Post on 17-Jan-2016
Module 11
Authorizing Users to Access Resources
Module Overview
• Authorizing User Access to Objects
• Authorizing Users to Execute Code
• Configuring Permissions at the Schema Level
Lesson 1: Authorizing User Access to Objects
• What Are Principals?
• What Are Securables?
• GRANT, REVOKE, DENY
• Securing Tables and Views
• Column-level Security
• WITH GRANT Option
• Demonstration 1A: Authorizing User Access to Objects
What Are Principals?
Server Role
SQL Server Login
Windows Group
Domain User Account
Local User Account
SQL ServerSQL Server
DatabaseDatabase
WindowsWindows
SecurablesPermissions
Principals
User
Database Role
Application Role
What Are Securables?
• Resources that can be secured
• Securables are contained within scopes Server Database Schema
GRANT, REVOKE, DENY
• GRANT is used to assign a permission
• DENY is used to explicitly deny a permission Used where permissions inherited through group or role
membership
Should only be used in exceptional circumstances
• REVOKE removes either a GRANT or a DENY
Securing Tables and Views
• Several object permissions apply to tables and views SELECT INSERT, UPDATE, DELETE REFERENCES
USE MarketDev;GO
GRANT SELECT ON OBJECT::Marketing.Salesperson TO HRApp;GO
GRANT SELECT ON Marketing.Salesperson TO HRApp;GO
USE MarketDev;GO
GRANT SELECT ON OBJECT::Marketing.Salesperson TO HRApp;GO
GRANT SELECT ON Marketing.Salesperson TO HRApp;GO
Column-level Security
• Permissions can be assigned at the column level
• Multiple column permissions can be assigned in a single statement
• A column-level GRANT overrides a table-level DENY
GRANT SELECT ON Marketing.Salesperson ( SalespersonID, EmailAlias) TO James;GODENY SELECT ON Marketing.Salesperson TO Holly;GOGRANT SELECT ON Marketing.Salesperson ( SalespersonID, FirstName, LastName) TO Holly;GO
GRANT SELECT ON Marketing.Salesperson ( SalespersonID, EmailAlias) TO James;GODENY SELECT ON Marketing.Salesperson TO Holly;GOGRANT SELECT ON Marketing.Salesperson ( SalespersonID, FirstName, LastName) TO Holly;GO
WITH GRANT Option
• Permissions granted with the WITH GRANT OPTION can be granted to other principals by the grantee
• CASCADE is used to also revoke permissions granted by the grantee Can apply to DENY also
GRANT UPDATE ON Marketing.Salesperson TO James WITH GRANT OPTION;GO
REVOKE UPDATE ON Marketing.Salesperson FROM James CASCADE;GO
GRANT UPDATE ON Marketing.Salesperson TO James WITH GRANT OPTION;GO
REVOKE UPDATE ON Marketing.Salesperson FROM James CASCADE;GO
Demonstration 1A: Authorizing User Access to Objects
• In this demonstration, you will see: How to view the complete list of server principals
How to view the complete list of database principals
How to grant permissions on a table
How to grant permissions at the column level
Lesson 2: Authorizing Users to Execute Code
• Securing Stored Procedures
• Securing User-defined Functions
• Securing Managed Code
• Managing Ownership Chains
• Demonstration 2A: Authorizing Users to Execute Code
Securing Stored Procedures
• Stored procedures require: EXECUTE permission
before they can be called ALTER permission for
modification VIEW DEFINITION for
documentation access
USE MarketDev;GO
GRANT EXECUTE ON Reports.GetProductColors TO Mod11User;GO
USE MarketDev;GO
GRANT EXECUTE ON Reports.GetProductColors TO Mod11User;GO
Securing User-defined Functions
• Users require EXECUTE permission before using scalar UDFs
• Users require SELECT permission for TVFs
• REFERENCES permission is used for CHECK constraints, DEFAULT values or computed columns
GRANT EXECUTE ON dbo.FormatPhoneNumber TO public;GO
GRANT EXECUTE ON dbo.FormatPhoneNumber TO public;GO
Securing Managed Code
• SQL CLR based code has additional permission requirements above those required for T-SQL code
• CLR assemblies are registered with one of three permission sets: SAFE (the default)
EXTERNAL_ACCESS
UNSAFE
• EXTERNAL_ACCESS and UNSAFE permission sets require additional configuration on the database
Managing Ownership Chains
Demonstration 2A: Authorizing Users to Execute Code
• In this demonstration you will see: How to assign permission to execute stored procedures
How to assign permissions for executing functions
Lesson 3: Configuring Permissions at the Schema Level
• Overview of User-schema Separation
• Object Name Resolution
• Granting Permissions at the Schema Level
• Demonstration 3A: Configuring Permissions at the Schema Level
Overview of User-schema Separation
• Schemas Concept changed in SQL Server 2005 No longer equivalent to database users Containers for database objects Created via CREATE SCHEMA Listed by querying sys.schemas view
• Users have default schemas
• Built-in Schemas dbo guest sys INFORMATION_SCHEMA
Object Name Resolution
• If the schema name is omitted, rules apply to how the name will be resolved Each user has a default schema (does not apply to Windows
groups)
Users with no defined default schema will have dbo as their default schema
First search is in the user's default schema
If not found, the dbo schema is searched also
• Whenever referencing an object in a statement, users should specify both the schema and the object name SELECT ProductID FROM Production.Product
Granting Permissions at the Schema Level
• Instead of assigning individual permissions on tables, views, stored procedures, etc. permissions can be granted at the schema level Applicable to all relevant objects within the schema Easier to manage
USE MarketDev;GOGRANT EXECUTE ON SCHEMA::Marketing TO Mod11User;GOGRANT SELECT ON SCHEMA::DirectMarketing TO Mod11User;GO
USE MarketDev;GOGRANT EXECUTE ON SCHEMA::Marketing TO Mod11User;GOGRANT SELECT ON SCHEMA::DirectMarketing TO Mod11User;GO
Demonstration 3A: Configuring Permissions at the Schema Level
• In this demonstration, you will see how to: Revoke permissions on a stored procedure
Assign EXECUTE permission at the schema level
Assign SELECT permission at the schema level
Explore covering or implied permissions.
Lab 11: Authorizing Users to Access Resources
• Exercise 1: Assign Schema-level Permissions
• Exercise 2: Assign Object-level Permissions
• Challenge Exercise 3: Test Permissions (Only if time permits)
Logon information
Estimated time: 45 minutes
Virtual machine 623XB-MIA-SQL
User name AdventureWorks\Administrator
Password Pa$$w0rd
Lab Scenario
You have created the SQL Server logins and Database users and assigned them to appropriate roles. You now need to grant permissions to the database users and roles so that users can access the resources they need within the MarketDev database, based on the supplied security requirements.
Lab Review
• What makes fixed database roles of limited usefulness for most practical security architectures?
• When should permissions be assigned directly to a user?
Module Review and Takeaways
• Review Questions
• Best Practices