Who Has What to Which?
Download
Report
Transcript Who Has What to Which?
Who Has What to Which?
(The Permissions Superset)
Robert L Davis
Principal Database Architect
[email protected]
@SQLSoldier
www.sqlsoldier.com
Please Support Our Sponsors
SQL Saturday is made possible with the generous support of these sponsors.
You can support them by opting-in and visiting them in the sponsor area.
Who Has What to Which?
(The Permissions Superset)
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
NET USER
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
NET USER
Add, delete, or modify user accounts on local machine or in AD
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
NET USER
Add, delete, or modify user accounts on local machine or in AD
Add a user:
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
NET USER
Add, delete, or modify user accounts on local machine or in AD
Add a user:
Syntax: net user <user name> <password> /ADD
Example: net user SQLTest1 Pa$$W0rd /ADD
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
NET USER
Add, delete, or modify user accounts on local machine or in AD
Add a user:
Syntax: net user <user name> <password> /ADD
Example: net user SQLTest1 Pa$$W0rd /ADD
Delete a user:
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
NET USER
Add, delete, or modify user accounts on local machine or in AD
Add a user:
Syntax: net user <user name> <password> /ADD
Example: net user SQLTest1 Pa$$W0rd /ADD
Delete a user:
Syntax: net user <user name> /DELETE
Example: net user SQLTest1 /DELETE
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
NET USER
Add, delete, or modify user accounts on local machine or in AD
Add a user:
Syntax: net user <user name> <password> /ADD
Example: net user SQLTest1 Pa$$W0rd /ADD
Delete a user:
Syntax: net user <user name> /DELETE
Example: net user SQLTest1 /DELETE
Modify password for user:
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
NET USER
Add, delete, or modify user accounts on local machine or in AD
Add a user:
Syntax: net user <user name> <password> /ADD
Example: net user SQLTest1 Pa$$W0rd /ADD
Delete a user:
Syntax: net user <user name> /DELETE
Example: net user SQLTest1 /DELETE
Modify password for user:
Syntax: net user <user name> <new password>
Example: net user SQLTest1 D#gqo$dk@jcV
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
NET USER
Add, delete, or modify user accounts on local machine or in AD
Add a user:
Syntax: net user <user name> <password> /ADD
Example: net user SQLTest1 Pa$$W0rd /ADD
Delete a user:
Syntax: net user <user name> /DELETE
Example: net user SQLTest1 /DELETE
Modify password for user:
Syntax: net user <user name> <new password>
Example: net user SQLTest1 D#gqo$dk@jcV
Add /DOMAIN to perform in AD instead of local machine
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
NET LOCALGROUP
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
NET LOCALGROUP
Add, delete, or modify group accounts on local machine
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
NET LOCALGROUP
Add, delete, or modify group accounts on local machine
Add a local group:
Syntax: net localgroup <group name> /ADD
Example: net localgroup SQLDev /ADD
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
NET LOCALGROUP
Add, delete, or modify group accounts on local machine
Add a local group:
Syntax: net localgroup <group name> /ADD
Example: net localgroup SQLDev /ADD
Delete a local group:
Syntax: net localgroup <group name> /DELETE
Example: net localgroup SQLDev /DELETE
Who Has What to Which?
(The Permissions Superset)
Windows command line tools used in that demo:
NET LOCALGROUP
Add, delete, or modify group accounts on local machine
Add a local group:
Syntax: net localgroup <group name> /ADD
Example: net localgroup SQLDev /ADD
Delete a local group:
Syntax: net localgroup <group name> /DELETE
Example: net localgroup SQLDev /DELETE
Modify membership:
Syntax: net localgroup <group name> <user name> /ADD or /DELETE
Example 1: net localgroup SQLDev SQLTest1 /ADD
Example 2: net localgroup SQLDev SQLTest1 /DELETE
Who Has What to Which?
(The Permissions Superset)
Windows command line tools referenced in that demo:
NET GROUP
Add, delete, or modify group accounts in AD
Add a domain group:
Syntax: net group <group name> /ADD /DOMAIN
Example: net group SQLDev /ADD /DOMAIN
Delete a local group:
Syntax: net group <group name> /DELETE /DOMAIN
Example: net group SQLDev /DELETE /DOMAIN
Modify membership:
Syntax: net group <group name> <user name> /ADD or /DELETE /DOMAIN
Example 1: net group SQLDev SQLTest1 /ADD /DOMAIN
Example 2: net group SQLDev SQLTest1 /DELETE /DOMAIN
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
suser_sname()
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
suser_sname()
Function that returns the login name for the specified SID (security
identifier)
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
suser_sname()
Function that returns the login name for the specified SID (security
identifier)
If SID not supplied uses SID of current user
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
suser_sname()
Function that returns the login name for the specified SID (security
identifier)
If SID not supplied uses SID of current user
Execute As Login = '<login>'
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
suser_sname()
Function that returns the login name for the specified SID (security
identifier)
If SID not supplied uses SID of current user
Execute As Login = '<login>'
Changes the current security context of the current user to the specified
login
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
suser_sname()
Function that returns the login name for the specified SID (security
identifier)
If SID not supplied uses SID of current user
Execute As Login = '<login>'
Changes the current security context of the current user to the specified
login
Revert
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
suser_sname()
Function that returns the login name for the specified SID (security
identifier)
If SID not supplied uses SID of current user
Execute As Login = '<login>'
Changes the current security context of the current user to the specified
login
Revert
Changes the current security context of the current user to the previous
security context
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
suser_sname()
Function that returns the login name for the specified SID (security
identifier)
If SID not supplied uses SID of current user
Execute As Login = '<login>'
Changes the current security context of the current user to the specified
login
Revert
Changes the current security context of the current user to the previous
security context
Can require multiple executions if EXECUTE AS used more than once
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
HAS_PERMS_BY_NAME()
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
HAS_PERMS_BY_NAME()
Function that returns bit indicating if the current user has the specified
permission
0 = does not have the permission
1 = does have the permission
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
HAS_PERMS_BY_NAME()
Function that returns bit indicating if the current user has the specified
permission
0 = does not have the permission
1 = does have the permission
Syntax: HAS_PERMS_BY_NAME (<securable>, <securable class>,
<permission> [, <sub-securable>] [, <sub-securable class>])
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
HAS_PERMS_BY_NAME()
Function that returns bit indicating if the current user has the specified
permission
0 = does not have the permission
1 = does have the permission
Syntax: HAS_PERMS_BY_NAME (<securable>, <securable class>,
<permission> [, <sub-securable>] [, <sub-securable class>])
Example: HAS_PERMS_BY_NAME(N'dbo.ErrorLog', N'Object', N'SELECT')
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
xp_logininfo
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
xp_logininfo
Extended stored procedure that returns login mappings for a user or
group memberships for a Windows group
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
xp_logininfo
Extended stored procedure that returns login mappings for a user or
group memberships for a Windows group
Viewing login mappings:
Syntax: Exec xp_logininfo N‘<user>', N'all';
Example: Exec xp_logininfo N'SQLMCMLap\SQLTest1', N'all';
Who Has What to Which?
(The Permissions Superset)
T-SQL tools used in that demo:
xp_logininfo
Extended stored procedure that returns login mappings for a user or
group memberships for a Windows group
Viewing login mappings:
Syntax: Exec xp_logininfo N‘<user>', N'all';
Example: Exec xp_logininfo N'SQLMCMLap\SQLTest1', N'all';
Viewing group memberships:
Syntax: Exec xp_logininfo N‘<group>', N‘members';
Example: Exec xp_logininfo N'SQLMCMLap\SQLDev', N‘members';
Who Has What to Which?
(The Permissions Superset)
Who Has What to Which?
(The Permissions Superset)
Database owner:
Who Has What to Which?
(The Permissions Superset)
Database owner:
Mapped automatically to the dbo account
Who Has What to Which?
(The Permissions Superset)
Database owner:
Mapped automatically to the dbo account
Has all permissions inside of database (DML, DDL, etc)
Who Has What to Which?
(The Permissions Superset)
Database owner:
Mapped automatically to the dbo account
Has all permissions inside of database (DML, DDL, etc)
Has very broad permissions for modifying the database properties
Who Has What to Which?
(The Permissions Superset)
Database owner:
Mapped automatically to the dbo account
Has all permissions inside of database (DML, DDL, etc)
Has very broad permissions for modifying the database properties
Can make a variety of changes that can be damaging to the database
or even the server
Who Has What to Which?
(The Permissions Superset)
Database owner:
Mapped automatically to the dbo account
Has all permissions inside of database (DML, DDL, etc)
Has very broad permissions for modifying the database properties
Can make a variety of changes that can be damaging to the database
or even the server
Page verification, file settings, recovery model, auto-shrink, auto-close,
etc
Who Has What to Which?
(The Permissions Superset)
Database owner:
Mapped automatically to the dbo account
Has all permissions inside of database (DML, DDL, etc)
Has very broad permissions for modifying the database properties
Can make a variety of changes that can be damaging to the database
or even the server
Page verification, file settings, recovery model, auto-shrink, auto-close,
etc
Still cannot change TRUSTWORTHY
Who Has What to Which?
(The Permissions Superset)
Database owner:
Mapped automatically to the dbo account
Has all permissions inside of database (DML, DDL, etc)
Has very broad permissions for modifying the database properties
Can make a variety of changes that can be damaging to the database
or even the server
Page verification, file settings, recovery model, auto-shrink, auto-close,
etc
Still cannot change TRUSTWORTHY
Impersonated by sysadmin when sysadmin is in the database
Who Has What to Which?
(The Permissions Superset)
Database owner:
Mapped automatically to the dbo account
Has all permissions inside of database (DML, DDL, etc)
Has very broad permissions for modifying the database properties
Can make a variety of changes that can be damaging to the database
or even the server
Page verification, file settings, recovery model, auto-shrink, auto-close,
etc
Still cannot change TRUSTWORTHY
Impersonated by sysadmin when sysadmin is in the database
If no valid owner, you may receive error that the user cannot perform
the requested action under the current security context
Who Has What to Which?
(The Permissions Superset)
Who Has What to Which?
(The Permissions Superset)
Contained database user:
Who Has What to Which?
(The Permissions Superset)
Contained database user:
By default, a contained user can only access the contained
database
Who Has What to Which?
(The Permissions Superset)
Contained database user:
By default, a contained user can only access the contained
database
If a contained user is recreated in another database with the same
SID, the user can cross databases if the database they are currently
in has TRUSTWORTHY enabled
Who Has What to Which?
(The Permissions Superset)
Contained database user:
By default, a contained user can only access the contained
database
If a contained user is recreated in another database with the same
SID, the user can cross databases if the database they are currently
in has TRUSTWORTHY enabled
Moral: never set TRUSTWORTHY unless the CEO is standing at your
desk threatening to fire you
Who Has What to Which?
(The Permissions Superset)
Thanks!
Thank you for coming!
My blog: www.sqlsoldier.com
Twitter: twitter.com/SQLSoldier
Need help with your project: www.DBBest.com