SQL Server logins, Windows accounts, and Windows groups can be added to server-level roles.. They will be able to ■ ■ reset passwords for SQL Server logins and GRANT, DENY, and Revoke da
Trang 1and have the required permissions associated with them Although you are limited
to the built-in server-level roles, you can create new database-level roles in addition
to those available to suit more specific needs
SQL Server logins, Windows accounts, and Windows groups can be added to
server-level roles Server-level roles are as follows:
sysadmin – Perform any activity in the server By default, the BUILTIN\
■
■
Administrators group and the local administrator’s group are members of
the sysadmin role
serveradmin – Change server-wide configuration options and shut down
■
■
the server
securityadmin – Manage logins and their properties They will be able to
■
■
reset passwords for SQL Server logins and GRANT, DENY, and Revoke
database-level and server-level permissions
processadmin – End processes running in an instance of SQL Server
■
■
setupadmin – Add and remove linked servers
■
■
bulkadmin – Run the BULK INSERT statement
■
■
diskadmin – Manage disk files
■
■
dbcreator – CREATE, ALTER, DROP, and restore any database
■
■
You can find the following objects in the master database that can help when
working with server-level roles:
sp_helpsrvrole – Returns a list of server-level roles
■
■
sp_helpsrvrolemember – Returns information about the members of
■
■
a server-level role
sp_srvrolepermission – Displays the permissions of a server-level role
■
■
IS_SRVROLEMEMBER – Indicates whether a SQL Server login is
■
■
a member of the specified server-level role
sys.server_role_members – Returns one row for each member of each
■
■
server-level role
sp_addsrvrole_member – Adds a login as a member of a server-level role
■
■
sp_dropsrvrole_member – Removes a SQL Server login or a Windows
■
■
user or group from a server-level role
Trang 2There are two types of database-level roles, fixed database roles that are predefined
in the database and flexible database roles that you can create
The fixed database-level roles are:
db_owner – Can drop the database as well as permission to perform all
■
■
configuration and maintenance tasks
db_security_admin – Can modify role membership and manage permissions
■
■
Please be careful when adding principals to this role; an unintended privilege escalation could result
db_accessadmin – Can add or remove database access for Windows logins,
■
■
Windows groups, and SQL Server logins
db_backupoperator – Can back up the database
■
■
db_ddladmin – Can run any Data Definition Language command
■
■
db_datawriter – Can add, delete, or change data in all user tables
■
■
db_datareader – Can read all data from all user tables
■
■
db_denydatawriter – Will deny permission in the database to add, modify,
■
■
or delete any data in the user tables
db_denydatareader – Will deny permission in the database to read any data
■
■
in the user tables
These objects can be helpful when working with Database-level roles:
sp_helpdbfixedrole – Returns a list of the fixed database roles
■
■
sp_dbfixedrolepermission – Displays the permissions of a fixed database role
■
■
sp_helprole – Returns information about the roles in the current database
■
■
sp_helprolemember – Returns information about the members of a role
■
■
in the current database
sys.database_role_members – Returns one row for each member of each
■
■
database role
IS_MEMBER – Indicates whether the current user is a member of the
■
■
specified Microsoft Windows group or Microsoft SQL Server database role CREATE_ROLE – Creates a new database role in the current database
■
■
ALTER_ROLE – Changes the name of a database role
■
■
DROP_ROLE – Removes a role from the database
■
■
Trang 3sp_addrole – Creates a new database role in the current database.
■
■
sp_droprole – Removes a database role from the current database
■
■
sp_addrolemember – Adds a database user, database role, Windows login,
■
■
or Windows group to a database role in the current database
sp_droprolemember – Removes a security account from a SQL Server role
■
■
in the current database
Figure 4.1 Fixed Server-Level Roles
exam Warning
Understand the difference between Server-level and Database-level
Roles as well as their permissions scope.
Figure 4.1 shows the fixed server roles Figure 4.2 shows the predefined
database roles
Trang 4Figure 4.2 Database-Level Roles
ExERciSE 4.1
Create a New Database role
You need to create a new Database Role owned by the HumanResources role that will permit members to also use objects in the purchasing schema.
1 in the SQL Server Management Studio, locate the Database Roles folder under Security/Roles in the AdventureWorks2008 database.
2 Right-click on the Database Roles folder and select New Database
Role… from the menu.
3 in the Database Role – New window, type Purchasing into the
Role name text box.
Trang 5The “Principle of Least Privilege”
In order to maintain a secure SQL Server environment it is important to take the
approach of granting the minimum amount of permissions possible to any entity
requesting a SQL Server resource So it is very important to do your due diligence
when adding a user to a specific role or granting any additional permissions If you
are not familiar with what access you are granting, you may inadvertently elevate
4 in the Owner text box, browse and select HumanResources as the
Owner.
5 in the Owned Schemas section, locate and select the Purchasing
schema.
6 Your window should look like Figure 4.3 By creating your new
role, notice the schemas owned by your new role by default.
7 click OK Your newly created database role will appear in the
database role folder.
Figure 4.3 Database Role Properties