Professional Documents
Culture Documents
Security
Endpoints
A SQL Server endpoint is the point of entering into SQL Server.
It is implemented as a database object that defines the ways and
means in which SQL Server may communicate over the network.
An endpoint has a transport, (either HTTP or TCP).
You also specify a 'payload', which is one of TSQL, Service_Broker,
Database_Mirroring, or SOAP.
SOAP must use HTTP, and the others must use TCP.
The endpoints, other than TSQL, have a number of special-purpose
properties that define the way that the service using them
communicates, and operates.
Endpoints can be created and managed and dropped with CREATE
ENDPOINT, ALTER ENDPOINT and DROP ENDPOINT statements.
More on endpoints
CREATE ENDPOINT [MyFirstUserConnection]
STATE = STARTED
AS TCP
(LISTENER_PORT = 1680, LISTENER_IP =114.221.1.1)
FOR TSQL() ;
Permission to connect to the default System endpoints is
implicitly granted to users when logins are created.
To see the list of endpoints
• SELECT * FROM sys.endpoints
Endpoint categories
sys.endpoints All endpoints and all generic properties
sys.database_mirroring_endpoints The Database Mirroring endpoints
sys.service_broker_endpoints The Service Broker endpoints
Note that server logins are mapped to server securables, while database
login are mapped to database objects
Schemas
The first layer of grouping database object
for security related management
A database object is referred in four levels:
Server.database.sechema.object
Schemas are containers to organize objects
to simplify granting permissions as opposed
to the earlier notion of owner.
SQL Server & Database Objects
Server logins (both Windows and Server)
can have permissions to the followings
• Servers, Endpoints, and Logins
A database object can have permissions to
Table Type
View Rule
Function Default
Procedure Synonym
Queue Aggregate
......
Role based Access
Same ideas as Groups in Active Directory
Build In Server Roles
• Table 9.2 page 356
Build in Database Roles
• Table 9.3 page 357
Build in Server Roles
Sysadmin
• to perform any task in SQL Server, DBA only
Serveradmin
• can set serverwide configuration options, such as how much memory SQL Server
can use or how much information to send over the network in a single frame, or
even shut down the server.
Setupadmin
• can install replication and manage extended stored procedures
Securityadmin
• manage security issues such as creating and deleting logins, reading
• the audit logs, and granting users permission to create databases
Processadmin
• can end (kill) a process, good for developers to be in
Dbcreator
• can create and make changes to databases
Diskadmin
• manage files on disk. They perform actions such as mirroring databases and adding
backup devices
Bulkadmin
• can execute the BULK INSERT statement
built-in database roles
These are built-in to each database:
• Db_owner
• Db_accessadmin
• Db_datareader
• Db_datawriter
• Db_ddladmin
• Db_securityadmin
• Db_backupoperator
• Db_denydatareader
• Db_denydatawriter
• Public
Application Roles
This is a special role that must be activated
using a password
It is designed to force users to use a specific
application to access data
The activation code can be hardwired into
your custom applications
It does not contain any users
Ownership Chains
When a user queries a view, or executes a stored
procedure, SQL Server checks the owner of the
underlying object
If the owners are the same, only permissions on
the queried object are verified
If they are different, permissions on both objects
are verified and honored with the lesser of the two
• This is called a broken ownership chain