
Microsoft SQL 2012 | User-Defined Server Roles

CÔNG TY CỔ PHẦN TRƯỜNG CNTT TÂN ĐỨC
TAN DUC INFORMATION TECHNOLOGY SCHOOL JSC

LEARN MORE WITH LESS!

MICROSOFT SQL SERVER 2012
CODENAME DENALI
User-Defined Server Roles
Hands-on Lab

Table of Contents

Lab Environment
Lab Overview
About This Lab
Exercise: Creating User-defined Server Roles

Lab Environment
During this lab, you will work in a simulated environment with the following virtual
machines.

Computers and virtual machines used in this lab

This lab uses two virtual machines with the following details:

Setting                Value
Computer Name          DC
Function               tanduc.local Domain Controller
Operating System       Windows Server 2008 R2
IP                     192.168.1.1

Computer Name          SQLDENALI01
Function               Microsoft SQL Server Standalone Instance
Operating System       Windows Server 2008 R2 SP1
SQL Server Instances   SQL Server 2012 RC0
IP                     192.168.1.10

Logon credentials

Log on to the Hands-on Lab environment using the following credentials, unless
specified differently in the lab manual.

User Name Password Role
TANDUC\SQLAdmin01 P@ssword Administrator of SQLDENALI01

If you are required to log on, use the following key combinations:

Virtualization Strategy   Logon Key Combination
Hyper-V                   Ctrl+Alt+End


Lab Overview
Previous versions of SQL Server allowed you to create user-defined roles for database-specific
administration, but roles at the instance-level were predefined and fixed. Microsoft SQL Server
2005 introduced the ability to assign server level permissions to logins, but these permissions
could not be assigned to roles. This meant that server administrators did not have any flexibility
when it came to assigning instance-level security permissions to logins.
SQL Server Denali extends the concept of server permissions by allowing administrators to create
server-level user-defined roles. Server-level permissions can be granted to these roles, and logins
(or other user-defined server roles) made members of them, which gives administrators the same
flexibility in designing server-level authorization for logins that database roles have long
provided for database users.
Learning Objectives
After completing all of the exercises in this lab, you will understand:
How user-defined server roles are used.
How to create a user-defined server role.
How to define permissions associated with a user-defined server role.

Estimated lab time: 30 minutes
The estimated time to complete this lab depends on the virtual machine infrastructure.


About This Lab
Scenario
This lab introduces the concept of user-defined server roles, which is a new feature of SQL Server
Denali. User-defined server roles allow application administrators to create a role (basically a
collection of server principals) and assign granular permissions to the role. SQL Server Denali
maintains all existing fixed server roles for backwards compatibility purposes, so it is important
for administrators to understand the existing roles and their permissions before implementing
new user-defined roles.
Existing Fixed Server Roles
Existing SQL Server fixed server roles include:

Fixed Server Role   Server Level Permissions
sysadmin        Members of the sysadmin fixed server role can perform any activity in the server.
serveradmin     Members of the serveradmin fixed server role can change server-wide configuration
                options and shut down the server.
securityadmin   Members of the securityadmin fixed server role manage logins and their properties. They
                can GRANT, DENY, and REVOKE server-level permissions. They can also GRANT, DENY,
                and REVOKE database-level permissions if they have access to a database. Additionally,
                they can reset passwords for SQL Server logins. Because the ability to grant access and
                server permissions is in practice the ability to escalate, Microsoft's guidance is to
                treat securityadmin as equivalent to sysadmin when deciding who may hold it.
processadmin    Members of the processadmin fixed server role can end processes that are running in an
                instance of SQL Server.
setupadmin      Members of the setupadmin fixed server role can add and remove linked servers.
bulkadmin       Members of the bulkadmin fixed server role can run the BULK INSERT statement.
diskadmin       The diskadmin fixed server role is used for managing disk files.
dbcreator       Members of the dbcreator fixed server role can create, alter, drop, and restore any
                database.
public          Every SQL Server login belongs to the public server role. When a server principal has not
                been granted or denied specific permissions on a securable object, the principal inherits
                the permissions granted to public on that object. Only assign permissions to public when
                you want the securable to be available to every login. You cannot change membership in
                public.

Server Level Permissions
Only server-level permissions can be assigned to user-defined server roles. The permissions listed
here are the ones this lab discusses, not the complete set; SQL Server 2012 itself adds, among
others, CREATE SERVER ROLE and ALTER ANY SERVER ROLE for managing the roles created in this lab,
and sys.fn_builtin_permissions('SERVER') returns the full list for a given version. Their impact
on the server is as follows:

Permission                       Impact on Server
ADMINISTER BULK OPERATIONS       Grants or denies the ability to run BULK INSERT commands. However, INSERT
                                 permission must exist for the login on the table being loaded, and ALTER
                                 TABLE permission may also be required. The bulkadmin fixed server role is
                                 granted this permission implicitly.
ALTER ANY CONNECTION             Grants or denies the ability to manage existing connections to SQL Server,
                                 such as through the KILL statement. The processadmin fixed server role has
                                 this permission implicitly.
ALTER ANY CREDENTIAL             Grants or denies the ability to manage credentials. A credential is a stored
                                 identity and secret (typically a Windows account and its password) used to
                                 reach resources outside SQL Server, for example through a SQL Server Agent
                                 proxy that sets the security context of a job step.
ALTER ANY DATABASE               Grants or denies the ability to drop or modify existing databases as well as
                                 create new databases. The dbcreator fixed server role has this permission
                                 implicitly.
ALTER ANY ENDPOINT               Grants or denies the ability to create, drop, or modify endpoints. The
                                 sysadmin fixed server role has this permission implicitly.
ALTER ANY EVENT NOTIFICATION     Grants or denies the ability to create any event notification using CREATE
                                 EVENT NOTIFICATION, which delivers events through Service Broker.
ALTER ANY LINKED SERVER          Grants or denies the ability to create, drop, or modify linked servers. The
                                 setupadmin fixed server role has this permission implicitly.
ALTER ANY LOGIN                  Grants or denies the ability to create, drop, or modify logins. To affect a
                                 login that is a member of the sysadmin fixed server role, or a login that has
                                 been granted CONTROL SERVER, you must also hold CONTROL SERVER. The
                                 securityadmin fixed server role has this permission implicitly.
ALTER RESOURCES                  Grants or denies the ability to manage disk resources for SQL Server. The
                                 diskadmin and serveradmin fixed server roles are granted this permission
                                 implicitly.
ALTER SERVER STATE               Grants or denies the ability to manage some aspects of the server state, such
                                 as DBCC FREEPROCCACHE and DBCC FREESYSTEMCACHE. The serveradmin fixed server
                                 role has this permission implicitly.
ALTER SETTINGS                   Grants or denies the ability to run sp_configure and change settings, and to
                                 run RECONFIGURE afterwards. This permission is granted implicitly to members
                                 of the serveradmin and sysadmin fixed server roles.
ALTER TRACE                      Grants or denies the ability to run a server-side or SQL Server Profiler trace.
                                 Without this permission, the only logins able to run traces are members of the
                                 sysadmin fixed server role.

AUTHENTICATE SERVER              Grants or denies the ability for a security context established by
                                 impersonation (EXECUTE AS) inside a database to be trusted at server scope,
                                 so that it can reach securables outside that database.
CONNECT SQL                      Grants or denies the ability to connect to the SQL Server instance. Every
                                 newly created login is granted this permission automatically.
CONTROL SERVER                   Grants or denies the ability to do anything on the SQL Server instance. The
                                 sysadmin fixed server role has this permission implicitly.
CREATE ANY DATABASE              Grants or denies the ability to create new databases. The dbcreator fixed
                                 server role has this permission implicitly.
CREATE DDL EVENT NOTIFICATION    Grants or denies the ability to create a DDL event notification using CREATE
                                 EVENT NOTIFICATION, which delivers events through Service Broker.
CREATE ENDPOINT                  Grants or denies the ability to create an endpoint, which is a connection
                                 point into SQL Server. The serveradmin and sysadmin fixed server roles have
                                 this permission implicitly.
CREATE TRACE EVENT NOTIFICATION  Grants or denies the ability to create a trace event notification using
                                 CREATE EVENT NOTIFICATION, which delivers events through Service Broker.
EXTERNAL ACCESS ASSEMBLY         Grants or denies the ability to add CLR assemblies to SQL Server with
                                 PERMISSION_SET = EXTERNAL_ACCESS.
SHUTDOWN                         Grants or denies the ability to shut down the SQL Server service. The
                                 sysadmin and serveradmin fixed server roles have this permission implicitly.
UNSAFE ASSEMBLY                  Grants or denies the ability to add CLR assemblies to SQL Server with
                                 PERMISSION_SET = UNSAFE. An UNSAFE assembly can call unmanaged code in the
                                 context of the SQL Server service account, so this permission is effectively
                                 sysadmin-equivalent; grant it only to principals you would make sysadmin.
VIEW ANY DATABASE                Grants or denies the ability to see database metadata through sys.databases,
                                 sysdatabases, or sp_helpdb. The public server role is granted this permission
                                 by default (meaning anyone who can connect to the instance).
VIEW ANY DEFINITION              Grants or denies the ability to see the T-SQL definition and metadata of any
                                 object within the server.
VIEW SERVER STATE                Grants or denies the ability to see server state through the dynamic
                                 management views and functions (for example sys.dm_exec_requests). The
                                 serveradmin fixed server role has this permission implicitly.
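The table above is a teaching subset. As an added example (not part of the original lab), the following query lists every server-level permission the instance actually knows about, taken from sys.fn_builtin_permissions, next to any explicit GRANT or DENY of it recorded in sys.server_permissions. It assumes SQL Server 2012 or later and a connection that can see all server permissions (sysadmin, or VIEW ANY DEFINITION). A NULL grantee means nobody holds the permission explicitly; fixed-role rights are implicit and never appear as rows in sys.server_permissions. The risk_note column is the editor's annotation, not a catalog value.

```sql
-- Inventory of server-level permissions on this instance: what exists versus what is
-- explicitly granted or denied. Added example, not the lab's own script.
-- Assumes SQL Server 2012+ and a connection with VIEW ANY DEFINITION or sysadmin.
SELECT  bp.permission_name,
        bp.covering_permission_name,        -- broader permission that implies this one (CONTROL SERVER at the top)
        sp.name      AS grantee,            -- NULL: no explicit grant; fixed-role rights are implicit
        sp.type_desc AS grantee_type,       -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP, SERVER_ROLE, ...
        p.state_desc AS state,              -- GRANT, GRANT_WITH_GRANT_OPTION, DENY
        CASE WHEN bp.permission_name IN ('CONTROL SERVER', 'UNSAFE ASSEMBLY')
             THEN 'review: sysadmin-equivalent in practice'   -- editor's annotation, not a catalog value
             ELSE '' END AS risk_note
FROM    sys.fn_builtin_permissions('SERVER') AS bp
LEFT JOIN sys.server_permissions AS p
       ON p.class_desc = 'SERVER'
      AND p.permission_name = bp.permission_name
      AND p.permission_name <> 'CONNECT SQL'   -- every login has it; keep the row, drop the noise
LEFT JOIN sys.server_principals AS sp
       ON sp.principal_id = p.grantee_principal_id
ORDER BY bp.permission_name, sp.name;
```

Run it before and after creating a user-defined server role: the new role shows up as a SERVER_ROLE grantee against exactly the permissions you granted, which is the record the lab later asks you to keep.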



Exercise: Creating User-defined Server Roles
Scenario
In previous versions of SQL Server, server permissions were granted either through the use of
fixed server roles, or by assigning specific permissions directly to logins. This technique was
difficult to document and sometimes led to excessive permissions being applied.
SQL Server Denali introduces the concept of user-defined server roles, allowing application
administrators to be very specific about assigning server-level permissions while maintaining the
ability to group users for administrative purposes.
By the end of this exercise you will be able to:
Use the security catalog views (sys.server_permissions, sys.server_principals) to inspect the
server-level permissions assigned to logins.
Create a user-defined server role.
Assign permissions to a user-defined server role.
Assign logins to a user-defined server role.

Task 1: Working with User Defined Server Roles


This Task is executed on SQLDENALI01

If you need to logon to this server use the following credentials:
Username: TANDUC\SQLAdmin01
Password: P@ssw0rd

Initialize the Lab Environment
If you have not done the Contained Database lab:
1. Log on to SQLDENALI01.
2. Click Start, Run, and type C:\Labfiles\ContainedDB.
3. Right-click SetupLab.cmd and click Run as administrator.
4. Wait until the command window closes (approximately five minutes).

View existing server-level permissions
5. Log on to the SQLDENALI01 virtual machine.
6. Click Start | All Programs | Microsoft SQL Server 2012 RC0 | SQL Server Management Studio.
7. Connect to the SQLDENALI01\INSTANCE2 instance using Windows Authentication.
8. On the toolbar, click New Query.

9. Run the following T-SQL command:
Note: You can also find the script here:
C:\Labfiles\UserDefinedRoles\Scripts\ViewServPermissions.sql.

-- Server-level grants and denies held directly by logins
-- (S = SQL login, U = Windows login, G = Windows group).
SELECT sp.name, sp.type_desc, p.permission_name, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS sp
    ON p.grantee_principal_id = sp.principal_id
WHERE sp.type IN ('S', 'U', 'G');

The result of the query shows every login that has been assigned any kind of server-level
permission. You will notice that several built-in logins hold server-level permissions
beyond the CONNECT SQL permission that every login needs.

Create a new SQL Server login and check server-level permissions
10. In the Object Explorer pane, right-click the Security node, click New,
and then select Login.
11. On the Login New page, in the Login name box, type User1.
12. Select SQL Server Authentication.
13. Type pass@word1 in the Password and Confirm password boxes.
14. Clear the User must change password at next login check box.
15. Select AdventureWorks in the Default database list.
16. Select the User Mapping page from the Select a page pane.

17. In the Users mapped to this login section, select the
AdventureWorks database.
18. Click OK.


19. Run the T-SQL command from step 9 above and notice the new row
in the result set.

When new logins are created and allowed to log on to
the server, the server-level permission CONNECT SQL is
assigned automatically.


Microsoft SQL 2012 | User-Defined Server Roles 11
CNG TY C PHN TRNG CNTT TN C
TAN DUC INFORMATION TECHNOLOGY SCHOOL JSC

LEARN MORE WITH LESS!
Create a new user-defined server role
20. In the Object Explorer pane, right-click the Security node, click New,
and then select Server role.
21. On the New Server Role page, in the Server role name box, type
DatabaseTuner.
22. In the Securables section, expand the Servers node, and then select
SQLDENALI01\INSTANCE2.
23. In the Permissions for SQLDENALI01\INSTANCE2 box, select the
Alter server state row, and then select the Grant check box.
24. Click OK.

25. Run the query from step 9 above. Note that there are no additional
rows in the result set.

A user-defined server role is itself a server principal (type R), so the query as
written, which filters on logins only (types S, U and G), does not list the
DatabaseTuner role or the ALTER SERVER STATE grant made to it. The grant is stored in
sys.server_permissions against the role's principal_id, and membership is stored in
sys.server_role_members; to see which logins effectively hold the permission, a query
has to follow that membership from login to role (and, since user-defined server roles
can be nested, from role to role). Document the permissions granted to each
user-defined role as you create it.
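The query from step 9 only shows direct grants. As an added example (not part of the original lab), the script below resolves the effective server-level permissions of every login by walking sys.server_role_members recursively, so a grant to DatabaseTuner, or to a role that DatabaseTuner is itself a member of, is attributed back to User1. It assumes SQL Server 2012 or later and a connection that can read the security catalog views (VIEW ANY DEFINITION or sysadmin). The names User1 and DatabaseTuner are only the lab's examples; the query is generic.

```sql
-- Effective server-level permissions per login, resolved through server role membership.
-- Added example, not the lab's own script. Assumes SQL Server 2012+ (user-defined server
-- roles can be nested, so membership is walked recursively) and a connection that can read
-- sys.server_role_members / sys.server_permissions (VIEW ANY DEFINITION or sysadmin).
IF OBJECT_ID('tempdb..#membership') IS NOT NULL DROP TABLE #membership;

WITH membership AS (
    -- Depth 0: each login and each role stands for itself.
    SELECT  principal_id AS login_id,
            principal_id AS role_id,
            0            AS depth,
            CAST(name AS nvarchar(4000)) AS via
    FROM    sys.server_principals
    WHERE   type IN ('S', 'U', 'G', 'R')        -- SQL login, Windows login, Windows group, server role
    UNION ALL
    -- Depth n+1: follow member -> role edges, so login -> DatabaseTuner -> OtherRole is resolved.
    SELECT  m.login_id,
            rm.role_principal_id,
            m.depth + 1,
            CAST(m.via + N' -> ' + r.name AS nvarchar(4000))
    FROM    membership AS m
    JOIN    sys.server_role_members AS rm ON rm.member_principal_id = m.role_id
    JOIN    sys.server_principals   AS r  ON r.principal_id = rm.role_principal_id
    WHERE   m.depth < 32                        -- belt and braces; SQL Server rejects circular membership
)
SELECT login_id, role_id, depth, via
INTO   #membership
FROM   membership;

-- 1. Explicit GRANT/DENY rows a login holds directly or through any role in its chain.
--    Fixed server roles have no rows in sys.server_permissions (their rights are implicit),
--    which is why a grant made to a user-defined role only becomes visible once membership is followed.
SELECT  l.name AS login_name, l.type_desc, m.via, p.permission_name, p.state_desc
FROM    #membership AS m
JOIN    sys.server_principals  AS l ON l.principal_id = m.login_id
JOIN    sys.server_permissions AS p ON p.grantee_principal_id = m.role_id
WHERE   p.class_desc = 'SERVER'
  AND   l.type IN ('S', 'U', 'G')
  AND   p.permission_name <> 'CONNECT SQL'      -- every login has it; hide the noise
ORDER BY l.name, m.depth, p.permission_name;

-- 2. Fixed-role membership reached directly or through nested user-defined roles.
--    (public has no rows in sys.server_role_members; its grants, e.g. VIEW ANY DATABASE, apply to everyone.)
SELECT  l.name AS login_name, m.via, r.name AS fixed_role
FROM    #membership AS m
JOIN    sys.server_principals AS l ON l.principal_id = m.login_id
JOIN    sys.server_principals AS r ON r.principal_id = m.role_id
WHERE   r.is_fixed_role = 1
  AND   m.depth > 0
  AND   l.type IN ('S', 'U', 'G')
ORDER BY r.name, l.name;

DROP TABLE #membership;
```

After step 31 of the exercise, the first result set contains a row for User1 with via = "User1 -> DatabaseTuner" and permission ALTER SERVER STATE; a DENY placed directly on the login would appear as a second row for the same permission, and DENY wins. The second result set is the list you want to review regularly: every path by which a login ends up in sysadmin, securityadmin or another fixed role.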


Microsoft SQL 2012 | User-Defined Server Roles 12
CNG TY C PHN TRNG CNTT TN C
TAN DUC INFORMATION TECHNOLOGY SCHOOL JSC

LEARN MORE WITH LESS!
Test existing permissions of the User1 login
26. In the Object Explorer pane, in the Connect list, select Database
Engine.
27. Connect to the SQLDENALI01\INSTANCE2 instance with SQL Server
Authentication and the User1 login that you created above, using
the password pass@word1.
You will now have two connections to the
SQLDENALI01\INSTANCE2 instance. (You may want to expand the
Object Explorer pane so you can see which login is being used.)

28. Right-click the second connection for SQLDENALI01\INSTANCE2 (the
User1 connection) and select New Query.
29. In the query window, attempt to run the following T-SQL command:
DBCC FREEPROCCACHE;



Even though the login has rights in the AdventureWorks database, it does not have the
server-level right required to run the DBCC command. This can be a problem for
administrators who want to let database developers clear cached plans while tuning
queries (DBCC FREEPROCCACHE is a common part of query tuning) but do not want to make
them members of serveradmin or sysadmin. Note that ALTER SERVER STATE is broader than
this one command: it also covers DBCC FREESYSTEMCACHE and similar operations, and DBCC
FREEPROCCACHE without a plan handle discards every cached plan on the instance, not just
the developer's own. If the goal is only a fresh plan for one query, OPTION (RECOMPILE)
on that query needs no server-level permission at all.

Assign the User1 Login to the DatabaseTuner Server Role
30. In the Object Explorer pane, right-click the first connection to
SQLDENALI01\INSTANCE2 (the SQLAdmin01 connection), and then
click New Query.
31. In the query window, run the following T-SQL command:
ALTER SERVER ROLE [DatabaseTuner] ADD MEMBER [User1];


32. Switch back to the query window that contains the failed DBCC
command execution.
33. Run the DBCC FREEPROCCACHE command again, and note the
successful execution.


Unlike Windows group membership, which is fixed in the user's access token at logon, a
SQL Server login's security context is refreshed when its role membership or permissions
change, so there is no need to log off and back on after changing the role membership.
SQL Server performs the authorization check at the time the access is requested, and if
the login now holds the required permission the command runs successfully.
34. Close SQL Server Management Studio.
35. Log off the SQLDENALI01 virtual machine.
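The exercise above is driven through the SSMS dialogs. As an added example (not the lab's own script), the following T-SQL performs the same steps, verifies the outcome with HAS_PERMS_BY_NAME while impersonating the login (it returns 1 when the impersonated login holds the permission and 0 otherwise), and shows one failure mode the dialogs do not: an explicit DENY on the login overrides the GRANT inherited through the role. It assumes you are connected as a sysadmin (TANDUC\SQLAdmin01 in the lab) to a SQL Server 2012 or later instance running in mixed-mode authentication. The password is the lab's placeholder; use something else outside the lab. Because DBCC FREEPROCCACHE clears the whole plan cache, run this on a lab instance only.

```sql
-- T-SQL equivalent of the exercise, with a permission check before and after membership
-- and one failure mode (an explicit DENY). Added example, not the lab's own script.
-- Assumes: connected as a sysadmin to SQL Server 2012+ in mixed-mode authentication.
USE master;
GO
-- 1. The login. By default it receives only CONNECT SQL at the server level.
--    (The lab also sets its default database to AdventureWorks; omitted here so the
--    script runs on an instance without that database.)
IF SUSER_ID(N'User1') IS NULL
    CREATE LOGIN [User1] WITH PASSWORD = N'pass@word1';   -- lab placeholder password
GO
-- 2. The role, owned by the login that creates it unless AUTHORIZATION is given,
--    with exactly the one permission DBCC FREEPROCCACHE needs.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DatabaseTuner' AND type = 'R')
    CREATE SERVER ROLE [DatabaseTuner];
GRANT ALTER SERVER STATE TO [DatabaseTuner];
GO
-- 3. Before membership: impersonate the login and ask the engine directly.
EXECUTE AS LOGIN = N'User1';
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SERVER STATE') AS has_alter_server_state;  -- no permission yet
REVERT;
GO
-- 4. Add the member. The change is effective at once; no new connection is required.
ALTER SERVER ROLE [DatabaseTuner] ADD MEMBER [User1];
EXECUTE AS LOGIN = N'User1';
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SERVER STATE') AS has_alter_server_state;  -- granted through the role
DBCC FREEPROCCACHE;                                                                    -- succeeds now
REVERT;
GO
-- 5. Failure mode: a DENY on the login overrides the GRANT inherited through the role.
DENY ALTER SERVER STATE TO [User1];
EXECUTE AS LOGIN = N'User1';
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SERVER STATE') AS has_alter_server_state;  -- denied despite membership
REVERT;
REVOKE ALTER SERVER STATE FROM [User1];    -- removes the DENY row; the role's GRANT applies again
GO
-- 6. Record what the role carries and who is in it, as the lab asks you to document.
SELECT r.name AS role_name, p.permission_name, p.state_desc
FROM   sys.server_principals  AS r
JOIN   sys.server_permissions AS p ON p.grantee_principal_id = r.principal_id
WHERE  r.name = N'DatabaseTuner' AND r.type = 'R';

SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM   sys.server_role_members AS rm
JOIN   sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name = N'DatabaseTuner';
GO
-- 7. Cleanup when you are done with the lab.
-- ALTER SERVER ROLE [DatabaseTuner] DROP MEMBER [User1];
-- DROP SERVER ROLE [DatabaseTuner];
-- DROP LOGIN [User1];
```

Two design points: the role carries a single, named permission rather than a fixed-role membership, so the documentation in step 6 is the complete statement of what its members can do; and the checks use EXECUTE AS LOGIN from the administrator's own session, which lets you verify a grant without handing out the test login's password or opening a second connection.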

Review
In this exercise you examined the server-level rights currently assigned to server principals.
You then created a new SQL Server login and a user-defined server role carrying a single
server-level permission. You attempted to run a common DBCC command while connected as the new
login, and it failed. Finally, you added the login to the user-defined role and ran the DBCC
command successfully.
