Reviewing sql server permissions tech republic


Reviewing SQL Server Permissions | TechRepublic

Blog: The Enterprise Cloud

Reviewing SQL Server Permissions

By Tim Chapman
November 3, 2008, 10:19 AM PST

Takeaway: SQL Server consultant Tim Chapman looks at the importance of database permissions and how you can use internal SQL Server system views to easily see which users have access on your system.

Permissions on data are one of the most critical aspects of database administration. If you're too strict as a database administrator, your users will not be able to do their jobs. If you're too lenient, data can be compromised or even leaked. It is a very fine balance to control. The ability to determine these permissions on your database systems is absolutely paramount.

Who has access to my SQL Server?

First things first: you need to know which users are able to log in to your SQL Server instance. Logins come in two flavors: Windows authentication and SQL Server logins. Windows logins are tied to Windows accounts, while SQL Server logins are housed in SQL Server internally. Whether the login is Windows based or is an internal SQL account, you can access login information by querying internal SQL Server views.

To find the login information, the sys.server_principals system view can be used. The following script queries this view and returns login information along with the type of associated login.

    SELECT name, type_desc, is_disabled
    FROM sys.server_principals

To test this query, run the following script followed by the script above. The new login TestLogin should appear in the result set.

    -- Test login only: CHECK_POLICY = OFF turns off Windows password policy enforcement for it
    CREATE LOGIN TestLogin
    WITH PASSWORD = 'asdevex33', CHECK_POLICY = OFF

Who has access to my Databases?

Once a login is able to gain entry into the server, it then needs access to databases. Before a login is able to access a database, a user must be mapped to that login inside the database. The following script queries the sys.database_principals system view, which holds user-related information for the current database. Note that this information will likely differ for each database you run it in. Users are database-level, so different users will have different access in different databases.

    SELECT
        UserName  = dp.name,
        UserType  = dp.type_desc,
        LoginName = sp.name,
        LoginType = sp.type_desc
    FROM sys.database_principals dp
    -- Users are linked to logins by SID; principal_id values are assigned
    -- independently at the server and database level and do not correspond.
    JOIN sys.server_principals sp ON dp.sid = sp.sid

To test the above query, run the following script followed by the script immediately above. The new user TestUser (which is now mapped to the login TestLogin) should appear in the result set.

    CREATE USER TestUser FOR LOGIN TestLogin

Server Roles

Now that I have covered server logins and database users, I need to cover the different server and database roles on the system. A login can be a member of a server role, which gives the login elevated permissions for the SQL Server instance. The following query can be used to view which logins are tied to which server roles.

    SELECT p.name, p.type_desc, pp.name, pp.type_desc
    FROM sys.server_role_members roles
    JOIN sys.server_principals p ON roles.member_principal_id = p.principal_id    -- member login
    JOIN sys.server_principals pp ON roles.role_principal_id = pp.principal_id    -- server role

The following script adds the TestLogin I created above to the dbcreator server role. Once this script has been run, rerun the query immediately above. The new role membership will be included in the result set.

    EXECUTE sp_addsrvrolemember
        @loginame = 'TestLogin',
        @rolename = 'dbcreator'

Database Roles

The sys.database_permissions view (queried under "What can these users do?") shows which users have specific permissions inside your database. However, when you're a member of a database role, you're given permissions that are not contained in the sys.database_permissions view, but that are absolutely vital for knowing which users have permissions inside your database.
You can use the following query to determine which users are assigned to database roles.

    SELECT p.name, p.type_desc, pp.name, pp.type_desc, pp.is_fixed_role
    FROM sys.database_role_members roles
    JOIN sys.database_principals p ON roles.member_principal_id = p.principal_id    -- member user
    JOIN sys.database_principals pp ON roles.role_principal_id = pp.principal_id    -- database role

The following script adds the TestUser to the db_datareader database role. Once this script has been executed, run the previous script to see the new entry in the sys.database_role_members system view.

    EXECUTE sp_addrolemember
        @rolename = 'db_datareader',
        @membername = 'TestUser'

What can these users do?
The following query uses the sys.database_permissions system view to indicate which users have specific permissions inside the current database.

    SELECT
        dp.class_desc,
        dp.permission_name,
        dp.state_desc,
        ObjectName  = OBJECT_NAME(major_id),
        GranteeName = grantee.name,
        GrantorName = grantor.name
    FROM sys.database_permissions dp
    JOIN sys.database_principals grantee ON dp.grantee_principal_id = grantee.principal_id
    JOIN sys.database_principals grantor ON dp.grantor_principal_id = grantor.principal_id

Conclusion

Today I looked at some system views included in SQL Server 2005 and SQL Server 2008 which can be used to view permissions on your SQL Server instance. The more you know about the permissions on your SQL Server system, the more prepared you'll be if problems arise.

Comments

Very useful
ckmutunga, 24th Aug 2011
It is exactly what I was looking for.

Who has access to my Databases?
JeffNguyen, 10th Jun 2011
I think for the part Who has access to my Databases?, the SQL should be. Please correct me if I'm wrong SELECT UserName =, UserType = dp.type_desc, LoginName =, LoginType =...

minor correction?
Malkie, 27th Jan 2011
Permissions on data are one of the most critical aspects of database administration. If you're too strict as a database administrator then your users will not be able to do their jobs. If you're...
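
Added example, not part of the original article or its comments: the "Database Roles" and "What can these users do?" sections each show half of the picture, so this query joins them by expanding role membership recursively and listing every permission a user holds directly or inherits through a role. It assumes it is run in the database under review on SQL Server 2005 or later; the CTE name RoleTree and the output column names are choices made here.

```sql
-- Added example: effective permissions per user, direct or inherited via roles.
-- Run in the database being reviewed.
WITH RoleTree AS (
    -- Anchor: each SQL user, Windows user and Windows group, as "itself" (depth 0)
    SELECT member_id = p.principal_id,
           via_id    = p.principal_id,
           depth     = 0
    FROM sys.database_principals p
    WHERE p.type IN ('S', 'U', 'G')
    UNION ALL
    -- Recursive step: climb to every role that contains the current principal,
    -- so roles nested inside other roles are followed as well
    SELECT rt.member_id, rm.role_principal_id, rt.depth + 1
    FROM RoleTree rt
    JOIN sys.database_role_members rm
      ON rm.member_principal_id = rt.via_id
)
SELECT UserName       = u.name,
       GrantedVia     = CASE WHEN rt.depth = 0 THEN '(direct)' ELSE r.name END,
       IsFixedRole    = r.is_fixed_role,
       ClassDesc      = perm.class_desc,
       PermissionName = perm.permission_name,
       StateDesc      = perm.state_desc,   -- review DENY rows: a DENY overrides a GRANT
       ObjectName     = CASE WHEN perm.class = 1   -- 1 = OBJECT_OR_COLUMN
                             THEN OBJECT_NAME(perm.major_id) END
FROM RoleTree rt
JOIN sys.database_principals u ON u.principal_id = rt.member_id
JOIN sys.database_principals r ON r.principal_id = rt.via_id
LEFT JOIN sys.database_permissions perm
       ON perm.grantee_principal_id = rt.via_id
-- Fixed roles (db_owner, db_datareader, ...) carry implicit permissions that have
-- no rows in sys.database_permissions, so keep their membership rows even though
-- the permission columns are NULL. Drop other rows that matched no permission.
WHERE perm.permission_name IS NOT NULL
   OR r.is_fixed_role = 1
ORDER BY UserName, rt.depth, GrantedVia, PermissionName;
-- Not expanded here: the public role. Every user belongs to it, but that
-- membership is not stored in sys.database_role_members; review its grants
-- separately with grantee_principal_id = 0.
```

After running the article's test scripts, TestUser appears with a db_datareader row whose permission columns are NULL, which is the gap the "Database Roles" section describes.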