SQL Server Permission Management: 12 Pitfalls and Misconceptions
Transcript of SQL Server Permission Management: 12 Pitfalls and Misconceptions
SQL Server Permission Management
12 Pitfalls & Misconceptions
About Me
Sebastian Meine
Clean Code
SQL Stylist, sqlity.net
Fast Code
Overview
©2011 sqlity.net llc, all rights reserved.
Permission Management: What, When, Why, How
12 P&Ms: Pitfalls and Misconceptions
I. Permission Management - Why?
ALTER SERVER ROLE sysadmin ADD MEMBER [public];
SQL Injection
Excerpted from OWASP Top 10 – 2013 (Page 4)
I. Permission Management - What?
I. Permission Management - When?
After development is done.
Security cannot be an afterthought
I. Permission Management - How?
Permission Management
Statements: GRANT, REVOKE, DENY
Principals: Database Role, Server Role, Application Role
GRANT Statement
GRANT Privilege ON Securable TO Principal;

REVOKE and DENY take the same shape (REVOKE Privilege ON Securable FROM Principal; DENY Privilege ON Securable TO Principal;).

Privilege: SELECT, UPDATE, CREATE, ALTER, CONTROL, …
Securable: Table, Schema, Database, Server, Endpoint, …
Principal: Server Role, Database Role, Application Role, Login, User
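The three-part statement above, worked through as an added example that is not from the slides: it creates each principal type the slide names (login, user, database role, application role), grants at object, schema and server scope, and then reads back what the engine actually recorded. The database name, principal names and passwords are invented placeholders; run it on a disposable instance.

```sql
-- Added example, not part of the deck: GRANT Privilege ON Securable TO Principal
-- exercised against every principal type on the slide. PermDemo, app_svc,
-- data_readers, reporting_app and both passwords are invented placeholders.
USE master;
GO
CREATE DATABASE PermDemo;
GO
USE PermDemo;
GO
CREATE TABLE dbo.Customers (Id int PRIMARY KEY, Name nvarchar(50), Email nvarchar(100));
GO
CREATE SCHEMA reporting;                     -- CREATE SCHEMA must be first in its batch
GO

-- Server-level principal (login) mapped to a database-level principal (user)
CREATE LOGIN app_svc WITH PASSWORD = 'Pl@ceholder-Only-1';
CREATE USER app_svc FOR LOGIN app_svc;
-- Database role as the grantee, so permissions follow the role rather than the person
CREATE ROLE data_readers;
ALTER ROLE data_readers ADD MEMBER app_svc;

-- The same statement shape across three securable classes
GRANT SELECT ON OBJECT::dbo.Customers TO data_readers;       -- table (object securable)
GRANT SELECT, EXECUTE ON SCHEMA::reporting TO data_readers;  -- schema: also covers objects created later
GRANT VIEW SERVER STATE TO app_svc;                          -- server securable, granted to the login

-- Effective permissions as the user would see them
EXECUTE AS USER = 'app_svc';
SELECT HAS_PERMS_BY_NAME('dbo.Customers', 'OBJECT', 'SELECT') AS can_select,  -- 1 (via data_readers)
       HAS_PERMS_BY_NAME('dbo.Customers', 'OBJECT', 'UPDATE') AS can_update;  -- 0
REVERT;

-- What was stored: grantee, state (GRANT/DENY), permission and securable
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name, pe.class_desc,
       CASE pe.class_desc WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_NAME(pe.major_id)
                          WHEN 'SCHEMA'           THEN SCHEMA_NAME(pe.major_id) END AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN ('data_readers', 'app_svc');

-- Application role: a database principal activated with a password instead of a login
CREATE APPLICATION ROLE reporting_app WITH PASSWORD = 'Pl@ceholder-Only-2', DEFAULT_SCHEMA = reporting;
GRANT SELECT ON SCHEMA::reporting TO reporting_app;
DECLARE @cookie varbinary(8000);
EXEC sp_setapprole 'reporting_app', 'Pl@ceholder-Only-2', @fCreateCookie = true, @cookie = @cookie OUTPUT;
SELECT USER_NAME() AS current_context;       -- reporting_app while the role is active
EXEC sp_unsetapprole @cookie;                -- the cookie is the only way back to the original context
```

Granting to the role rather than to app_svc directly is the point of the role line on the slide: when the service account is rotated, only the ALTER ROLE membership changes and the GRANT list stays put. The query against sys.database_permissions is the check to run before trusting a GUI, since it shows the stored state including any DENY that a GRANT cannot override.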
II. 12 Pitfalls & Misconceptions
12 P&Ms
1. REVOKE = DENY
2. ALL PRIVILEGES
3. GRANT on all Columns = GRANT on Table
4. REVOKE un-granted Column Permission
5. REVOKE CONTROL (Non)CASCADE
6. DENY (Non)CASCADE
7. Column GRANT > Table DENY
8. DENY CONTROL
9. Role Ownership Implications
10. CONTROL SERVER Impact on Securable Owner
11. Implicit User Creation Failure
12. Ownership Chaining Quandary
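Three of the pitfalls in the list reproduced end to end, as an added example rather than material from the deck: 1 (REVOKE = DENY), 12 (ownership chaining) and 7 (column GRANT > table DENY). The database, users, role, tables and rows are all invented for the demo, and the numbers in the comments follow the list above.

```sql
-- Added example, not part of the deck: pitfalls 1, 12 and 7 in a throwaway
-- database. PitfallDemo, alice, bob, readers, vault and every row are invented.
USE master;
GO
CREATE DATABASE PitfallDemo;
GO
USE PitfallDemo;
GO
CREATE USER alice WITHOUT LOGIN;      -- login-less users keep the demo inside one database
CREATE USER bob   WITHOUT LOGIN;
CREATE ROLE readers;
ALTER ROLE readers ADD MEMBER alice;
CREATE TABLE dbo.Customers (Id int, Name nvarchar(50), Ssn char(11));
INSERT dbo.Customers VALUES (1, N'Sample', '000-00-0000');   -- constructed row
GO

-- Pitfall 1: REVOKE = DENY. REVOKE removes one explicit entry and nothing more;
-- whatever still arrives through a role (or public) stays in force.
GRANT SELECT ON dbo.Customers TO readers;
GRANT SELECT ON dbo.Customers TO alice;
REVOKE SELECT ON dbo.Customers FROM alice;        -- alice's own GRANT is gone...
EXECUTE AS USER = 'alice';
SELECT HAS_PERMS_BY_NAME('dbo.Customers', 'OBJECT', 'SELECT') AS after_revoke;  -- 1: still via readers
REVERT;
DENY SELECT ON dbo.Customers TO alice;            -- only DENY outranks the role's GRANT
EXECUTE AS USER = 'alice';
SELECT HAS_PERMS_BY_NAME('dbo.Customers', 'OBJECT', 'SELECT') AS after_deny;    -- 0
REVERT;

-- Pitfall 12: ownership chaining. dbo owns both the view and the table, so when
-- alice queries the view the table's permissions are not evaluated at all,
-- and the DENY just issued on the table is bypassed.
GO
CREATE VIEW dbo.CustomerNames AS SELECT Id, Name FROM dbo.Customers;
GO
GRANT SELECT ON dbo.CustomerNames TO alice;
EXECUTE AS USER = 'alice';
SELECT Id, Name FROM dbo.CustomerNames;           -- succeeds despite the table-level DENY
REVERT;
-- The chain breaks as soon as the owners differ: bob owns the base table here.
GO
CREATE SCHEMA vault AUTHORIZATION bob;
GO
CREATE TABLE vault.Secrets (Id int, Value nvarchar(50));
INSERT vault.Secrets VALUES (1, N'constructed');
GO
CREATE VIEW dbo.SecretList AS SELECT Id, Value FROM vault.Secrets;
GO
GRANT SELECT ON dbo.SecretList TO alice;
EXECUTE AS USER = 'alice';
SELECT Id, Value FROM dbo.SecretList;             -- fails: alice also needs SELECT on vault.Secrets
REVERT;

-- Pitfall 7: column GRANT > table DENY. A column-level GRANT is not overridden by
-- a table-level DENY (kept for backward compatibility), so the DENY does not
-- protect the column it appears to protect.
REVOKE SELECT ON dbo.Customers FROM alice;        -- remove the DENY from pitfall 1
REVOKE SELECT ON dbo.Customers FROM readers;      -- and the table-level GRANT, to start clean
GRANT SELECT (Id, Name, Ssn) ON dbo.Customers TO readers;
DENY SELECT ON dbo.Customers TO readers;
EXECUTE AS USER = 'alice';
SELECT Id, Name, Ssn FROM dbo.Customers;          -- still returns the SSN
REVERT;
SELECT state_desc, permission_name, COL_NAME(major_id, minor_id) AS col
FROM sys.database_permissions
WHERE major_id = OBJECT_ID('dbo.Customers');      -- the table DENY and the column GRANTs coexist
```

The practical reading of the three: a REVOKE is a cleanup, not a lock, so use DENY when the intent is to block; a DENY on a table is irrelevant to any dbo-owned view or procedure that reads it, so the access path through views and modules has to be reviewed alongside table permissions; and column-level GRANTs should be listed (the final query) before assuming a table DENY has done its job.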
References
SQL Server Permission Management: 12 P&Ms, http://goo.gl/YhsW1M
Sebastian Meine, SQL Stylist with sqlity.net