Download presentation
Presentation is loading. Please wait.
Published byAmanda Jacobs Modified over 9 years ago
1
Chapter 10 Overview Implement Microsoft Windows Authentication Mode and Mixed Mode Assign login accounts to database user accounts and roles Assign permissions to user accounts and roles Manage security within SQL Server.
2
Authentication Processing When a user connects to SQL Server, the client opens a trusted connection to SQL Server, which passes the user’s Windows 2000 security credentials to SQL Server If SQL Server finds the user’s Windows 2000 user account or group account in the list of SQL Server login accounts in the sysxlogins system table, it accepts the connection.
3
Windows Authentication Mode Advantages Provides more features, such as secure validation and encryption of passwords, auditing, password expiration, minimum password length, and account lockout after an invalid password. Enables you to add groups of users to SQL Server by adding a single login account. Enables users to access SQL Server quickly, without having to remember another login account and password.
4
Mixed Mode Authentication Advantages Mixed Mode, and the SQL Server Authentication mechanism in particular, enables non-Windows 2000 clients, Internet clients, and mixed client groups to connect to SQL Server.
5
Can create login accounts from existing Windows 2000 users and groups, or can create new SQL Server login accounts. Login accounts are stored in the master..sysxlogins system table. System or security administrators can execute stored procedures to allow or disallow a Windows 2000 user or group account to connect to SQL Server Create a Login Account
6
System Stored ProcedureDescription sp_grantloginAdds a login account entry for a Windows 2000 user or SQL Server group sp_revokeloginRemoves the login account entries for a windows 2000 user or group from SQL Server sp_denyloginPrevents a Windows 2000 user or group from connecting to SQL Server
7
Create a Login Account SQL Server login accounts and passwords can contain up to 128 characters, including letters, symbols, and digits. However, login accounts cannot: contain a backslash character, be a reserved login account – for example, sa. be null or an empty string (“ ”)
8
Default Login Accounts BUILTIN\Administrators is provided as the default login account for all Windows 2000 administrators. It has all rights on the SQL Server and in all databases. System administrator (sa) is a special login account that has all rights on the SQL Server and in all databases. It is provided for backward compatibility and should not be used routinely. This account is only enabled when SQL Server is using Mixed Mode Authentication.
9
Assign Logins to User Accounts Add User Accounts using: SQL Server Enterprise Manager sp_grantdbaaccess Dbo User Account: The sa login and members of the System Administrators (sysadmin) role are mapped to a special user account inside all databases called dbo. Any object that a system administrator creates automatically belongs to dbo. The dbo user is a default account and cannot be deleted.
10
Assign Logins (ctd) Guest User Account The guest user account allows logins without user accounts to access a database. Login accounts assume the identity of the guest user when both of the following conditions are met: The login account has access to SQL Server but does not have access to the database through its own user account. The database contains a guest user account.
11
Roles Roles provide a means of assembling users into a single unit to which permissions can be applied. Roles include: Fixed Server Roles Fixed Database Roles User-defined Database Roles
12
Fixed Server Role Privileges Role Privileges SysadminCan perform any activity in SQL Server ServeradminCan set serverwide configuration options, shut down the server SetupadminCan manage linked servers and startup procedures SecurityadminCan manage logins and CREATE DATABASE permissions, also read error logs and change passwords ProcessadminCan manage processes running in SQL Server DbcreatorCan create, alter, and drop databases DiskadminCan manage disk files BulkadminCan execute BULK INSERT Statements (Groupings of administrative privileges at the server level)
13
Fixed Database Role Privileges (Groupings of administrative privileges at the database level) db_ownerHas all permissions in the database db_accessadminCan add or remove user IDs db_securityadminCan manage all permissions, object ownerships, roles, and role memberships db_ddladminCan issue ALL DDL, but cannot issue GRANT, REVOKE, or DENY statements. db_backupoperatorCan issue DBCC, CHECKPOINT, and BACKUP statements db_datareaderCan select all data from any user table in the database db_datawriterCan modify any data from any user table in the database db_denydatareaderCannot select any data from any user table in the database db_denydatawriterCannot modify any data from any user table in the database RolePrivileges
14
User-defined Database Role Creating a user-defined database role enables you to create a group of users with a set of common permissions. Add a Role: When a group of users need to perform the same activities in SQL Server If you do not have permissions to manage Windows 2000 accounts
15
Permissions Permissions specify which database objects users are authorized to use and what the users can do with those objects.
16
Types of Permissions 1.Statement Permissions Activities that involve creating a database or items in a database require a class of permissions called statement permissions. Statement Permissions give users the privilege of issuing certain Transact-SQL statements including: Create Database, Create Table, Create view, Create Procedure, Create Rule, Create Default, Create function, Backup Database, Backup Log
17
Types of Permissions 2. Object Permissions: Activities that involve working with data or executing procedures require a class of permissions known as object permissions: Table and view Permissions: Select, Insert, Update Table/view, Delete, References Column Permissions: Select, Update column, and references Stored Procedure Permissions: Exec
18
Types of Permissions 3.Predefined Permissions: Only members of fixed roles or owners of database objects can perform certain activities. Permissions to perform these activities are called predefined or implicit permissions Fixed Role Permissions: Fixed roles have implicit administrative permissions. Object owner Permissions: Object owners also have implied permissions that allow them to perform all activities with objects that they own.
19
Command Line Interface (CLI) Security can also be managed from the command line interface (CLI)
20
CLI – Create Logins Create a SQL Server Login sp_addlogin ‘MrsDeveloperSQL’, ‘password’ Create a Windows account Login sp_grantlogin ‘SENECADOM\MrsDboNT’
21
CLI – Work with Database Users Map Login Accounts to a User account USE pubs2 Go EXEC sp_grantdbaccess ‘SENECADOM\MrsDboNT’, ‘MrsDboNT’ Go
22
CLI – Work with Database Users CommandResult sp_helploginsDisplays information about a login sp_droploginRemoves a login sp_revokeloginRemoves a login sp_denyloginDenies a login sp_passwordChanges a login’s password sp_defaultdbSets a login’s default database sp_validateloginsShows “orphans” in the database. These are logins that exist in SQL Server but no longer exist as Windows accounts
23
CLI – Work with Roles Add SQL 2000 user to the sysadmin group sp_addsrvrolemember ‘SuperUser’, ‘sysadmin’ Add a new database role of developers sp_addrole ‘Developers’
24
CLI – Work with Roles CommandResult sp_droproleRemoves a role sp_helproleDisplays information about a role sp_helpdbfixedroleDisplays privileges the fixed roles have
25
CLI – Work with Permissions Grant Select access to a table Grant Select On authors To MrsDeveloperSQL GO Deny Insert access to a table Deny Insert On authors To MrsDeveloperSQL GO Revoke Select permissions from a table Revoke Select On authors From MrsDeveloperSQL GO
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.