Lecture 10

Uploaded by

hajer.ghinnewah
Lecture 10

Database Security

Mohamed al-jaafari
Lecture 10 – Spring 2023
Contents

• Login Authentication
• Database User Accounts and Roles
• Types of Roles
• Permission Validation
• SQL Server Security Components
• How Do Permissions Work?
Login Authentication
Database User Accounts and Roles
Permission Validation
Types of Roles

• Fixed Server Roles
Group administrative privileges at the server level
• Fixed Database Roles
Group administrative privileges at the database level
• User-defined Database Roles
Represent work defined by a group of employees within an organization
SQL Server Security Components

To effectively protect SQL Server, you must be able to provide approved users with the access they need to specific SQL Server resources, without compromising those or other resources, a process that involves the use of three important types of components:

• Principals
Entities that can be authenticated to access the SQL Server resources. For example, your Windows login can be configured as a principal that allows you to connect to a SQL Server database.
SQL Server supports three types of principals: logins, users, and roles.
  - Logins exist at the server level
  - Users exist at the database level
  - Roles can exist at either level

• Securables
SQL Server resources that can be accessed by a principal. Securables are the actual resources you're trying to protect, whether at the server level (e.g., availability groups), database level (e.g., fulltext catalog), or the schema level (e.g., table or function).

• Permissions
Types of access granted on a securable to a specific principal. For example, you can grant a Windows login (the principal) the ability to view data (the permission) in a specific database schema (the securable).
SQL Server Security Components

Principals V Securables
SQL Server–Authenticated Logins

• To create an authenticated login use:

CREATE LOGIN login_name
{ WITH PASSWORD = 'password' | FROM WINDOWS }

• To create an authenticated login data_entry with a password:

CREATE LOGIN data_entry
WITH PASSWORD = 'testme';

• To create an authenticated login from a Windows user:

CREATE LOGIN [DESKTOP-PC\Abdoessalam]
FROM WINDOWS;

CREATE LOGIN NewLogin WITH
PASSWORD = 'NewPassword1', DEFAULT_DATABASE = MASTER,
DEFAULT_LANGUAGE = US_ENGLISH;

• Change Password
ALTER LOGIN Mohamed WITH PASSWORD = 'bestsite';

• Disable a Login
ALTER LOGIN Mohamed DISABLE;

• Enable a Login
ALTER LOGIN Mohamed ENABLE;

• Rename a Login
ALTER LOGIN Ali WITH NAME = Mohamed;

• Find Logins
SELECT * FROM master.sys.sql_logins;

• Drop Logins
DROP LOGIN login_name;

• After creating a login, the login can connect to SQL Server, but only has the permissions granted to the public role.
• Consider performing some of the following activities:
  - To connect to a database, create a database user for the login.
  - Create a user-defined server role by using CREATE SERVER ROLE. Use ALTER SERVER ROLE ... ADD MEMBER to add the new login to the user-defined server role.
  - Use sp_addsrvrolemember to add the login to a fixed server role.
  - Use the GRANT statement to grant server-level permissions to the new login or to a role containing the login.
SQL Server–Database Users

• In order for the SQL Server login to access a database, a database user must be created:

CREATE USER user_name FROM LOGIN login_name

• To create a database user data_entry for the current database:

CREATE USER data_entry FROM LOGIN data_entry;

• Drop a User
DROP USER user_name;
• Find Users
SELECT * FROM master.sys.database_principals;
SELECT * FROM master.sys.sysusers;
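
The steps above (login, then database user, then role membership and grants) put together as one script. This is an added example, not part of the original slides; AppDemo, data_entry_login, order_entry and dbo.Orders are hypothetical names, and the password is a constructed placeholder to replace before use.

```sql
-- Added example: least-privilege provisioning, from the server level down to one table.
-- All object names are hypothetical. Run as an administrator on a test instance.
-- GO is the batch separator used by sqlcmd and SSMS.
CREATE DATABASE AppDemo;
GO
-- 1. Server level: SQL-authenticated login with the Windows password policy
--    and expiration enforced. The password is a placeholder; replace it.
CREATE LOGIN data_entry_login
    WITH PASSWORD = 'Ch4nge-Me-Before-Use!',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = AppDemo;
GO
USE AppDemo;
GO
CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, Item nvarchar(50));
GO
-- 2. Database level: map the login to a database user.
CREATE USER data_entry FROM LOGIN data_entry_login;
-- 3. Grant to a user-defined role rather than directly to the user,
--    then make the user a member of that role.
CREATE ROLE order_entry;
GRANT SELECT, INSERT ON dbo.Orders TO order_entry;
ALTER ROLE order_entry ADD MEMBER data_entry;
GO
-- 4. Verify as the user. HAS_PERMS_BY_NAME returns 1 when the permission
--    is effectively held and 0 when it is not. INSERT was granted through
--    the role; DELETE was never granted.
EXECUTE AS USER = 'data_entry';
SELECT HAS_PERMS_BY_NAME(N'dbo.Orders', N'OBJECT', N'INSERT') AS can_insert,
       HAS_PERMS_BY_NAME(N'dbo.Orders', N'OBJECT', N'DELETE') AS can_delete;
REVERT;
GO
-- 5. Clean up the demo objects.
USE master;
GO
DROP DATABASE AppDemo;
DROP LOGIN data_entry_login;
```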
Fixed Server-Level Roles

The fixed server-level roles and their capabilities.

• sysadmin
Members of the sysadmin fixed server role can perform any activity in the server.
• serveradmin
Members of the serveradmin fixed server role can change server-wide configuration options and shut down the server.
• securityadmin
Members of the securityadmin fixed server role manage logins and their properties. They can GRANT, DENY, and REVOKE server-level permissions. They can also GRANT, DENY, and REVOKE database-level permissions if they have access to a database. Additionally, they can reset passwords for SQL Server logins.
• processadmin
Members of the processadmin fixed server role can end processes that are running in an instance of SQL Server.
• setupadmin
Members of the setupadmin fixed server role can add and remove linked servers by using Transact-SQL statements.
• bulkadmin
Members of the bulkadmin fixed server role can run the BULK INSERT statement.
• diskadmin
The diskadmin fixed server role is used for managing disk files.
• dbcreator
Members of the dbcreator fixed server role can create, alter, drop, and restore any database.
• public
Every SQL Server login belongs to the public server role.
Manipulating Server Roles

• Add users to and remove users from roles.

ALTER SERVER ROLE server_role_name
{ ADD MEMBER server_principal
| DROP MEMBER server_principal
| WITH NAME = new_server_role_name };

• ADD MEMBER server_principal
Adds the specified server principal to the server role. server_principal can be a login or a user-defined server role.
• DROP MEMBER server_principal
Removes the specified server principal from the server role. server_principal can be a login or a user-defined server role.
• WITH NAME = new_server_role_name
Specifies the new name of the user-defined server role. This name cannot already exist in the server.

• The following example adds a SQL Server login named Ahmed to the diskadmin fixed server role.

ALTER SERVER ROLE diskadmin ADD MEMBER Ahmed;

• The following example removes a SQL Server login named Ahmed from the diskadmin fixed server role.

ALTER SERVER ROLE diskadmin DROP MEMBER Ahmed;


Fixed Database Roles

• Fixed database roles and their capabilities. These roles exist in all databases.
• db_owner
Can perform all configuration and maintenance activities on the database, and can also drop the database in SQL Server.
• db_securityadmin
Can modify role membership for custom roles only and manage permissions.
• db_accessadmin
Can add or remove access to the database for Windows logins, Windows groups and SQL Server logins.
• db_backupoperator
Can back up the database.
• db_ddladmin
Can run any Data Definition Language (DDL) command in a database.
• db_datawriter
Can add, delete, or change data in all user tables.
• db_datareader
Can read all data from all user tables and views.
• db_denydatawriter
Cannot add, modify, or delete any data in the user tables within a database.
• db_denydatareader
Cannot read any data from the user tables and views within a database.
Manipulating Database Roles

• Adds or removes members to or from a database role, or changes the name of a user-defined database role.

ALTER ROLE role_name
{ ADD MEMBER database_principal
| DROP MEMBER database_principal
| WITH NAME = new_name };

• role_name
Specifies the database role to change.
• ADD MEMBER database_principal
Adds the specified database principal to the database role.
• DROP MEMBER database_principal
Removes the specified database principal from the database role.
• WITH NAME = new_name
Specifies the new name of the user-defined database role. This name cannot already exist in the database.

• The following example adds the user 'Ahmed' to the fixed database-level role db_datareader.

ALTER ROLE db_datareader ADD MEMBER Ahmed;

• The following example removes a database user 'Ahmed' from the db_datareader fixed database role.

ALTER ROLE db_datareader DROP MEMBER Ahmed;
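
A review query for the fixed roles listed above, added here as an example rather than taken from the slides. It reports who currently holds each fixed server role and the more powerful fixed database roles in the current database, using the catalog views sys.server_role_members, sys.server_principals, sys.database_role_members, sys.database_principals and sys.sql_logins.

```sql
-- Added example: who is a member of which fixed role?
-- Server level: every member of a fixed server role.
SELECT r.name        AS server_role,
       m.name        AS member_name,
       m.type_desc   AS member_type,
       m.is_disabled AS login_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.is_fixed_role = 1
ORDER BY r.name, m.name;

-- Database level (current database): members of the fixed roles that can
-- change data, schema, access or permissions.
SELECT r.name      AS database_role,
       m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.is_fixed_role = 1
  AND r.name IN (N'db_owner', N'db_securityadmin', N'db_accessadmin',
                 N'db_ddladmin', N'db_datawriter')
ORDER BY r.name, m.name;

-- SQL-authenticated logins whose password is exempt from the password
-- policy or from expiration.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;
```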


SQL Server - Permissions

• Every SQL Server securable has associated permissions that can be granted to a principal.
• Permissions in the Database Engine are managed at the server level, where they are assigned to logins and server roles.
• Permissions at the database level are assigned to database users and database roles.
How Do Permissions Work?

You can grant users various privileges to tables. These permissions can be any combination of SELECT, INSERT, UPDATE, DELETE, REFERENCES, ALTER, or ALL.

• Syntax
GRANT { ALL [ PRIVILEGES ] }
| permission [ ( column [ ,...n ] ) ] [ ,...n ]
[ ON object ] TO name [ ,...n ]
[ WITH GRANT OPTION ]

• The privileges to assign. It can be any of the following values:

• Object
The name of the database object that you are granting permissions for. In the case of granting privileges on a table, this would be the table name.
• User
The name of the user that will be granted these privileges.

• GRANT SELECT, INSERT, UPDATE, DELETE ON Customers TO Mohamed;

• GRANT ALL ON Customers TO Ali;

• GRANT SELECT ON Customers TO public;

• GRANT SELECT ON Film (Title, Rate) TO Ahmed;

• GRANT UPDATE ON centre_db TO mohammad WITH GRANT OPTION;
How Do Permissions Work?

Once you have granted privileges, you may need to revoke some or all of these privileges. To do this, you can run a revoke command. You can revoke any combination of SELECT, INSERT, UPDATE, DELETE, REFERENCES, ALTER, or ALL.

• Syntax
REVOKE permission [ ,...n ]
[ ON object ] TO name [ ,...n ]
[ CASCADE ]
[ AS database_principal ]

• CASCADE
Indicates that the permission being revoked is also revoked from other principals to which it has been granted.

• It is the privileges to assign. It can be any of the following values:

• Object
The name of the database object that you are revoking privileges for. In the case of revoking privileges on a table, this would be the table name.
• User
The name of the user that will have these privileges revoked.

• REVOKE DELETE ON employees FROM Areej;

• REVOKE ALL ON employees FROM Ahmed;

• REVOKE SELECT ON employees FROM public;

Revoke EXECUTE permission on the stored procedure dbo.getStudentSemesters from user Ahmed:

REVOKE EXECUTE ON
OBJECT::dbo.getStudentSemesters FROM Ahmed;

Revokes view definition permission on the [SuperMarket] database from user Ahmed and from all principals to which Ahmed has granted view definition permission.

REVOKE VIEW DEFINITION FROM Ahmed CASCADE;
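
How WITH GRANT OPTION and REVOKE ... CASCADE interact, shown as an added example that is not from the original slides. It assumes a scratch database; dbo.DemoFilm, demo_grantor and demo_grantee are hypothetical names.

```sql
-- Added example; run in a scratch database. All names are hypothetical.
CREATE TABLE dbo.DemoFilm (Title nvarchar(100), Rate int);
CREATE USER demo_grantor WITHOUT LOGIN;
CREATE USER demo_grantee WITHOUT LOGIN;
GO
-- demo_grantor receives SELECT together with the right to pass it on.
GRANT SELECT ON dbo.DemoFilm TO demo_grantor WITH GRANT OPTION;
GO
-- Acting as demo_grantor, re-grant the permission to demo_grantee.
EXECUTE AS USER = 'demo_grantor';
GRANT SELECT ON dbo.DemoFilm TO demo_grantee;
REVERT;
GO
-- Inspect the grant chain: one row per grantee, with the grantor recorded.
SELECT pe.state_desc, pe.permission_name,
       USER_NAME(pe.grantee_principal_id) AS grantee,
       USER_NAME(pe.grantor_principal_id) AS grantor
FROM sys.database_permissions AS pe
WHERE pe.class = 1 AND pe.major_id = OBJECT_ID(N'dbo.DemoFilm');
GO
-- A permission that was granted WITH GRANT OPTION cannot be revoked without
-- CASCADE; the statement fails. With CASCADE, the grant that demo_grantor
-- made to demo_grantee is revoked as well.
REVOKE SELECT ON dbo.DemoFilm FROM demo_grantor CASCADE;
GO
-- Same query again: the rows for both users are gone.
SELECT pe.state_desc, pe.permission_name,
       USER_NAME(pe.grantee_principal_id) AS grantee,
       USER_NAME(pe.grantor_principal_id) AS grantor
FROM sys.database_permissions AS pe
WHERE pe.class = 1 AND pe.major_id = OBJECT_ID(N'dbo.DemoFilm');
GO
-- Clean up the demo objects.
DROP USER demo_grantee;
DROP USER demo_grantor;
DROP TABLE dbo.DemoFilm;
```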


How Do Permissions Work?

Denies a permission to a principal. Prevents that principal from inheriting the permission through its group or role memberships.

DENY <permission> [ ,...n ]
TO principal [ ,...n ]
[ AS principal ] [;]

DENY DELETE ON Flims TO Ahmed;

DENY UPDATE TO Ahmed CASCADE;
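
The difference between REVOKE and DENY for a permission that arrives through a role, as an added example (not from the original slides). It assumes a scratch database; dbo.DemoEmployees, demo_hr and demo_ahmed are hypothetical names.

```sql
-- Added example; run in a scratch database. All names are hypothetical.
CREATE TABLE dbo.DemoEmployees (EmpId int PRIMARY KEY, Name nvarchar(50));
CREATE ROLE demo_hr;
CREATE USER demo_ahmed WITHOUT LOGIN;
ALTER ROLE demo_hr ADD MEMBER demo_ahmed;
GRANT SELECT, DELETE ON dbo.DemoEmployees TO demo_hr;
GO
-- Step 1: demo_ahmed holds DELETE only through membership in demo_hr.
EXECUTE AS USER = 'demo_ahmed';
SELECT 'role grant only' AS step,
       HAS_PERMS_BY_NAME(N'dbo.DemoEmployees', N'OBJECT', N'DELETE') AS can_delete;
REVERT;
GO
-- Step 2: REVOKE on the user removes only a grant or deny made to that
-- user. There is none, so the role grant still applies.
REVOKE DELETE ON dbo.DemoEmployees FROM demo_ahmed;
EXECUTE AS USER = 'demo_ahmed';
SELECT 'after REVOKE on user' AS step,
       HAS_PERMS_BY_NAME(N'dbo.DemoEmployees', N'OBJECT', N'DELETE') AS can_delete;
REVERT;
GO
-- Step 3: DENY on the user takes precedence over the role's GRANT.
DENY DELETE ON dbo.DemoEmployees TO demo_ahmed;
EXECUTE AS USER = 'demo_ahmed';
SELECT 'after DENY on user' AS step,
       HAS_PERMS_BY_NAME(N'dbo.DemoEmployees', N'OBJECT', N'DELETE') AS can_delete;
REVERT;
GO
-- Step 4: REVOKE also removes a DENY, so the role grant applies again.
REVOKE DELETE ON dbo.DemoEmployees FROM demo_ahmed;
EXECUTE AS USER = 'demo_ahmed';
SELECT 'after REVOKE of the DENY' AS step,
       HAS_PERMS_BY_NAME(N'dbo.DemoEmployees', N'OBJECT', N'DELETE') AS can_delete;
REVERT;
GO
-- Clean up the demo objects.
ALTER ROLE demo_hr DROP MEMBER demo_ahmed;
DROP USER demo_ahmed;
DROP ROLE demo_hr;
DROP TABLE dbo.DemoEmployees;
```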
