Transcript lesson13

Permissions
Lesson 13
Skills Matrix
Security Modes
• Maintaining data integrity involves creating
users, controlling their access and limiting
their ability to read, change, add or delete
data.
• SQL Server processes user names and
passwords according to an authentication
mode. SQL Server provides two such modes:
– Windows Authentication.
– Mixed.
Windows Authentication Mode
• With this mode, users can sit down at their computers,
log in to the Windows domain, and gain access to SQL
Server using the Kerberos security protocol.
• Use Windows Authentication mode so users don’t have
to remember multiple usernames and passwords.
• Only users with Windows accounts can open a trusted
connection to SQL Server.
– This means others, such as Apple or Linux clients,
can’t use Windows Authentication mode because
they don’t have a Windows user account.
Mixed Mode
• Mixed mode allows both Windows
Authentication and SQL Server
Authentication (or Standard Authentication).
• Anyone can gain access to SQL Server using
Mixed mode. Mac users, Novell users, Unix
users, and the like, can gain access using
SQL Server authentication.
Permissions
• Now that you’ve created user accounts for
everyone, you need to restrict what those
users can do with the database.
• You do so by assigning permissions directly
to the users or adding the users to a
database role with a predefined set of
permissions.
Permissions
• These permissions control create, alter and
drop actions on:
– Databases
– Tables
– Views
– Procedures
– Indexes
– Rules
– Defaults
Object Permissions
• Once the structure exists to hold the data,
you need to give users permission to start
working with the data in the databases.
• You accomplish this by granting object
permissions to your users.
• Using object permissions, you can control
who may read from, write to, or otherwise
manipulate your data.
Object Permissions
• Alter
• Control
• Create
• Delete
• Execute
• Impersonate
• Insert
• References
• Select
• Take Ownership
• Update
• View Definition
Permission States
• All the permissions in SQL Server can exist in
one of three states:
– Granted
– Revoked
– Denied
Using Impersonation
• SQL Server supports the ability to impersonate
another principal either explicitly by using the
stand-alone EXECUTE AS statement, or implicitly by
using the EXECUTE AS clause on modules.
• The stand-alone EXECUTE AS statement can be
used to impersonate server-level principals, or
logins, by using the EXECUTE AS LOGIN statement.
– The stand-alone EXECUTE AS statement can also be
used to impersonate database level principals, or
users, by using the EXECUTE AS USER statement.
Using Impersonation
• Implicit impersonations that are performed
through the EXECUTE AS clause on modules
impersonate the specified user or login at
the database or server level.
– This impersonation depends on whether the
module is a database-level module, such as
a stored procedure or function, or a serverlevel module, such as a server-level trigger.
Cross-Database Ownership
• SQL Server can be configured to allow ownership
chaining between specific databases or across all
databases inside a single instance of SQL Server.
• Cross-database ownership chaining is disabled by
default.
• When multiple database objects access each other
sequentially, the sequence is known as a chain.
• Ownership chaining enables managing access to
multiple objects, such as multiple tables, by setting
permissions on one object, such as a view.
Summary
• SQL Server has a sophisticated security system
that allows you to carefully implement your security
plan.
– SQL Server can operate in Mixed security mode,
which means Windows users and groups can be
given access directly to SQL Server; or you can
create separate, unique accounts that reside
only in SQL Server.
– If SQL Server runs in Windows Authentication
mode, every user must first connect with a
preauthorized Windows account.
Summary
• Each database in SQL Server has its own
independent permissions.
• You looked at the two types of user
permissions: statement permissions, which
are used to create or change the data
structure, and object permissions, which
manipulate data.
• Remember that statement permissions can’t
be granted to other users.
Summary
• This lesson examined the processes of
creating and managing logins, groups, and
users.
• You learned how to create a Standard login
and a Windows user or group login using SQL
Server Management Studio or T-SQL, and you
learned the appropriate use of each.
• If you have a well-designed security plan that
incorporates growth, managing your user base
can be a painless task.
Summary for Certification Examination
• Know the differences in authentication modes.
• Know when to use Mixed mode versus Windows
Authentication mode.
• Mixed mode allows users who do not have an
Active Directory account, such as Novell or Unix
users, to access the SQL Server.
• Windows Authentication mode allows only users
with Active Directory accounts to access SQL
Server.
Summary for Certification Examination
• Understand permissions. Know what the
permissions are, what they are for, as well as how
to assign them.
• Don’t forget that two types of permissions exist,
object and statement.
• Object permissions control a user’s ability to create
or modify database objects, such as tables and
views.
• Statement permissions control a user’s ability to
manipulate data using statements such as SELECT
or INSERT.