Understanding roles in SQL Server security
Logins, Users, and Role
SQL Server has a long list of roles for server, database,
and applications that outline things like permissions,
data selection and modification, and disk management.
Most SQL Server databases have a number of users viewing and
accessing data, which makes security a major concern for the
administrator. The smart administrator will take full advantage of SQL
Server security roles, which grant and deny permissions to groups of users,
greatly reducing the security workload.
The first step in protecting your client’s data is determining which users
need to view which data and then allowing access to only those users. For
example, a payroll clerk probably views salary figures for everyone in your
company while team managers have access to salaries for team members.
Individual employees have no need to view salaries at all.
The benefits of using roles
Roles are a part of the tiered security model:
Login security—Connecting to the server
Database security—Getting access to the database
Database objects—Getting access to individual database objects
and data
First, the user must log in to the server by entering a password. Once
connected to the server, access to the stored databases is determined by
user accounts. After gaining access to an actual database, the user is
restricted to the data he or she can view and modify.
�Role types:
Server roles are maintained by the database administrator (DBA) and apply to the entire server, not
an individual database file. The public role sets the basic default permissions for all users. Every user
that’s added to SQL Server is automatically assigned to the public role—you don’t need to do
anything. Database roles are applied to an individual database.
Predefined database roles:
you may need to create your own, but you have access to several predefined database roles:
db_owner: Members have full access.
db_accessadmin: Members can manage Windows groups and SQL
Server logins.
db_datareader: Members can read all data.
db_datawriter: Members can add, delete, or modify data in the tables.
db_ddladmin: Members can run dynamic-link library (DLL)
statements.
db_securityadmin: Members can modify role membership and
manage permissions.
db_bckupoperator: Members can back up the database.
db_denydatareader: Members can’t view data within the database.
db_denydatawriter: Members can’t change or delete data in tables or
views.
Fixed roles:
The fixed server roles are applied server wide, and there are several
predefined server roles:
SysAdmin: Any member can perform any action on the server.
ServerAdmin: Any member can set configuration options on the
server.
SetupAdmin: Any member can manage linked servers and SQL
Server startup options and tasks.
Security Admin: Any member can manage server security.
ProcessAdmin: Any member can kill processes running on SQL
Server.
DbCreator: Any member can create, alter, drop, and restore
databases.
DiskAdmin: Any member can manage SQL Server disk files.
BulkAdmin: Any member can run the bulk insert command.
