Module 10
Assigning Server and Database Roles
Module Overview
• Working with Server Roles
• Working with Fixed Database Roles
• Creating User-defined Database Roles
Lesson 1: Working with Server Roles
• Server-scoped Permissions
• Typical Server-scoped Permissions
• Overview of Fixed Server Roles
• public Server Role
• Demonstration 1A: Assigning Fixed Server Roles
Server-scoped Permissions
• Permissions at the server level can be assigned in two ways:
  - Fixed server roles
  - Specific server-scoped permissions
• Minimize the use of fixed server roles
  - Assign more specific permissions

```sql
USE master;
GO
-- Scoped to one securable: Holly may alter the HRApp login only
GRANT ALTER ON LOGIN::HRApp
TO [AdventureWorks\Holly];
GO
-- Server-wide: the same permission that the dbcreator role carries
GRANT ALTER ANY DATABASE
TO [AdventureWorks\Holly];
GO
```
Typical Server-scoped Permissions
• The current database must be master when assigning server-scoped permissions
• Permission assignments are visible by querying the sys.server_permissions view
• Typical server-scoped permissions:
  - ALTER ANY DATABASE
  - ALTER TRACE
  - BACKUP DATABASE
  - BACKUP LOG
  - CONNECT
  - CREATE DATABASE
  - VIEW ANY DEFINITION
  - VIEW SERVER STATE
Overview of Fixed Server Roles
| Role | Description | Server-level Permission |
|---|---|---|
| sysadmin | Perform any activity | CONTROL SERVER (with GRANT option) |
| dbcreator | Create and alter databases | ALTER ANY DATABASE |
| diskadmin | Manage disk files | ALTER RESOURCES |
| serveradmin | Configure server-wide settings | ALTER ANY ENDPOINT, ALTER RESOURCES, ALTER SERVER STATE, ALTER SETTINGS, SHUTDOWN, VIEW SERVER STATE |
| securityadmin | Manage and audit server logins | ALTER ANY LOGIN |
| processadmin | Manage SQL Server processes | ALTER ANY CONNECTION, ALTER SERVER STATE |
| bulkadmin | Run the BULK INSERT statement | ADMINISTER BULK OPERATIONS |
| setupadmin | Configure replication and linked servers | ALTER ANY LINKED SERVER |
public Server Role
public is a special server role with server scope.
• Not considered a fixed server role, as its permissions can be changed
• By default, it is granted:
  - VIEW ANY DATABASE permission
  - CONNECT permission on default endpoints
Demonstration 1A: Assigning Fixed Server Roles
• In this demonstration, you will see:
  - How to view the available fixed server roles using the GUI
  - How to assign a fixed server role using the GUI
  - How to view the available fixed server roles using T-SQL
  - How to assign a fixed server role using T-SQL
  - How to view the members of fixed server roles using T-SQL
  - How to view the server permissions that are currently assigned
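One way to do the last two items in T-SQL, as an added example that is not part of the original course material. It uses only the standard catalog views sys.server_role_members, sys.server_principals, sys.server_permissions and sys.endpoints; the column aliases are chosen here.

```sql
-- Who holds each server role. Review sysadmin and securityadmin first:
-- per the fixed server roles overview, sysadmin carries CONTROL SERVER
-- and securityadmin carries ALTER ANY LOGIN.
SELECT r.name      AS server_role,
       m.name      AS member_name,
       m.type_desc AS member_type,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY CASE r.name WHEN 'sysadmin' THEN 0
                     WHEN 'securityadmin' THEN 1
                     ELSE 2 END,
         r.name, m.name;

-- Explicit server-scoped grants and denies, with the object they apply to.
-- A grant such as GRANT ALTER ON LOGIN::HRApp appears with
-- class_desc = SERVER_PRINCIPAL and target_name = HRApp.
SELECT grantee.name      AS grantee_name,
       grantee.type_desc AS grantee_type,
       p.state_desc,                 -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
       p.permission_name,
       p.class_desc,                 -- SERVER, SERVER_PRINCIPAL or ENDPOINT
       COALESCE(target.name, ep.name) AS target_name,
       grantor.name      AS grantor_name
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee
  ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS grantor
  ON grantor.principal_id = p.grantor_principal_id
LEFT JOIN sys.server_principals AS target
  ON p.class_desc = 'SERVER_PRINCIPAL' AND target.principal_id = p.major_id
LEFT JOIN sys.endpoints AS ep
  ON p.class_desc = 'ENDPOINT' AND ep.endpoint_id = p.major_id
WHERE grantee.name NOT LIKE '##%'    -- skip internal certificate-mapped logins
ORDER BY grantee.name, p.class_desc, p.permission_name;
```

Run it as a login that can see all server metadata; a less-privileged login sees only a subset of the rows.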
Lesson 2: Working with Fixed Database Roles
• Database-scoped Permissions
• Overview of Fixed Database Roles
• Assigning Users to Roles
• Database Owner
• Demonstration 2A: Managing Roles and Users
Database-scoped Permissions
• Permissions at the database level can be assigned in three ways:
  - Fixed database roles
  - User-defined database roles
  - Specific database-scoped permissions
• Minimize the use of fixed database roles
  - Assign more specific permissions

```sql
USE AdventureWorks2008R2;
GO
-- Allow the HRManager database principal to create tables
GRANT CREATE TABLE TO HRManager;
GO
-- Allow James to view object definitions (metadata) in this database
GRANT VIEW DEFINITION TO James;
GO
```
Overview of Fixed Database Roles
| Role | Description |
|---|---|
| db_owner | Perform any configuration and maintenance activities on the DB and can drop it |
| db_securityadmin | Modify role membership and manage permissions |
| db_accessadmin | Add or remove access to the DB for logins |
| db_backupoperator | Back up the DB |
| db_ddladmin | Run any DDL command in the DB |
| db_datawriter | Add, delete, or change data in all user tables |
| db_datareader | Read all data from all user tables |
| db_denydatawriter | Cannot add, delete, or change data in user tables |
| db_denydatareader | Cannot read any data in user tables |
Assigning Users to Roles
• Users can be assigned to roles
  - Using GUI
  - Using T-SQL

```sql
USE AdventureWorks2008R2;
GO
-- Add the database user James to the db_datareader fixed database role
EXEC sp_addrolemember
    'db_datareader',
    'James';
GO
```
Database Owner
• dbo: the sa login and members of the sysadmin role are mapped to the dbo account, along with the owner of the database
Demonstration 2A: Managing Roles and Users
• In this demonstration, you will see:
  - How to view the available fixed database roles using the GUI
  - How to assign a fixed database role using the GUI
  - How to view the available fixed database roles using T-SQL
  - How to assign a fixed database role using T-SQL
  - How to view the members of fixed database roles using T-SQL
Lesson 3: Creating User-defined Database Roles
• Working with User-defined Database Roles
• Applying Roles in Common Scenarios
• Demonstration 3A: User-defined Database Roles
• Defining Application Roles
• Demonstration 3B: Application Roles
Working with User-defined Database Roles
• Database roles can be created, modified, and dropped
  - Use the CREATE ROLE statement to create a role
  - Roles have owners
  - Permissions are granted to the role
  - Role permissions are inherited by role members

```sql
USE MarketDev;
GO
-- Create the role, owned by dbo
CREATE ROLE MarketingReaders
AUTHORIZATION dbo;
GO
-- Role members inherit SELECT on every object in the Marketing schema
GRANT SELECT ON SCHEMA::Marketing
TO MarketingReaders;
GO
```
Applying Roles in Common Scenarios
• Typical scenario
  - Define dbo users and other administrative roles
  - Define permission groups within the database
  - Consider the use of the public role for common permissions
  - Create roles and assign permissions to them
  - Add users to roles
• For decision-making within code
  - IS_SRVROLEMEMBER, IS_MEMBER

```sql
-- Inside a transaction (for example, in a trigger):
-- undo the work when the caller is not in the BankManagers role
IF IS_MEMBER('BankManagers') = 0
BEGIN
    PRINT 'Operation is only for bank manager use';
    ROLLBACK;
END;
```
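A fail-closed form of the role check above, as an added example that is not part of the original course material. IS_MEMBER returns NULL when the role name is not valid, and a comparison with `= 0` does not fire on NULL; the table and trigger names are hypothetical, and BankManagers is the role from the slide.

```sql
-- Hypothetical table used only to host the trigger
CREATE TABLE dbo.InterestRates
(
    RateID int          NOT NULL PRIMARY KEY,
    Rate   decimal(5,2) NOT NULL
);
GO

-- Hypothetical trigger: only members of BankManagers may change rates
CREATE TRIGGER dbo.trg_InterestRates_ManagersOnly
ON dbo.InterestRates
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;

    -- IS_MEMBER returns 1 (member), 0 (not a member) or NULL (role name
    -- not valid, for example after the role is dropped or renamed).
    -- Allow the change only on an explicit 1, so NULL denies as well.
    IF ISNULL(IS_MEMBER('BankManagers'), 0) <> 1
    BEGIN
        RAISERROR('Operation is only for bank manager use', 16, 1);
        ROLLBACK TRANSACTION;
    END;
END;
GO
```

Members of sysadmin enter the database as dbo, for which IS_MEMBER returns 0, so this trigger also blocks them unless the check is extended with IS_SRVROLEMEMBER.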
Demonstration 3A: User-defined Database Roles
• In this demonstration, you will see:
  - How to create a user-defined database role using the GUI
  - How to create a user-defined database role using T-SQL
  - How to view the available database roles using T-SQL
Defining Application Roles
1. User runs app
2. App connects to db as user
3. App authenticates using sp_setapprole
4. App assumes app role

Application roles are used to enable permissions for users only while they are running particular applications.
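The flow above in T-SQL, as an added example that is not part of the original course material. The role name MarketingApp and the password are placeholders chosen here; MarketDev and the Marketing schema are the ones used earlier in this module.

```sql
USE MarketDev;
GO
-- Setup, run once by an administrator.
-- MarketingApp is a hypothetical name; replace the placeholder password.
CREATE APPLICATION ROLE MarketingApp
    WITH PASSWORD = 'Replace-With-Strong-Secret-1!',
         DEFAULT_SCHEMA = Marketing;
GO
GRANT SELECT ON SCHEMA::Marketing TO MarketingApp;
GO

-- Steps 3 and 4: run by the application on the user's own connection.
DECLARE @cookie varbinary(8000);

SELECT USER_NAME() AS before_approle;   -- the connecting database user

EXEC sp_setapprole
     @rolename      = 'MarketingApp',
     @password      = 'Replace-With-Strong-Secret-1!',
     @fCreateCookie = true,             -- keep a cookie so the switch can be undone
     @cookie        = @cookie OUTPUT;

SELECT USER_NAME() AS during_approle;   -- MarketingApp

-- Revert to the original security context using the saved cookie
EXEC sp_unsetapprole @cookie;

SELECT USER_NAME() AS after_approle;    -- the connecting database user again
GO
```

While the application role is active, the connection has the role's permissions instead of the user's own. The role password has to be available to the application, so protect it wherever the application stores it.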
Demonstration 3B: Application Roles
• In this demonstration, you will see how to:
  - Create an application role
  - Change security context to an application role
Lab 10: Assigning Server and Database Roles
• Exercise 1: Assign Server Roles
• Exercise 2: Assign Fixed Database Roles
• Exercise 3: Create and Assign User-defined Database Roles
• Challenge Exercise 4: Check Role Assignments (Only if time permits)
Logon information
Virtual machine: 623XB-MIA-SQL
User name: AdventureWorks\Administrator
Password: Pa$$w0rd
Estimated time: 45 minutes
Lab Scenario
You have created the SQL Server logins and database users. You now need to assign the logins and users to the required roles based upon the security requirements for the MarketDev database. You should assign the minimum level of access that will allow each user to perform their job. This will require a combination of server, fixed database, and user-defined database roles.
Do not be concerned with object and schema permissions, as these will be assigned in Module 11, but you do need to consider the role requirements that will be required at that time.
Note: the changes you make will later be migrated to the production environment. You should use T-SQL commands to implement the required changes.
Lab Review
• What is the biggest challenge when assigning permissions to users?
• Why do users often get granted more permissions than they need to do their work?
Module Review and Takeaways
• Review Questions
• Best Practices