Security in sql
Sql server provides security with the help of two objects
Login
User
Login
Login isof two types
Sql server authenticated
Windows authenticated
Creating sql server authenticated login
To create a login use
Create login command that has the following syntax to create sql server authenticated login
Create login <loginname>
With password =’pwd’ [ ,]
[default_database=<dbname>] [ , ]
[check_expiration =ON|OFF [ ,]
[check_policy=ON | OFF] (Default is on for check_policy)
Default_database option is used to specify default database for the login, which will automatically come into use when you login in with that login.
Check_expiration:
Is used to specify whether or not the password will be expired and user will be forced to change the password (Default- off)
Check_policy
Is used to specify whether or not the password will be validated against password policy of sql server [Default- ON]
Example
The following example creates a sql server authenticated login with the name SSAe
create login ssae
with password ='ssae',
default_database=mydb,
check_policy=off
creating windows authentication login
to create a window authenticated login, first you have to create a user in windows operating system using user accounts options in control panel and then use the following syntax to create login command to create a windows authenticated
syntax
create login [servername|username] from windows
example: create login [uday-PC\wa] from windows
in the above example wa is the user account creating in control panel .
the purpose of user is to allow the login to access a particular database
every login must be associated with a user, to access a database. Every login can be associated with only one user that also in anyone database available on the server.
To create the user for the login use the stored procedure
sp_grantdbaccess ‘loginname’,’username’
This procedural will create user for the login in the current database that is in the user. Hence while creating a user for the login using this stored procedure, you must make sure that the database in which you want to create the user is in use.
The following example create a user with name ssauser for the login ssae
sp_grantdbaccess 'ssae','ssauser'
the following example create a user with a name “Wauser” for the windows authenticated login wa.
sp_grantdbaccess [uday-PC\wa],'wauser'
Permissions :
Every login user requires permission to perform any operation against the server
Data base permission or system level permission
Object level permission
Database level
These are the permissions related to communicate like create,alter,drop
Database level permissions can be granted only by admistrator
Object level permission: these are the permissions related to particular object in the database like tables, view, store procedures and user defined functions
Related to table available permissions are select, insert, update, delete
Object level permission can be granted only by the user who creates that object
Granting database level permission
To grant permission , you have to use the grant command that has the following syntax
grant permission
to <userlist>
[with grant option]
The following example grants create table to the user ssauser
grant create table to ssauser
Granting object level permission
To grant object level permission use the following syntax of grant command
Syntax:
Grant <permissionlist>
On <objectname>
To <userlist>
[with grant option]
The following example grant select, insert permission on emp table to the user ssauser
grant select,insert on emp to ssauser
The following example grants update permission on the column ename,hiredate and deptno of emp table to the user ssauser
update EMP set ename='uday' where EMPNO=1001
note: we cannot grant permission for insert, delete on specified columns (i.e only select & update permissions can be granted on specific columns and not on insert, delete & references.
The following example grants all permissions on table dept to the user ssauser
grant all ondept to ssauser
the permission all is deprecated and it will be eliminated in future versions and hence it is not recommended to use the permission all
With grant option
While granting permission , the user who is granting permission is called as Grantor and the use who is getting permission is called Grantee
Whenever grantor wants to allow the grantee to grant the permission to other user, than he must specify option while granting the permission.
The following example grants the select permission on the table emp to the user ssauser and wauser using grant option
grant selecton emp tossauser with grantoption
getting list of permissions the current user has
to get list of permission the current user has use the function “fn_my_permission” which is a table valued function and it has the following syntax
select * fromfn_my_permissions ('db/objectname','database/object')
this function takes two arguments
1 dbobjectname and the string database or string object
When the first argument is a db name than second argument must be string db.
When the first argument is an object name, than second argument must be string object.
The following example list the db level permission that the current user has
select * fromfn_my_permissions ('mydb','database')
The following example list the permissions the current user has on the table emp
select * fromfn_my_permissions ('emp','object')
Revoking database level permissions
The permission you granted to other users can be revoked when you don’t want to allow those users to perform those operations or access your objects and for this Revoke command is used.
Revoke command the following syntax to revoke DataBase level permission
Revoke <permission list>
From <user list>
[cascade]
The following example revoke create table and create view permissions from the user ssauser and wauser
1 verify permission first
2 Revoke
Revoke create table, create view from ssauser, wauser
Revoking Object Level Permissions
To revoke object level permissions revoke command has the following syntax
Revoke <permissionlist>
on <objectName>
from <userlist>
[cascade]
The following example revoke select & Insert Permission on Emp Table from the users ssauser and wauser
Revoke select user on
Emp
From ssauser,wauser
The following example revokes update permissions on the columns hiredate and deptno of emp table from the user ssauser and wauser
Revoke update on
Emp
From ssauser, wauser
Revoke update(hiredate,DeptNo) in Emp
From ssauser,wauser
The following example revokes all permissions on table dept from the user ssauser and wauser
Revoke all on dept
From ssauser,wauser
Cascade
To revoke the permission granted with grant option, you must specify the option cascade
When you revoke the permission using cascade option than permission will be revoked not only from the user from whom you are revoking but also from every user who get those permissions either directly or indirectly from that user.
Example:
The following example revokes select permission on table studies from the user ssauser
Revoke select on
Studies from ssauser
Cascade
Roles:
There are situation in Real time where you have to grant different permissions on different object to different users at different times. In this case Roles will make the task easy.
Role will make the task easy.
A role is the set of permission and main purpose of a role is to make it easy to manage the permissions to be granted to other users.
A role can contain any no of permissions and a single role can contain both database level and object level permissions.
Creating a Role:
To create a role use the stored procedure that has the following syntax
Sp_addrole ‘rolename’
The following example creates a role with a name MyRole
Sp_addrole ‘myrole’
Granting permission to Revoking Permission from a Role
Granting permission to a role or Revoking permissions from a Role is same as granting and revoking permissions to and from user except that in the place of username you have to write Role Name
The following example grants different permissions on the object emp ,dept,salgrade,studies and programmer to the role myrole
Grant select,insert on emp to myrole
Grant select, update on dept to myrole
Grant select on salgrade to myrole
Grant select, delete on studies to myrole
Grant insert on programmer to myrole
Adding Members to a Role
When you want to grant all the permissions available in the role to the user, you have to add that use as a member to the role and for this use the stored procedure
Sp_addrolemember ‘rolename’,’username’
The following example adds the user ssauser as a member to the role “myrole”
Sp_addmember ‘myrole’ ,’ssauser’
Getting list of Roles
To get the list of roles available in the database use the stored procedure
sp_helprole with no arguments
eg: sp_helprole
Getting list of member of a Role
To get list of members of a role, use the stored procedure
sp_helprolemember
syntax:
sp_helprolemember ‘rolename’
the following example list the members of the role my role
sp_helprolemember ‘myrole’
Removing the member from the Role
When you want to revoke all permissions from a user that are granted to the user through a role , than you have to remove that user as a member from the role, and for this use the stored procedure
sp_droprolemember ‘rolename’,’username’
The following example revokes the user ssauser as a member from the role “myrole”
Sp_droprolemember ‘myrole’,’ssauser’
Deleting a Role:
To delete a role it must not have any members
After deleting all the members from a role use the stored procedure
sp_droprole ‘role name’
The following example deletes the role myrole
sp_droprole ‘myrole’
While working with roles, there are situations where you want to add a user as a member to the role but you don’t want to grant one or more permissions available in the role to that user. In this case you have to user the deny command
The permissions granted to a role cannot be revoked with revoke command
Syntax:
Deny <permission list>
[on <object name>]
To <user list>]
[cascade]
The following example deny select and update permissions on table dept to the user ssauser
Deny select, update on
Dept to
Ssauser
Fixed Roles
sql server provides a set of predefined roles which are collectively called as fixed roles and they are classified into
fixed database roles
fixed server roles
Fixed database roles
Fixed db rules are used to grant permission on a particular db and fixed db rules available
In sql server are as follows
db_datareader
Members of this roles will get select permissions on all tables in database that may be created by any user.
Db_datawriter
Member of this role will get insert, update, and delete permissions on all tables in the database that may be created by any user.
Dd_ddladmin
Members of this will get permissions on all ddl commands within that particular database
Db_owner
Members of this roles will become owner of the database and they will have completely rights on the database
To add a member of this role use the stored procedure
Sp_addrolemember and to delete a member from this use the stored procedure
Sp_droprolemember
Both of these stored procedures take two arguments where the first argument is RoleName and the second argument is UserName
Fixed Server Roles
Are used to grant permission on server, to a login. Fixed server roles available in database as follows
Dbcreator: members of this role will get permission to create alter and drop database
Security Admin
Member of this role will get permission to manage logins and they will also have the permission to grant, revoke, or deny server level permissions
Sysadmin
Members of this role will become administrator for the server and they will have complete rights on the server.
To add a member to the fixed server roles use the stored procedure
Sp_addsrvrolemember and to delete a member from this role use the stored procedure
Sp_dropsrvrolemember
Both of these stored procedure takes two arguments where the first argument is login Name and second argument is RoleName
Sp_addsrvrolemember ‘loginname’,’rolename’
Sp_dropsrvrolemember ‘loginname’,’rolename’
To get the list of permission you granted to a particular user or list of permissions you got from any user or list of permission available in a role
Use the stored procedur
Sp_helprotect ‘object/dbaname’ ‘username’ ,’grantorname’,’0’/’s’/’o s’
The first argument for this procedure is object Name or database Name on which you want to get the list of permissions
Second argument the username permission of which you want to list
Third argument the grantorname permission granted by whom you want to list and object level permission or system level permissions or both.
Only single p in helprotect
The following example lists the permissions granted by the use dbo to the user “ssauser”
Sp_helprotect null,’ssauser’,dbo’
The following example list the permission granted by the user dbo to all other users
Sp_helpprotect null,null,’dbo’
To get all permission we need to specify null.
The following example list all the permission the role myrole has
Sp_helptext null,’myrole’
