1 / 24

Module 10 Assigning Server and Database Roles

Module 10 Assigning Server and Database Roles. Module Overview. Working with Server Roles Working with Fixed Database Roles Creating User-defined Database Roles. Lesson 1: Working with Server Roles. Server- s coped Permissions Typical Server-scoped Permissions

gigi
Download Presentation

Module 10 Assigning Server and Database Roles

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Module 10 Assigning Server and Database Roles

  2. Module Overview • Working with Server Roles • Working with Fixed Database Roles • Creating User-defined Database Roles

  3. Lesson 1: Working with Server Roles • Server-scoped Permissions • Typical Server-scoped Permissions • Overview of Fixed Server Roles • public Server Role • Demonstration 1A: Assigning Fixed Server Roles

  4. Server-scoped Permissions • Permissions at the server level can be assigned in two ways: • Fixed server roles • Specific server-scoped permissions • Minimize the use of fixed server roles • Assign more specific permissions USEmaster; GO GRANTALTERONLOGIN::HRApp TO [AdventureWorks\Holly]; GO GRANTALTERANYDATABASE TO [AdventureWorks\Holly]; GO

  5. Typical Server-scoped Permissions • Current database must be master when assigning server-scoped permissions • Permissions assignments are visible by querying the sys.server_permissions view

  6. Overview of Fixed Server Roles

  7. public Server Role public is a special server role with server-scope. • Not considered a fixed server role as its permissions can be changed • By default, is granted: • VIEW ANY DATABASE permission • CONNECT permission on default endpoints

  8. Demonstration 1A: Assigning Fixed Server Roles • In this demonstration, you will see: • How to view the available fixed server roles using the GUI • How to assign a fixed server role using the GUI • How to view the available fixed server roles using T-SQL • How to assign a fixed server role using T-SQL • How to view the members of fixed server roles using T-SQL • How to view the server permissions that are currently assigned

  9. Lesson 2: Working with Fixed Database Roles • Database-scoped Permissions • Overview of Fixed Database Roles • Assigning Users to Roles • Database Owner • Demonstration 2A: Managing Roles and Users

  10. Database-scoped Permissions • Permissions at the database level can be assigned in three ways: • Fixed database roles • User-defined database roles • Specific database-scoped permissions • Minimize the use of fixed database roles • Assign more specific permissions USE AdventureWorks2008R2; GO GRANTCREATE TABLE TOHRManager; GO GRANTVIEW DEFINITION TO James; GO

  11. Overview of Fixed Database Roles

  12. Assigning Users to Roles • Users can be assigned to roles • Using GUI • Using T-SQL USE AdventureWorks2008R2; GO EXECsp_addrolemember 'db_datareader', 'James'; GO

  13. Database Owner dboThesa login and members of sysadmin role are mapped to dboaccount, along with the owner of the database

  14. Demonstration 2A: Managing Roles and Users • In this demonstration you will see: • How to view the available fixed database roles using the GUI • How to assign a fixed database role using the GUI • How to view the available fixed database roles using T-SQL • How to assign a fixed database role using T-SQL • How to view the members of fixed database roles using T-SQL

  15. Lesson 3: Creating User-defined Database Roles • Working with User-defined Database Roles • Applying Roles in Common Scenarios • Demonstration 3A: User-defined Database Roles • Defining Application Roles • Demonstration 3B: Application Roles

  16. Working with User-defined Database Roles • Database roles can be created, modified, and dropped • CREATE ROLE statement to create • Roles have owners • Permissions are granted to role • Role permissions are inherited by role members USEMarketDev; GO CREATEROLEMarketingReaders AUTHORIZATIONdbo; GO GRANTSELECTONSCHEMA::Marketing TOMarketingReaders; GO

  17. Applying Roles in Common Scenarios • Typical scenario • Define dbo users and other administrative roles • Define permission groups within the database • Consider the use of the public role for common permissions • Create roles and assign permissions to them • Add users to roles • For decision-making within code • IS_SRVROLEMEMBER, IS_MEMBER IFIS_MEMBER('BankManagers')= 0 BEGIN PRINT'Operation is only for bank manager use'; ROLLBACK; END;

  18. Demonstration 3A: User-defined Database Roles • In this demonstration you will see: • How to create a user-defined database role using the GUI • How to create a user-defined database role using T-SQL • How to view the available database roles using T-SQL

  19. Defining Application Roles User runs app App authenticates using sp_setapprole App connects to db as user App assumes app role Application roles are used to enable permissions for users only while they are running particular applications.

  20. Demonstration 3B: Application Roles • In this demonstration, you will see how to: • Create an application role • Change security context to an application role

  21. Lab 10: Assigning Server and Database Roles • Exercise 1: Assign Server Roles • Exercise 2: Assign Fixed Database Roles • Exercise 3: Create and Assign User-defined Database Roles • Challenge Exercise 4: Check Role Assignments (Only if time permits) Logon information Estimated time: 45minutes

  22. Lab Scenario You have created the SQL Server logins and Database users. You now need to assign the logins and users to the required roles based upon the security requirements for the MarketDev database. You should assign the minimum level of access that will allow each user to perform their job. This will require a combination of server, fixed database, and user defined database roles. Do not be concerned with object and schema permissions as these will be assigned in Module 11 but you do need to consider the role requirements that will be required at that time. Note: the changes you make will later be migrated to the production environment. You should use T-SQL commands to implement the required changes.

  23. Lab Review • What is the biggest challenge when assigning permissions to users? • Why do users often get granted more permissions than they need to do their work?

  24. Module Review and Takeaways • Review Questions • Best Practices

More Related