owner

The reason the sid of the database owner is important is in the case of a damaged
database. Normally, a db_owner role member could restore a database,

but the information on who belongs to the db_owner role is stored within the database
itself. If the database is damaged, SQL Server won’t be able to determine who are
members of the db_owner role

The only logins it knows for certain have the appropriate rights is the db_owner (by virtue
of the information stored in sysdatabases) and those who are assigned to the sysadmin
fixed server role (since they have all rights anyway).

Any time SQL Server cannot obtain the information about the db_owner database role
because the database is unavailable, the actual owner (apart from the sysadmins) will be
the only one who can perform such functions.

Another difference deals with permissions. If a user is a member of the db_owner role but
not the dbo, DENY permissions still apply. In other words, if I issue a DENY to prevent a
particular user from executing a stored procedure (or selecting data from a table, etc.), the
user will be unable to issue the execute statement (or SELECT, etc.) as SQL Server will
prohibit the user from doing so.
Prepared by : Intesar G Ali
IT Department
Palestinian Land Authority
16
Concluding Comments

Some roles, such as db_securityadmin, are included to assist
DBAs with delegation of administration responsibilities for a given
database.

Other roles, such as db_datareader, are used to provide a simple
method of assigning blanket permissions for end users. With that
said.

there is no role for executing all stored procedures in a given
database. If you want something like this, you'll have to create it
manually.

Certain roles, such as db_ddladmin and db_owner, have very
broad permissions that typically aren't assigned in a production
environment.

Other roles, such as db_securityadmin, have limitations on the full
scope of permissions they are supposed to have.
Prepared by : Intesar G Ali
IT Department
Palestinian Land Authority
17
Thank you
Prepared by : Intesar G Ali
IT Department
Palestinian Land Authority
18