Microsoft SQL 2012 User-Defined Server Roles Hands-on Lab. Lab uses two virtual machines with the following details: computer Name SQLDENALI01 Function Microsoft(r) SQL Server(r) Standalone Instance Operating System Windows Server 2008 R2 IP 192.168.1.
MICROSOFT SQL SERVER 2012 CODENAME DENALI User-Defined Server Roles Hands-on Lab
Microsoft SQL 2012 | User-Defined Server Roles 2 CÔNG TY CỔ PHẦN TRƯỜNG CNTT TÂN ĐỨC TAN DUC INFORMATION TECHNOLOGY SCHOOL JSC
LEARN MORE WITH LESS!
Table of Contents

Table of Contents ............................................ 2
Lab Environment .............................................. 3
Lab Overview ................................................. 4
About This Lab ............................................... 5
Exercise: Creating User-defined Server Roles ................. 8
Lab Environment

During this lab, you will work in a simulated environment with the following virtual machines.
Computers and virtual machines used in this lab

This lab uses two virtual machines with the following details:

Computer Name: DC
Function: tanduc.local Domain Controller
Operating System: Windows Server 2008 R2
IP: 192.168.1.1

Computer Name: SQLDENALI01
Function: Microsoft SQL Server Standalone Instance
Operating System: Windows Server 2008 R2 SP1
SQL Server Instances: SQL Server 2012 RC0
IP: 192.168.1.10
Logon credentials
Log on to the Hands-on Lab environment using the following credentials, unless specified differently in the lab manual.
User Name: TANDUC\SQLAdmin01
Password: P@ssword
Role: Administrator of SQLDENALI01
If you are required to log on, use the following key combinations:
Lab Overview

Previous versions of SQL Server allowed you to create user-defined roles for database-specific administration, but roles at the instance level were predefined and fixed. Microsoft SQL Server 2005 introduced the ability to assign server-level permissions to logins, but these permissions could not be assigned to roles. This meant that server administrators did not have any flexibility when it came to assigning instance-level security permissions to logins.

SQL Server Denali extends the concept of server permissions by allowing administrators to create server-level user-defined roles. Server-level permissions can be associated with these roles, giving administrators total flexibility when designing server-level authorization for database users.

Learning Objectives

After completing all of the exercises in this lab, you will understand:
- How user-defined server roles are used.
- How to create a user-defined server role.
- How to define permissions associated with a user-defined server role.

Estimated lab time: 30 minutes

The estimated time to complete this lab depends on the virtual machine infrastructure.
About This Lab

Scenario

This lab introduces the concept of user-defined server roles, which is a new feature of SQL Server Denali. User-defined server roles allow application administrators to create a role (basically a collection of server principals) and assign granular permissions to the role. SQL Server Denali maintains all existing fixed server roles for backwards compatibility purposes, so it is important for administrators to understand the existing roles and their permissions before implementing new user-defined roles.

Existing Fixed Server Roles

Existing SQL Server fixed server roles and their server-level permissions are:

sysadmin: Members of the sysadmin fixed server role can perform any activity in the server.
serveradmin: Members of the serveradmin fixed server role can change server-wide configuration options and shut down the server.
securityadmin: Members of the securityadmin fixed server role manage logins and their properties. They can GRANT, DENY, and REVOKE server-level permissions. They can also GRANT, DENY, and REVOKE database-level permissions if they have access to a database. Additionally, they can reset passwords for SQL Server logins.
processadmin: Members of the processadmin fixed server role can end processes that are running in an instance of SQL Server.
setupadmin: Members of the setupadmin fixed server role can add and remove linked servers.
bulkadmin: Members of the bulkadmin fixed server role can run the BULK INSERT statement.
diskadmin: The diskadmin fixed server role is used for managing disk files.
dbcreator: Members of the dbcreator fixed server role can create, alter, drop, and restore any database.
public: Every SQL Server login belongs to the public server role. When a server principal has not been granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object. Only assign public permissions on any object when you want the object to be available to all users. You cannot change membership in public.
Server Level Permissions

Only server-level permissions can be assigned to user-defined server roles. These permissions and their impact on the server are as follows:

ADMINISTER BULK OPERATIONS: Grants or denies the ability to run BULK INSERT commands. However, INSERT permissions must exist for the login with respect to the table being loaded. In addition, ALTER TABLE permissions may also be required. The bulkadmin fixed server role is granted this permission implicitly.
ALTER ANY CONNECTION: Grants or denies the ability to manage existing connections to SQL Server, such as through the use of the KILL reserved word. The processadmin fixed server role has this permission granted implicitly.
ALTER ANY CREDENTIAL: Grants or denies the ability to manage credentials. Credentials are Windows user account/password combinations which can be used outside of SQL Server. They are used with SQL Server Agent jobs to set the security context for a job running outside of SQL Server.
ALTER ANY DATABASE: Grants or denies the ability to drop or modify existing databases as well as create new databases. The dbcreator fixed server role has this permission granted implicitly.
ALTER ANY ENDPOINT: Grants or denies the ability to create, drop, or modify endpoints. The sysadmin fixed server role has this permission granted implicitly.
ALTER ANY EVENT NOTIFICATION: Grants or denies the ability to create any event notification using CREATE EVENT NOTIFICATION with respect to Service Broker.
ALTER ANY LINKED SERVER: Grants or denies the ability to create, drop, or modify linked server connections.
ALTER ANY LOGIN: Grants or denies the ability to create, drop, or modify logins. To affect a login which is a member of the sysadmin fixed server role or a login which has been granted CONTROL SERVER permissions, you must also have CONTROL SERVER permissions. The securityadmin fixed server role has this permission granted implicitly.
ALTER ANY RESOURCES: Grants or denies the ability to manage disk resources for SQL Server. The diskadmin and serveradmin fixed server roles are granted this permission implicitly.
ALTER SERVER STATE: Grants or denies the ability to manage some aspects of the server, such as DBCC FREEPROCCACHE and DBCC FREESYSTEMCACHE.
ALTER SETTINGS: Grants or denies the ability to run sp_configure and change settings. Also grants or denies the ability to run RECONFIGURE afterwards. This permission is granted by default to members of the serveradmin and sysadmin fixed server roles.
ALTER TRACE: Grants or denies the ability to run a server-side or SQL Server Profiler trace. Without this permission, the only logins capable of running traces are members of the sysadmin fixed server role.
AUTHENTICATE SERVER: Grants or denies the ability to use a particular signature across all databases on the server when impersonation is used.
CONNECT SQL: Grants or denies the ability to connect to the SQL Server. All logins, when newly created, are granted this permission automatically.
CONTROL SERVER: Grants or denies the ability to do anything on the SQL Server. The sysadmin fixed server role has this permission granted implicitly.
CREATE ANY DATABASE: Grants or denies the ability to create new databases. The dbcreator fixed server role has this permission granted implicitly.
CREATE DDL EVENT NOTIFICATION: Grants or denies the ability to create a DDL event notification using CREATE EVENT NOTIFICATION with respect to Service Broker.
CREATE ENDPOINT: Grants or denies the ability to create an endpoint, which is a connection into SQL Server. The serveradmin and sysadmin fixed server roles have this permission granted implicitly.
CREATE TRACE EVENT NOTIFICATION: Grants or denies the ability to create a trace event notification using CREATE EVENT NOTIFICATION with respect to Service Broker.
EXTERNAL ACCESS ASSEMBLY: Grants or denies the ability to add CLR assemblies to SQL Server that have a permission set of EXTERNAL_ACCESS.
SHUTDOWN: Grants or denies the ability to shut down the SQL Server service. The sysadmin and serveradmin fixed server roles have this permission implicitly.
UNSAFE ASSEMBLY: Grants or denies the ability to add CLR assemblies to SQL Server that have a permission set of UNSAFE.
VIEW ANY DATABASE: Grants or denies the ability to see metadata on databases through sys.databases, sysdatabases, or sp_helpdb. The public fixed server role has this permission implicitly (meaning anyone who can connect to the SQL Server instance).
VIEW ANY DEFINITION: Grants or denies the ability to see the T-SQL code and any metadata for any object within the server.
VIEW SERVER STATE: Grants or denies the ability to see server-level configuration information. The serveradmin fixed server role has this permission implicitly.
Exercise: Creating User-defined Server Roles

Scenario

In previous versions of SQL Server, server permissions were granted either through the use of fixed server roles or by assigning specific permissions directly to logins. This technique was difficult to document and sometimes led to excessive permissions being applied. SQL Server Denali introduces the concept of user-defined server roles, allowing application administrators to be very specific about assigning server-level permissions while maintaining the ability to group users for administrative purposes.

By the end of this exercise you will be able to:
- Use Dynamic Management Views (DMVs) to monitor existing server-level permissions assigned to logins.
- Create a user-defined server role.
- Assign permissions to a user-defined server role.
- Assign logins to a user-defined server role.
Task 1: Working with User Defined Server Roles
This Task is executed on SQLDENALI01
If you need to log on to this server, use the following credentials:
Username: TANDUC\SQLAdmin01
Password: P@ssw0rd

Initialize the Lab Environment

If you have not done the Contained Database lab:
1. Log on to SQLDENALI01.
2. Click Start, Run, and type C:\Labfiles\ContainedDB.
3. Right-click SetupLab.cmd and click Run as administrator.
4. Wait until the command window closes (approximately five minutes).

View existing server-level permissions
5. Log on to the SQLDENALI01 virtual machine.
6. Click Start | All Programs | Microsoft SQL Server 2012 RC0 | SQL Server Management Studio.
7. Connect to the SQLDENALI01\INSTANCE2 instance using Windows Authentication.
8. On the toolbar, click New Query.
9. Run the following T-SQL command:

Note: You can also find the script here: C:\Labfiles\UserDefinedRoles\Scripts\ViewServPermissions.sql.

    -- List every server-level permission granted or denied directly to a login.
    -- Principal types: S = SQL login, U = Windows login, G = Windows group.
    SELECT sp.name, sp.type_desc, p.permission_name, p.state_desc
    FROM sys.server_permissions p
    JOIN sys.server_principals sp ON p.grantee_principal_id = sp.principal_id
    WHERE sp.type IN ('S', 'U', 'G');

The result of the query shows all logins that have been assigned any type of server right. You will notice that there are several built-in logins that have server-level permissions beyond the required CONNECT SQL permission.
Create a new SQL Server login and check server-level permissions
10. In the Object Explorer pane, right-click the Security node, click New, and then select Login.
11. On the Login - New page, in the Login name box, type User1.
12. Select SQL Server Authentication.
13. Type pass@word1 in the Password and Confirm password boxes.
14. Clear the User must change password at next login check box.
15. Select AdventureWorks in the Default database list.
16. Select the User Mapping page from the Select a page pane.
17. In the Users mapped to this login section, select the AdventureWorks database.
18. Click OK.
19. Run the T-SQL command from step 9 above and notice the new row in the result set.
When new logins are created and allowed to log on to the server, the server-level permission CONNECT SQL is assigned automatically.
Create a new user-defined server role
20. In the Object Explorer pane, right-click the Security node, click New, and then select Server role.
21. On the New Server Role page, in the Server role name box, type DatabaseTuner.
22. In the Securables section, expand the Servers node, and then select SQLDENALI01\INSTANCE2.
23. In the Permissions for SQLDENALI01\INSTANCE2 box, select the Alter server state row, and then select the Grant check box.
24. Click OK.
25. Run the query from step 9 above. Note that there are no additional rows in the result set.

When new user-defined server roles are created and assigned permissions, they do not show up in the query as written. They will show up as server principals, but these views do not walk the role membership to determine which logins have the rights assigned. It is very important to document the rights assigned to each of the user-defined roles as they are created.
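The step 9 query filters on login types (S, U, G) and so never shows rights that reach a login through a user-defined server role. As an added example that is not part of the lab manual, the following T-SQL extends that query by walking sys.server_role_members, so that each row says whether a permission is held directly or through a named role. User-defined server roles can be nested in one another, so membership is resolved with a recursive CTE; the aliases, the depth cap and the granted_via column are choices of this example, and the role and login names (DatabaseTuner, User1) are the lab's.

```sql
-- Added audit query (not the lab's ViewServPermissions.sql):
-- attribute every explicit server-level GRANT/DENY to the logins
-- that hold it, directly or through user-defined server role membership.
;WITH RoleMembership AS (
    -- Anchor: a principal that is a direct member of a role.
    SELECT rm.member_principal_id AS login_id,
           rm.role_principal_id   AS role_id,
           1                      AS depth
    FROM sys.server_role_members AS rm
    UNION ALL
    -- Recursion: a role that is itself a member of another role passes
    -- its parent's grants down to the original login.
    SELECT m.login_id, rm.role_principal_id, m.depth + 1
    FROM RoleMembership AS m
    JOIN sys.server_role_members AS rm
      ON rm.member_principal_id = m.role_id
    WHERE m.depth < 32   -- assumed cap, guards against runaway recursion
)
-- Permissions granted or denied directly to a login (the lab's step 9 query).
SELECT grantee.name      AS login_name,
       grantee.type_desc AS login_type,
       p.permission_name,
       p.state_desc,
       'direct'          AS granted_via
FROM sys.server_permissions AS p
JOIN sys.server_principals  AS grantee
  ON p.grantee_principal_id = grantee.principal_id
WHERE grantee.type IN ('S', 'U', 'G')
UNION ALL
-- Permissions a login inherits because a role it belongs to holds them.
SELECT lg.name, lg.type_desc, p.permission_name, p.state_desc,
       'via role ' + r.name
FROM RoleMembership AS m
JOIN sys.server_principals  AS lg ON lg.principal_id = m.login_id
JOIN sys.server_principals  AS r  ON r.principal_id  = m.role_id
JOIN sys.server_permissions AS p  ON p.grantee_principal_id = r.principal_id
WHERE lg.type IN ('S', 'U', 'G')
  AND r.type = 'R'   -- R = server role
ORDER BY login_name, permission_name;
```

After step 24 of this lab the query returns a row for User1 with permission ALTER SERVER STATE and granted_via "via role DatabaseTuner" as soon as step 31 adds the membership. Two caveats when using it for documentation: the permissions of the fixed server roles (sysadmin, serveradmin and so on) are implicit and are not stored in sys.server_permissions, so fixed-role members must still be enumerated separately, for example with IS_SRVROLEMEMBER; and when one row shows GRANT and another DENY for the same login and permission, the DENY wins at authorization time.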
Test existing permissions of the User1 login
26. In the Object Explorer pane, in the Connect list, select Database Engine.
27. Connect to the SQLDENALI01\INSTANCE2 instance with SQL Server Authentication and the User1 login that you created above, using the password pass@word1. You will now have two connections to the SQLDENALI01\INSTANCE2 instance. (You may want to expand the Object Explorer pane so you can see which login is being used.)
28. Right-click the second connection for SQLDENALI01\INSTANCE2 (the User1 connection) and select New Query.
29. In the query window, attempt to run the following T-SQL command:

    DBCC FREEPROCCACHE;
Even though the login has the rights to use the AdventureWorks database, it does not have the server-level rights necessary to run the DBCC command. This can be a problem for administrators who want to give database developers the rights to tune queries (DBCC FREEPROCCACHE is an important part of query tuning) but do not want to give them elevated permissions at the server level.
Assign the User1 Login to the DatabaseTuner Server Role
30. In the Object Explorer pane, right-click the first connection to SQLDENALI01\INSTANCE2 (the SQLAdmin01 connection), and then click New Query.
31. In the query window, run the following T-SQL command:

    ALTER SERVER ROLE [DatabaseTuner] ADD MEMBER [User1];
32. Switch back to the query window that contains the failed DBCC command execution.
33. Run the DBCC FREEPROCCACHE command again, and note the successful execution.

Unlike groups in Windows Server, SQL Server roles do not assign a token to the user at logon, so there is no need to log off and back on when the role membership changes. SQL Server performs the authorization check at the time the access is requested, and if the user holds the required permissions, the command will run successfully.

34. Close SQL Server Management Studio.
35. Log off the SQLDENALI01 virtual machine.
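Steps 20 through 33 are done through the Management Studio dialogs. As an added example that is not the lab's own script, the following T-SQL performs the same procedure (create the login and role, grant the single permission, add the member) and verifies the effect from the login's own security context, which shows the point made above: the new membership is honored on the next authorization check without a reconnect. The names DatabaseTuner, User1 and pass@word1 are the lab's; the existence checks, the HAS_PERMS_BY_NAME and fn_my_permissions probes, and the assumption that it is run from the SQLAdmin01 (sysadmin) connection are this example's.

```sql
-- Added example (not part of the lab manual). Run from the SQLAdmin01
-- connection: EXECUTE AS LOGIN needs IMPERSONATE on the target login,
-- which a sysadmin member has.

-- 1. The login from steps 10-18 (skipped if the GUI already created it).
IF SUSER_ID('User1') IS NULL
    CREATE LOGIN [User1] WITH PASSWORD = 'pass@word1';

-- 2. The user-defined server role from steps 20-24, holding exactly the one
--    server-level permission DBCC FREEPROCCACHE requires (least privilege).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = 'DatabaseTuner' AND type = 'R')
    CREATE SERVER ROLE [DatabaseTuner];
GRANT ALTER SERVER STATE TO [DatabaseTuner];

-- 3. Check from User1's context: before membership the permission is
--    not effective (HAS_PERMS_BY_NAME with NULL securable = the server).
EXECUTE AS LOGIN = 'User1';
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SERVER STATE') AS has_alter_server_state;
REVERT;

-- 4. Step 31: add the member. No token is issued at logon, so this takes
--    effect on the very next authorization check.
ALTER SERVER ROLE [DatabaseTuner] ADD MEMBER [User1];

-- 5. Same check again, plus the full effective server-permission list,
--    which now contains ALTER SERVER STATE next to the automatic CONNECT SQL.
EXECUTE AS LOGIN = 'User1';
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SERVER STATE') AS has_alter_server_state;
SELECT permission_name FROM fn_my_permissions(NULL, 'SERVER');
DBCC FREEPROCCACHE;   -- step 33, now succeeds in User1's context
REVERT;

-- 6. Why step 25 showed nothing new: the grant belongs to a principal of
--    type R, which the step 9 filter (S, U, G) excludes.
SELECT sp.name, sp.type_desc, p.permission_name, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals  AS sp ON sp.principal_id = p.grantee_principal_id
WHERE sp.type = 'R' AND sp.is_fixed_role = 0;
```

The two HAS_PERMS_BY_NAME probes return 0 before the ALTER SERVER ROLE statement and 1 after it, from the same session, which is the behaviour the lab demonstrates with two Management Studio connections. Keeping the grant on the role rather than on the login is what makes the last query a usable inventory: every non-fixed role and its rights can be listed in one place, which is the documentation the text above asks for.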
Review

In this exercise you examined the current server-level rights that are assigned to server principals. You then created a new SQL Server login and a server-level role. You attempted to run a common DBCC command while logged in as the new login. Finally, you assigned the login to the user-defined role and ran the DBCC command successfully.