Security.sql in SQL Server 2005- All others SQL Server 2005 Script have moved to Article under SQL Server

<< MaiJohnsworkandfamilyGallery | Home | What is Atlas? >>

Posted on Tuesday, June 27, 2006 4:54 PM

-------------------------

-- *** Windows Logins ***

-- **********************

-- This code assumes that JoeAppdev and JaneAppdev already exist as a Windows login

-- Add a Windows login to SQL Server

-- Note that the brackets are required for a Windows login

CREATE

USE

CREATE

WITH DEFAULT_SCHEMA = Production

-- Or, rename the user in the database

DROP

CREATE

-- Alter the login to add a default schema

ALTER

WITH DEFAULT_SCHEMA = Production

-- Add one of the built-in Windows groups

CREATE

-- *** SQL Server Logins ***

-- *************************

CREATE

USE

CREATE

WITH DEFAULT_SCHEMA = HumanResources

-- Or, rename the user in the database

DROP

CREATE

WITH DEFAULT_SCHEMA = HumanResources

-- *** Password Policies ***

-- *************************

-- Requires that SQL Server be running on Windows Server 2003 or later

-- and that password policies be enabled in Local Security Settings.

USE

CREATE

ALTER

CHECK_EXPIRATION = OFF, CHECK_POLICY = OFF

ALTER

-- *** Authorization ***

*********************

-- *** Server Roles

-- Add login Topaz to the sysadmin role

sp_addsrvrolemember

'Topaz', 'sysadmin'

-- Get a list of all server roles

EXEC

sp_helpsrvrole

-- Get the description of a single server role

EXEC

-- Get list of members of the diskadmin role

EXEC

-- *** Database roles

/*** Execution Context

**********************/

-- Execution Context Sample

-- *** Create the database for this demo ***

USE

CREATE

USE

-- Create the users

CREATE

-- Create the schemas

CREATE

-- Create a table and a proc in different schemas to ensure that

-- there is no ownerhship chaining.

CREATE

TABLE SchemaUserTable.Vendor (ID int, name varchar(50), state char(2), phno char(12))

INSERT

INTO SchemaUserTable.Vendor VALUES (1,'Vendor1','AK','123-345-1232')

INSERT

INTO SchemaUserTable.Vendor VALUES (2,'Vendor2','WA','454-765-3233')

INSERT

INTO SchemaUserTable.Vendor VALUES (3,'Vendor3','OR','345-776-3433')

INSERT

INTO SchemaUserTable.Vendor VALUES (4,'Vendor4','AK','232-454-5654')

INSERT

INTO SchemaUserTable.Vendor VALUES (5,'Vendor5','OR','454-545-5654')

INSERT

INTO SchemaUserTable.Vendor VALUES (6,'Vendor6','HI','232-655-1232')

INSERT

INTO SchemaUserTable.Vendor VALUES (7,'Vendor7','HI','453-454-1232')

INSERT

INTO SchemaUserTable.Vendor VALUES (8,'Vendor8','WA','555-654-1232')

INSERT

INTO SchemaUserTable.Vendor VALUES (9,'Vendor9','AK','555-345-1232')

-- Create the stored procedure in SchemaUserProc

CREATE

PROC SchemaUserProc.VendorAccessProc @state char(2)

SELECT * FROM SchemaUserTable.Vendor WHERE state = @state

-- Grant permissions on the stored procedure

GRANT

-- *** Ready to test execution context ***

-- Now try and access the proc as RealUser

EXECUTE

AS user = 'RealUser'

EXEC

SchemaUserProc.VendorAccessProc 'AK'

-- The permission is denied on the underlying table.

-- But do not want to have to grant permissions to all callers on the underlying table.

-- Instead have the proc run as UserTable, which has SELECT permissions on the table,

-- since that user owns the schema it is in.

REVERT

-- Alter the procedure with UserTable as the execution context

-- ALTER preserves the permissions on the object

ALTER

PROC SchemaUserProc.VendorAccessProc @state char(2)

WITH

EXECUTE AS 'UserTable'

SELECT * FROM SchemaUserTable.Vendor WHERE state = @state

-- Now try and execute the proc as RealUser

EXECUTE

AS user = 'RealUser'

EXEC

SchemaUserProc.VendorAccessProc 'AK'

REVERT

-- Clean up

USE

DROP

/*** Metadata Security

**********************/

USE

CREATE

-- Use the database of your choice

USE

CREATE

EXECUTE

AS LOGIN = 'User1'

SELECT

-- Because the user has no permissions in the database, no rows are returned

* FROM sys.objects

REVERT

-- Give User1 rights to a table and stored procedure

GRANT

-- Execute again as User1

EXECUTE

AS LOGIN = 'User1'

SELECT

-- Attempt to drop a table in the database

-- Throws an error that doesn't confirm the existence of the table

* FROM sys.objects

DROP

REVERT

-- Clean up

DROP

USE

DROP

LOGIN User1 master USER User1 TABLE Production.Product EXECUTE ON dbo.uspGetBillOfMaterials TO User1 SELECT ON Person.Contact TO User1 USER User1 AdventureWorks master DATABASE ExecuteContextDB LOGIN RealUser LOGIN UserTable LOGIN UserProc master EXECUTE ON SchemaUserProc.VendorAccessProc TO RealUser SCHEMA SchemaUserTable AUTHORIZATION UserTable SCHEMA SchemaUserProc AUTHORIZATION UserProc USER RealUser USER UserTable USER UserProc ExecuteContextDB DATABASE ExecuteContextDB master sp_helpsrvrolemember securityadmin sp_helpsrvrole securityadmin LOGIN Topaz WITH PASSWORD = 'Bo3EXNWJ#N6ndg5' UNLOCK

-- Unlock after too many unsuccessful login attempts

master USER TopazD FOR LOGIN Topaz USER Topaz USER Topaz FOR LOGIN Topaz AdventureWorks USER Jane USER Jane FOR LOGIN [Home\Mhn002AppDev] USER [Home\Mhn002AppDev] USER [Home\Mhn002AppDev] FOR LOGIN [Home\Mhn002AppDev] AdventureWorks

One Comment

Comments

# re: Security.sql in SQL Server 2005

Security are our future computing...thanks!!

Left by Todd Dawnson on 6/29/2006 6:56 PM

Leave Your Comment

Title*
Name*
Email (never displayed): (will show your gravatar)
Url
Comment*
Please add 7 and 5 and type the answer here: Enter the code shown above:

Geekette Mai

Blog

Twitter

Comments

Leave Your Comment

Preview Your Comment.