Transcript No Slide Title

Chapter 17
How to manage
database security
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 1
Objectives
Applied
 Given the specifications for a new user’s security permissions,
write the Transact-SQL statements that create the new user and
grant the security permissions.
 Given the specifications for a new user’s security permissions, use
the Management Studio to create the new user and grant the
security permissions.
 Given the specifications for a set of security permissions, write the
Transact-SQL statements to create a new role and assign users or
groups to it.
 Given the specifications for a set of security permissions, use the
Management Studio to create a new role and assign users or
groups to it.
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 2
Objectives (continued)
 Use system stored procedures or the Management Studio to add
users to the fixed server roles or to add users and roles to the fixed
database roles.
Knowledge
 Identify the two ways that SQL Server can authenticate a login
ID.
 Identify the two SQL Server authentication modes.
 Describe these terms: principals and securables.
 Describe the difference between an object permission and a
database permission.
 Describe the guidelines for a strong password.
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 3
Objectives (continued)
 Describe what a user can do when given any of the standard
permissions for a SQL Server object: Select, Update, Insert,
Delete, Executive, and References.
 Describe the difference between a denied permission and a
revoked permission.
 Describe the two types of fixed roles provided by SQL Server:
fixed server roles and fixed database roles.
 Describe the use of application roles.
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 4
How users gain access to a SQL Server database
Database
Users
Connection and Login
Windows authentication
(uses Windows login ID)
User
Security
Permission
Schema
Object
Or
Group
User
Murach’s SQL Server 2008, C17
SQL Server authentication
(uses SQL Server login ID)
Role Permission
© 2008, Mike Murach & Associates, Inc.
Specific SQL
DDL statement
Slide 5
Two ways to configure SQL Server security
Method
Transact-SQL
Description
Use Transact-SQL statements to manage login
IDs, database users, permissions, and roles.
Management Studio Use the Management Studio to configure all
aspects of system security.
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 6
An introduction to SQL Server security
 Typically, a network user must log on to the network at a PC
using a login ID and password.
 If the client PC uses Windows, SQL Server can use the Windows
login ID defined for the user. If the client PC doesn’t use
Windows, you can create a separate SQL Server login ID.
 Once a user is logged on to SQL Server, the security configuration
determines which database objects the user can work with and
which SQL statements the user can execute.
 Permissions determine the actions a user can take. Object
permissions determine what actions a user can take on a specific
database object. Database permissions determine what actions a
user can take on a database.
 A role is a collection of permissions that you can assign to a user
by assigning the user to that role.
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 7
An introduction to SQL Server security (cont.)
 You can create a collection of users in Windows called a group.
Then you can assign permissions and roles either to individual
users or to a group of users.
 The users, groups, and roles that have access to a server are called
principals.
 The entities that can be secured on a server, including the server
itself, are called securables.
 If you need to set up a new system with many users, it’s often
easier to code SQL scripts using the SQL security statements. The
Management Studio is better for making changes to an existing
system or for setting up a small system.
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 8
The Security tab of the Properties dialog box
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 9
The two SQL Server authentication modes
Mode
Description
Windows Authentication mode Only Windows authentication is
allowed. This is the default.
Mixed mode
Both Windows authentication and
SQL Server authentication are
allowed. To use this mode, select the
SQL Server and Windows
Authentication Mode option.
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 10
The syntax of the CREATE LOGIN statement
For Windows authentication
CREATE LOGIN login_name FROM WINDOWS
[WITH [DEFAULT_DATABASE = database]
[, DEFAULT_LANGUAGE = language]]
For SQL Server authentication
CREATE LOGIN login_name
WITH PASSWORD = 'password' [MUST_CHANGE]
[, DEFAULT_DATABASE = database]
[, DEFAULT_LANGUAGE = language]
[, CHECK_EXPIRATION = {ON|OFF}
[, CHECK_POLICY = {ON|OFF}
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 11
A statement that creates a new login ID from a
Windows account
CREATE LOGIN [Accounting\SusanRoberts] FROM WINDOWS
A statement that creates a new SQL Server
login ID
CREATE LOGIN JohnDoe WITH PASSWORD = 'pt8806FG$B',
DEFAULT_DATABASE = AP
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 12
Guidelines for strong passwords
 Cannot be blank or null or the values “Password”, “Admin”,
“Administrator”, “sa”, or “sysadmin”
 Cannot be the name of the current user or the machine name
 Must contain more than 8 characters
 Must contain at least three of following: uppercase letters,
lowercase letters, numbers, and non-alphanumeric characters (#,
%, &, etc.)
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 13
The syntax of the DROP LOGIN statement
DROP LOGIN login_name
The syntax of the ALTER LOGIN statement
For Windows authentication
ALTER LOGIN login_name {{ENABLE|DISABLE}|WITH
[NAME = login_name]]
[, DEFAULT_DATABASE = database]
[, DEFAULT_LANGUAGE = language]}
For SQL Server authentication
ALTER LOGIN login_name {{ENABLE|DISABLE}|WITH
[PASSWORD = 'password'
[OLD_PASSWORD = 'oldpassword']
[MUST_CHANGE]]
[, NAME = login_name]
[, DEFAULT_DATABASE = database]
[, DEFAULT_LANGUAGE = language]
[, CHECK_EXPIRATION = {ON|OFF}
[, CHECK_POLICY = {ON|OFF}}
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 14
Statements that use the ALTER LOGIN and DROP
LOGIN statements
A statement that changes the password for a SQL Server
login ID
ALTER LOGIN JohnDoe WITH PASSWORD = 'lg22A%G45x'
A statement that disables a Windows login ID
ALTER LOGIN [Accounting\SusanRoberts] DISABLE
A statement that changes a login name
ALTER LOGIN JohnDoe WITH NAME = JackWilliams
A statement that deletes a SQL Server login ID
DROP LOGIN JackWilliams
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 15
The syntax of the CREATE USER statement
CREATE USER user_name
[{FOR|FROM} LOGIN login_name]
[WITH DEFAULT_SCHEMA = schema_name]
The syntax of the ALTER USER statement
ALTER USER user_name WITH
[NAME = new_user_name]
[, DEFAULT_SCHEMA = schema_name]
The syntax of the DROP USER statement
DROP USER user_name
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 16
Working with database users: A statement that…
Creates a database user with the same name as a login ID
CREATE USER JohnDoe
Creates a database user for a Windows user account
CREATE USER SusanRoberts FOR LOGIN
[Accounting\SusanRoberts]
Creates a database user and assigns a default schema
CREATE USER SusanRoberts FOR LOGIN
[Accounting\SusanRoberts]
WITH DEFAULT_SCHEMA = Accounting
Changes a user name
ALTER USER SusanRoberts WITH NAME = SusanStanley
Assigns a default schema to a user
ALTER USER JohnDoe WITH DEFAULT_SCHEMA = Marketing
Deletes a database user
DROP USER JohnDoe
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 17
The syntax of the CREATE SCHEMA statement
CREATE SCHEMA schema_name [AUTHORIZATION owner_name]
[table_definition]...
[view_definition]...
[grant_statement]...
[revoke_statement]...
[deny_statement]...
The syntax of the ALTER SCHEMA statement
ALTER SCHEMA schema_name TRANSFER securable_name
The syntax of the DROP SCHEMA statement
DROP SCHEMA schema_name
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 18
Statements that work with schemas
A statement that creates a schema
CREATE SCHEMA Accounting
A statement that creates a schema and a table within that
schema
CREATE SCHEMA Marketing
CREATE TABLE Contacts
(ContactID
INT
ContactName VARCHAR(50)
ContactPhone VARCHAR(50)
ContactEmail VARCHAR(50)
NOT NULL IDENTITY PRIMARY KEY,
NOT NULL,
NULL,
NULL)
A statement that transfers a table from one schema to
another
ALTER SCHEMA Accounting TRANSFER Marketing.Contacts
A statement that deletes a schema
DROP SCHEMA Marketing
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 19
How to grant object permissions
The syntax of the GRANT statement for object
permissions
GRANT {ALL|permission [, ...]}
ON [schema_name.]object_name [(column [, ...])]
TO database_principal [, ...]
[WITH GRANT OPTION]
A GRANT statement that grants SELECT permission for
the Invoices table
GRANT SELECT
ON Invoices
TO [Accounting\SusanRoberts]
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 20
How to revoke object permissions
The syntax of the REVOKE statement for object
permissions
REVOKE [GRANT OPTION FOR] {ALL|permission [, ...]}
ON [schema_name.]object_name [(column [, ...])]
FROM database_principal [, ...]
[CASCADE]
A REVOKE statement that revokes SELECT permission
REVOKE SELECT
ON Invoices
FROM [Accounting\SusanRoberts]
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 21
The standard permissions for SQL Server objects
Permission Lets the user…
SELECT
Select the data.
UPDATE
INSERT
DELETE
EXECUTE
REFERENCES
ALL
Applies to
Tables, views, table-valued
functions
Update existing data. Tables, views, table-valued
functions
Insert new data.
Tables, views, table-valued
functions
Delete existing data. Tables, views, table-valued
functions
Execute a procedure Stored procedures, scalar and
or function.
aggregate functions
Create objects that
Tables, views, functions
refer to the object.
Have all applicable Tables, views, stored
object permissions. procedures, functions
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 22
A GRANT statement that grants permission to run
action queries
GRANT INSERT, UPDATE, DELETE
ON Invoices
TO [Accounting\SusanRoberts]
A REVOKE statement that revokes the DELETE
permission
REVOKE DELETE
ON Invoices
FROM [Accounting\SusanRoberts]
A GRANT statement that grants permission to
execute a stored procedure
GRANT EXECUTE
ON spInvoiceReport
TO [Payroll\MarkThomas], JohnDoe, TomAaron
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 23
A REVOKE statement that revokes all permissions
for the Vendors table
REVOKE ALL
ON Vendors
FROM [Payroll\MarkThomas]
A GRANT statement that grants SELECT
permission to specific columns
GRANT SELECT
ON Vendors (VendorName,VendorAddress1,VendorCity,
VendorState,VendorZipCode)
TO TomAaron, [Payroll\MarkThomas]
A GRANT statement that grants REFERENCES
permission to the Contacts table in the
Accounting schema
GRANT REFERENCES
ON Accounting.Contacts
To JohnDoe
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 24
How to grant schema permissions
The syntax of the GRANT statement for schema
permissions
GRANT permission [, ...]
ON SCHEMA :: schema_name
TO database_principal [, ...]
[WITH GRANT OPTION]
A GRANT statement that grants UPDATE permission for
the Accounting schema
GRANT UPDATE
ON SCHEMA :: Accounting
TO JohnDoe
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 25
How to revoke schema permissions
The syntax of the REVOKE statement for schema
permissions
REVOKE [GRANT OPTION FOR] permission [, ...]
ON SCHEMA :: schema_name
FROM database_principal [, ...]
[CASCADE]
A REVOKE statement that revokes UPDATE permission
REVOKE UPDATE
ON SCHEMA :: Accounting
FROM JohnDoe
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 26
How to grant database permissions
The syntax of the GRANT statement for database
permissions
GRANT {ALL|permission [, ...]}
TO database_principal [, ...]
[WITH GRANT OPTION]
A GRANT statement that gives permission to create views
GRANT CREATE VIEW
TO JohnDoe, [Accounting\SusanRoberts]
A GRANT statement that gives permission to use all
statements
GRANT ALL
TO [Payroll\MarkThomas]
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 27
How to revoke database permissions
The syntax of the REVOKE statement for database
permissions
REVOKE {ALL|permission [, ...]}
FROM database_principal [, ...]
[CASCADE]
A REVOKE statement that revokes permission to create
databases and tables
REVOKE CREATE DATABASE, CREATE TABLE
FROM [Administration\SylviaJones]
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 28
Some of the permissions that can be explicitly
permitted
CREATE
CREATE
CREATE
CREATE
CREATE
CREATE
DATABASE
TABLE
VIEW
PROCEDURE
FUNCTION
SCHEMA
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 29
How to assign a user to a server role
The syntax for sp_AddSrvRoleMember
sp_AddSrvRoleMember [@loginame = ] 'login_ID',
[@rolename = ] 'server_role_name'
A statement that assigns a user to a server role
EXEC sp_AddSrvRoleMember JohnDoe, sysadmin
How to remove a user from a server role
The syntax for sp_DropSrvRoleMember
sp_DropSrvRoleMember [@loginame = ] 'login_ID',
[@rolename = ] 'server_role_name'
A statement that removes a user from a server role
EXEC sp_DropSrvRoleMember JohnDoe, sysadmin
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 30
Some of the SQL Server fixed server roles
Role
sysadmin
securityadmin
dbcreator
Murach’s SQL Server 2008, C17
Description
Can perform any activity on the server. By default,
all members of the Windows BUILTIN\
Administrators group are members of the this role.
Can manage login IDs and passwords for the
server and can grant, deny, and revoke database
permissions.
Can create, alter, drop, and restore databases.
© 2008, Mike Murach & Associates, Inc.
Slide 31
How to assign a user to a database role
The syntax for sp_AddRoleMember
sp_AddRoleMember [@rolename = ] 'database_role_name',
[@membername = ] 'security_account'
A statement that assigns a user to a database role
EXEC sp_AddRoleMember db_owner, JohnDoe
How to remove a user from a database role
The syntax for sp_DropRoleMember
sp_DropRoleMember [@rolename = ] 'database_role_name',
[@membername = ] 'security_account'
A statement that removes a user from a database role
EXEC sp_DropRoleMember db_owner, JohnDoe
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 32
The SQL Server fixed database roles
Role
db_owner
db_accessadmin
db_securityadmin
db_ddladmin
db_datawriter
db_datareader
Murach’s SQL Server 2008, C17
Description
Has all permissions for the database.
Can add or remove login IDs for the database.
Can manage object permissions, database
permissions, roles, and role memberships.
Can issue all DDL statements except GRANT,
REVOKE, and DENY.
Can insert, delete, or update data from any user
table in the database.
Can select data from any user table in the
database.
© 2008, Mike Murach & Associates, Inc.
Slide 33
The SQL Server fixed database roles (cont.)
Role
db_denydatawriter
Description
Can’t insert, delete, or update data from any
user table in the database.
db_denydatareader Can’t select data from any user table in the
database.
db_backupoperator Can backup the database and run consistency
checks on the database.
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 34
The syntax of the CREATE ROLE statement
CREATE ROLE role_name [AUTHORIZATION owner_name]
The syntax of the DROP ROLE statement
DROP ROLE role_name
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 35
Statements that work with user-defined roles
A statement that creates a new user-defined role
CREATE ROLE InvoiceEntry
Statements that grant permissions to the new role
GRANT INSERT, UPDATE
ON Invoices
TO InvoiceEntry
GRANT INSERT, UPDATE
ON InvoiceLineItems
TO InvoiceEntry
Statements that assign users to the new role
EXEC sp_AddRoleMember InvoiceEntry, JohnDoe
EXEC sp_AddRoleMember InvoiceEntry,
[Accounting\SusanRoberts]
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 36
Statements that work with user-defined roles
(cont.)
A statement that assigns the new role to a fixed database
role
EXEC sp_AddRoleMember db_datareader, InvoiceEntry
Statements that delete the new role
EXEC sp_DropRoleMember InvoiceEntry, JohnDoe
EXEC sp_DropRoleMember InvoiceEntry,
[Accounting\SusanRoberts]
DROP ROLE InvoiceEntry
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 37
How to display database role information
The syntax for sp_HelpRole
sp_HelpRole [[@rolename = ] 'database_role_name']
A statement that lists the roles for the current database
EXEC sp_HelpRole
The response from the system
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 38
How to display role member information
The syntax for sp_HelpRoleMember
sp_HelpRoleMember [[@rolename = ] 'role_name']
A statement that lists the members of the InvoiceEntry
role
EXEC sp_HelpRoleMember InvoiceEntry
The response from the system
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 39
The syntax of the DENY statement for object
permissions
DENY {ALL|permission [, ...]}
ON [schema_name.]object_name [(column [, ...])]
TO database_principal [, ...]
[CASCADE]
The syntax of the DENY statement for schema
permissions
DENY permission [, ...]
ON SCHEMA :: schema_name
TO database_principal [, ...]
[CASCADE]
The syntax of the DENY statement for database
permissions
DENY {ALL|permission [, ...]}
TO database_principal [, ...]
[CASCADE]
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 40
A script that assigns membership to the
InvoiceEntry role
EXEC sp_AddRoleMember InvoiceEntry, MartinRey
A SELECT statement entered by the user
SELECT * FROM GLAccounts
The response from the system
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 41
A script that denies SELECT permission to
GLAccounts
DENY SELECT
ON GLAccounts
TO MartinRey
A SELECT statement entered by the user
SELECT * FROM GLAccounts
The response from the system
Server: Msg 229, Level 14, State 5, Line 1
SELECT permission denied on object 'GLAccounts',
database 'AP', schema 'dbo'.
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 42
SQL statements for working with application roles
The syntax of the CREATE APPLICATION ROLE
statement
CREATE APPLICATION ROLE role_name
WITH PASSWORD = 'password'
[, DEFAULT_SCHEMA = schema_name]
The syntax of the DROP APPLICATION ROLE statement
DROP APPLICATION ROLE role_name
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 43
System stored procedures for working with
application roles
The syntax for sp_SetAppRole
sp_SetAppRole [@rolename = ] 'role_name',
[@password = ] 'password'
[, [@fCreateCookie = ] {True|False}]
[, [@cookie = ] @cookie OUTPUT]
The syntax for sp_UnsetAppRole
sp_UnsetAppRole @cookie
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 44
Statements that work with application roles
A statement that creates a new application role
CREATE APPLICATION ROLE AppInvoiceQuery
WITH PASSWORD = 'appqrypw'
A statement that adds permissions to the
new application role
GRANT SELECT
ON Invoices
TO AppInvoiceQuery
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 45
A script that tests the application role
SELECT * FROM Invoices
EXEC sp_SetAppRole AppInvoiceQuery, appqrypw
SELECT * FROM Invoices
The response from the system
Server: Msg 229, Level 14, State 5, Line 1
SELECT permission denied on object 'Invoices',
database 'AP', owner 'dbo'.
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 46
The General page of the Login - New dialog box
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 47
The General page of the Login Properties box
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 48
How to change properties for an existing login ID
 Right-click the login ID in the Object Explorer and select
Properties to display the Login Properties dialog box.
 If the login ID uses SQL Server authentication, you can change
the user’s password and login options from the General page of
this dialog box. For either SQL Server or Windows
authentication, you can set the default database and language. You
can’t switch the authentication of an existing user.
 You can use the options on the Status page to deny or grant a
login ID permission to connect to SQL Server. You can also
disable or enable a login ID.
How to delete a login ID
 Right-click the login ID in the Object Explorer, select Delete, and
click the OK button in the Delete Object dialog box.
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 49
The dialog boxes for working with server roles
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 50
How to work with server roles for a login ID
 Display the Login Properties dialog box and then display the
Server Roles page. The roles that the login ID is currently
assigned to are checked in the list that’s displayed.
 To add or remove a login ID from a server role, select or deselect
the role.
How to work with the login IDs assigned to a role
 Expand the Server Roles folder in the Object Explorer, then rightclick the role and select Properties to display the Server Role
Properties dialog box.
 To add a login ID to the role, click the Add button and select the
login ID from the dialog box that’s displayed.
 To remove a login ID, highlight the login ID and then click the
Remove button.
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 51
The User Mapping page of the Login Properties
dialog box
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 52
How to grant or revoke database access for a user
 Display the User Mapping page of the Login Properties dialog
box. Then, select or deselect the Map check box for that database.
 When you grant access, the user name for the database user is
automatically set to the login ID. If you want to use a different
name, change the name in the User column. If the database user
doesn’t already exist, it’s created.
 By default, the default schema for a user is set to dbo. If you want
to specify a different schema, click the button with the ellipsis on
it in the Default Schema column and select the schema from the
dialog box that’s displayed.
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 53
How to add or remove a user from a database role
 If the user has access to a database, you can add or remove the
user from the database roles for that database. To do that,
highlight the database to display the database roles in the lower
portion of the dialog box. Then, select or deselect the roles.
 You can also set role memberships for a user from the Database
User dialog box.
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 54
The General tab of the Database User dialog box
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 55
The Securables page of the Database User box
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 56
The Permissions page of the Schema Properties
dialog box
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 57
How to assign permissions to the objects in a
schema
 To display the Schema Properties dialog box, expand the Security
and Schemas folders for the database and then right-click the
schema and select Properties.
 Display the Permissions page, then click the Add button and select
the users and roles you want to work with. Use the Remove button
to remove the highlighted user or role.
 Highlight a user or role and then select the appropriate Grant,
With Grant, and Deny options to grant permissions to a schema,
allow the user to grant other users the same permissions, revoke
permissions, or deny permissions.
 To display the combination of the permissions granted with this
dialog box and permissions granted through roles to a schema,
click the Effective Permissions button.
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 58
How to create a new schema
 Right-click the Schemas folder and select New Schema to open
the Schema - New dialog box. Enter the schema name and,
optionally, the schema owner.
How to delete a schema
 Right-click the schema name and select Delete to display the
Delete Object dialog box. Click the OK button to delete the
schema.
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 59
The General page of the Database Role Properties
dialog box
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 60
How to modify an existing database role
 To display the Database Role Properties dialog box, expand the
Security, Roles, and Database Roles folders for the database,
right-click the role name, and select Properties.
 To add a member to the role, click the Add button and then select
the user or role from the dialog box that’s displayed.
 To delete a member from the role, highlight the name and then
click the Remove button.
 To modify the role permissions, display the Securables page.
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 61
How to create a new database role
 Right-click the Database Roles folder and select New Database
Role to display the Database Role - New dialog box. This dialog
box works just like the one above except it lets you enter a role
name.
How to delete a database role
 Right-click the role in the Object Explorer, select Delete, and click
OK in the dialog box that’s displayed. You must remove all
members from a role before you can delete it.
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 62
The Permissions page of the Database Properties
dialog box
Murach’s SQL Server 2008, C17
© 2008, Mike Murach & Associates, Inc.
Slide 63