Explaining SQL Server Security, Part 3: Permissions
In an earlier couple of posts, I had described three critical elements of SQL Server security: pieces, people and permissions.
For a non-technical person (such as, perhaps, an auditor) to understand SQL Server security, they need to have a grasp of all three elements.
In this post, I’m going to cover the third essential element: Permissions.
Part III: Permissions
Now we have the pieces and the people. But how can they do anything?
In other words, what can the people (the logins/users) do to the pieces (the databases/schemas and views)? For our purposes, we care about their abilities to add or change data in the database.
We can grant that ability in two ways:
Through a direct permission
In a database, someone has a permission when they can something to something. For example, they can insert (i.e. add a new) record to the General Ledger Transaction table. Or they can update (i.e. change) records in that table or delete them.
Given the above definitions, we can grant permissions to people to Insert, Update and Delete data in a couple of ways:
- We can grant a user or group permission on an individual table. For example, we can give NH\ajacobson the ability to update the general ledger transaction table.
- We can grant a given user or group permission to an entire schema. Let’s say we want to give an entire group access to a given application that uses a certain schema. Rather than go table by table, we can give rights at the schema level. For example, let’s say that in addition to dbo, we had another schema called custom. We could let users in the NH\r3grp update the custom schema.
Through server or database roles
Of course, just as it would be tedious to handle permission for every user, it would be equally tedious to handle every permission on a table-by-table (or other object) basis.
Therefore, SQL Server has what’s called roles. A role gives certain overarching rights (such as read data on an entire database). Roles exist at both the database level and instance level.
Roles can be assigned at the database level and at the server level.
Roles that we care about for our immediate purpose at the database level include:
- db_owner —can do anything to the database, (including update data)
- db-datawriter —can write data to any table on the database.
At the instance level, we care most about sysadmin, which gives rights to anyone to do anything. It essentially makes them the equivalent of sa. And we don’t want to give this permission to many people.
In these three posts, I’ve tried to give an overview of SQL Server security for folks with minimal understanding of it, which can include auditors.
Let me recap by highlighting the key terms:
If you know these terms, you’ve got a place to start.
Of course, tracking all these permissions can be tedious. The good news is that all of this is stored in SQL Server meta data. And I have queries (which I’m working on cleaning up) that report on all this.
If you’d like the queries, please let me know.