Permissions Lesson 13. Skills Matrix Security Modes Maintaining data integrity involves creating users, controlling their access and limiting their ability.

PermissionsPermissionsLesson 13

Skills MatrixSkills Matrix

Security ModesSecurity Modes

• Maintaining data integrity involves creating users, controlling their access and limiting their ability to read, change, add or delete data.

• SQL Server processes user names and passwords according to an authentication mode. SQL Server provides two such modes: – Windows Authentication.– Mixed.

Windows Authentication ModeWindows Authentication Mode• With this mode, users can sit down at their

computers, log in to the Windows domain, and gain access to SQL Server using the Kerberos security protocol.

• Use Windows Authentication mode so users don’t have to remember multiple usernames and passwords.

• Only users with Windows accounts can open a trusted connection to SQL Server. – This means others, such as Apple or Linux

clients, can’t use Windows Authentication mode because they don’t have a Windows user account.

Mixed ModeMixed Mode

• Mixed mode allows both Windows Authentication and SQL Server Authentication (or Standard Authentication).

• Anyone can gain access to SQL Server using Mixed mode. Mac users, Novell users, Unix users, and the like, can gain access using SQL Server authentication.

PermissionsPermissions

• Now that you’ve created user accounts for everyone, you need to restrict what those users can do with the database.

• You do so by assigning permissions directly to the users or adding the users to a database role with a predefined set of permissions.

PermissionsPermissions

• These permissions control create, alter and drop actions on:– Databases– Tables– Views– Procedures– Indexes– Rules– Defaults

Object PermissionsObject Permissions

• Once the structure exists to hold the data, you need to give users permission to start working with the data in the databases.

• You accomplish this by granting object permissions to your users.

• Using object permissions, you can control who may read from, write to, or otherwise manipulate your data.

Object PermissionsObject Permissions• Alter• Control• Create• Delete• Execute• Impersonate

• Insert• References• Select• Take Ownership• Update• View Definition

Permission StatesPermission States

• All the permissions in SQL Server can exist in one of three states:– Granted– Revoked– Denied

Using ImpersonationUsing Impersonation• SQL Server supports the ability to impersonate

another principal either explicitly by using the stand-alone EXECUTE AS statement, or implicitly by using the EXECUTE AS clause on modules.

• The stand-alone EXECUTE AS statement can be used to impersonate server-level principals, or logins, by using the EXECUTE AS LOGIN statement. – The stand-alone EXECUTE AS statement can

also be used to impersonate database level principals, or users, by using the EXECUTE AS USER statement.

Using ImpersonationUsing Impersonation

• Implicit impersonations that are performed through the EXECUTE AS clause on modules impersonate the specified user or login at the database or server level. – This impersonation depends on

whether the module is a database-level module, such as a stored procedure or function, or a server-level module, such as a server-level trigger.

Cross-Database OwnershipCross-Database Ownership• SQL Server can be configured to allow ownership

chaining between specific databases or across all databases inside a single instance of SQL Server.

• Cross-database ownership chaining is disabled by default.

• When multiple database objects access each other sequentially, the sequence is known as a chain.

• Ownership chaining enables managing access to multiple objects, such as multiple tables, by setting permissions on one object, such as a view.

SummarySummary• SQL Server has a sophisticated security

system that allows you to carefully implement your security plan. – SQL Server can operate in Mixed security

mode, which means Windows users and groups can be given access directly to SQL Server; or you can create separate, unique accounts that reside only in SQL Server.

– If SQL Server runs in Windows Authentication mode, every user must first connect with a preauthorized Windows account.

SummarySummary

• Each database in SQL Server has its own independent permissions.

• You looked at the two types of user permissions: statement permissions, which are used to create or change the data structure, and object permissions, which manipulate data.

• Remember that statement permissions can’t be granted to other users.

SummarySummary• This lesson examined the processes of

creating and managing logins, groups, and users.

• You learned how to create a Standard login and a Windows user or group login using SQL Server Management Studio or T-SQL, and you learned the appropriate use of each.

• If you have a well-designed security plan that incorporates growth, managing your user base can be a painless task.

Summary for Certification ExaminationSummary for Certification Examination

• Know the differences in authentication modes.

• Know when to use Mixed mode versus Windows Authentication mode.

• Mixed mode allows users who do not have an Active Directory account, such as Novell or Unix users, to access the SQL Server.

• Windows Authentication mode allows only users with Active Directory accounts to access SQL Server.

Summary for Certification ExaminationSummary for Certification Examination• Understand permissions. Know what the

permissions are, what they are for, as well as how to assign them.

• Don’t forget that two types of permissions exist, object and statement.

• Object permissions control a user’s ability to create or modify database objects, such as tables and views.

• Statement permissions control a user’s ability to manipulate data using statements such as SELECT or INSERT.