Professional Documents
Culture Documents
20764C-ENU-Handbook-Module 02
20764C-ENU-Handbook-Module 02
OF F I C I A L M I C R O S O F T L E A R N I N G P R O D U C T
Contents Part 2 / 15
Module 02: Assigning Server and Database Roles
Module Overview 2-1
Lesson 1: Working with Server Roles 2-2
Lesson 2: Working with Fixed Database Roles 2-6
Lesson 3: User-Defined Database Roles 2-9
Module Overview
Using roles simplifies the management of user permissions. With roles, you can control authenticated users’
access to system resources based on each user’s job function—rather than assigning permissions user-by-user, you
can grant permissions to a role, then make users members of roles.
Microsoft® SQL Server® includes support for security roles defined at server level and at database level.
Objectives
After completing this module, you will be able to:
Describe and use server roles to manage server-level security.
Describe and use fixed database roles.
Use custom database roles and application roles to manage database-level security.
MOC 20764C | Administering a SQL Database Infrastructure | Module 02 –Assigning Server and Database Roles | 2 / 11
Server-Scoped Permissions
Permissions at the server level generally relate to
administrative actions, such as creating databases,
altering logins, or shutting down the server. Some
fundamental permissions, such as CONNECT SQL
(which permits a login to connect to the SQL Server
Database Engine), are also managed at server level.
Server sys.fn_builtin_permissions
SELECT *
FROM sys.fn_builtin_permissions('SERVER')
ORDER BY permission_name;
Server permissions are organized as a hierarchy; when you grant a server-level permission to a server
principal (either a login or a role), this implicitly also grants the child permissions of the granted
permission to the principal.
The topmost node in the hierarchy of server-level permissions (and therefore the server permission that
encompasses all other server permissions) is CONTROL SERVER.
You can visualize the hierarchy of server permissions with the following query:
WITH recCTE
AS
(
SELECT permission_name, covering_permission_name AS parent_permission,
1 AS hierarchy_level
FROM sys.fn_builtin_permissions('SERVER')
WHERE permission_name = 'CONTROL SERVER'
UNION ALL
Server permissions can only be granted to server principals (logins and server roles).
For more information on sys.fn_builtin_permissions, see sys.fn_builtin_permissions (Transact-SQL) in
Microsoft Docs:
Sysadmin This role grants permissions to perform any action on the server. You should
limit membership of this role as far as possible.
Serveradmin This role grants permissions to configure server-wide settings and to shut down
the server.
securityadmin This role grants permissions to manage logins. This includes the ability to create
and drop logins and the ability to assign permissions to logins.
Members of this role can grant and deny server-level permissions to other users
and grant and deny database-level permissions to other users on any database to
which they have access. Because of the ability to assign permissions to other
users, membership of this role should be limited as much as possible. This role
should be treated as equivalent to sysadmin.
processadmin This role grants permissions to terminate sessions running on the SQL Server
instance.
Setupadmin This role grants permissions to manage linked servers.
Bulkadmin This role grants permissions to execute the BULK INSERT statement.
Diskadmin This role grants permissions to manage disk files.
Public Every user is a member of public and this cannot be changed. This role does not
initially grant any administrative permissions. Though you can add permissions to
this role, this is not advisable because the permissions would be granted to every
user.
To keep to the principle of least privilege, you should avoid using fixed server roles as far as possible.
Unless a fixed server role holds exactly the permissions required for a server principal, you should create a
user-defined server role with only the permissions that the principal requires.
The exception to this is the sysadmin role. The CONTROL SERVER permission is not directly equivalent to
membership of the sysadmin role, and there are more than 150 system stored procedures and functions
that explicitly check for membership of sysadmin before executing.
Note: Unlike in some earlier versions of SQL Server, in SQL Server 2017 the
BUILTIN\administrators and Local System (NT AUTHORITY\SYSTEM) accounts are not
automatically added as members of the sysadmin role, although you can add them manually if
required. Note that this does not affect the ability of local administrators to access the database
engine when it is in single-user mode.
To view membership of server-level roles, you can query the sys.server_role_members system view:
Role Membership
SELECT spr.name AS role_name, spm.name AS member_name
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS spr
ON spr.principal_id = rm.role_principal_id
JOIN sys.server_principals AS spm
ON spm.principal_id = rm.member_principal_id
ORDER BY role_name, member_name;
For more information on fixed server roles and the server-level permissions assigned to them, see Server-
Level Roles in Microsoft Docs: Server-Level Roles http://aka.ms/fxwahr
MOC 20764C | Administering a SQL Database Infrastructure | Module 02 –Assigning Server and Database Roles | 5 / 11
When you create a server role, you might optionally define an owner for the role with the
AUTHORIZATION clause. The role owner will have permission to add and remove members from the role.
If you do not explicitly define an owner for the role, the role owner is the server principal executing the
CREATE SERVER ROLE statement.
You can remove a server role with the DROP SERVER ROLE statement.
Managing Permissions
You can grant a user-defined role permission to server-level objects with Transact-SQL using the GRANT,
DENY and REVOKE commands, or through the SSMS GUI.
Granting Server Role Permissions
GRANT ALTER TRACE TO app_admin;
For more information on granting server-level permissions, see GRANT (Transact-SQL) in Microsoft Docs:
GRANT (Transact-SQL) https://aka.ms/Ke2635
Managing Membership
Adding a Login to a Server-Level Role
ALTER SERVER ROLE app_admin
ADD MEMBER [ADVENTUREWORKS\WebAdmins];
Unlike fixed server roles, by default, the members of a user-defined server role do not, have permission to
add other security principals as members of the role.
You can also create hierarchies of role membership by making a user-defined server role a member of
another server role.
Best Practice: It is not recommended that you make user-defined server roles members of
fixed server roles. Doing so will give control over membership of the fixed server role to members
of the user-defined server role, which may lead to unintended escalation of privileges.
To remove a role member, use the ALTER SERVER ROLE statement with the DROP MEMBER clause.
For more information on the ALTER SERVER ROLE statement, see ALTER SERVER ROLE (Transact-SQL) in
Microsoft Docs: ALTER SERVER ROLE (Transact-SQL) http://aka.ms/xutcov
For more information see: CREATE SERVER ROLE (Transact-SQL) http://aka.ms/tuuupj
MOC 20764C | Administering a SQL Database Infrastructure | Module 02 –Assigning Server and Database Roles | 6 / 11
You can view a complete list of database-scoped permissions using the system function
sys.fn_builtin_permissions:
sys.fn_builtin_permissions Database
SELECT *
FROM sys.fn_builtin_permissions('DATABASE')
ORDER BY permission_name;
Like server permissions, database permissions are organized in a hierarchy. The hierarchy has two top- level nodes—
CONTROL, which is the parent node for all other database permissions, and CREATE DATABASE, which has no
children. Although database permissions can only be granted to database principals (users and roles), some server-
level permissions implicitly grant database permissions.
You can visualize the hierarchy of database permissions with the following query. The parent_server_permission
column shows the server-level permission which implicitly grants the database permission:
UNION ALL
db_owner Members of this role have comprehensive rights over the database,
equivalent to the owner of the database. This includes the right to fully
manage the database and also to drop the database, so you must use this
role with caution.
db_securityadmin Members of this role can grant permissions to configure database- wide
settings and role membership.
db_accessadmin Members of this role can manage access to the database by Windows logins,
Windows groups, and SQL Server logins.
db_backupoperator Members of this role can back up the database. Note that this role does
not have the right to restore the database.
db_ddladmin Members of this role can run any Database Definition Language (DDL)
Transact-SQL commands in the database. DDL is the portion of the Transact-
SQL language that deals with creating, altering, and deleting database
objects.
db_datawriter Members of this role can change (INSERT, UPDATE, and DELETE) data in the
database.
db_datareader Members of this role can read data from all database tables.
db_denydatawriter Members of this role cannot change (INSERT, UPDATE, and DELETE) data in
the database.
db_denydatareader Members of this role cannot read data from any database tables.
Public All database users belong to the public role. When a user has no explicit or
inherited permissions on a database object, the permissions granted to
public will be used.
To keep to the principle of least privilege, you should avoid using fixed database roles as far as possible. Unless a
fixed database role holds exactly the permissions needed for a group of database principals, you should create a user-
defined database role with only the permissions the principals require.
Database Role Membership
SELECT rdp.name AS role_name, rdm.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS rdp
ON rdp.principal_id = rm.role_principal_id
JOIN sys.database_principals AS rdm
ON rdm.principal_id = rm.member_principal_id
ORDER BY role_name, member_name;
msdb Fixed Database Roles
The msdb system database contains additional fixed database roles that relate to the administration of SSIS, Data
Collection, Mirroring, Policy-Based Management, and server groups.
master Database Roles in Azure SQL Database
Because you do not have administrative control of server-level objects in Azure SQL Database, the master database
in an Azure SQL Database instance contains two fixed database roles that you can use to grant logins the permission
to create new logins or new databases:
dbmanager. Members of this role in the master database may create, alter, and drop databases on the Azure
SQL Database instance.
loginmanager. Members of this role in the master database may create, alter, and drop logins on the Azure
SQL Database instance.
For more information on see: Database-Level Roles http://aka.ms/q4b8tn
For more information on Controlling and granting database access in the Microsoft Azure documentation:
Controlling and granting database access http://aka.ms/dq8nyh
MOC 20764C | Administering a SQL Database Infrastructure | Module 02 –Assigning Server and Database Roles | 8 / 11
Note that:
You may make a database user or a user-defined database role a member of a database role.
You may not make a fixed database role a member of another database role.
Membership of database roles is limited to database principals. Server principals cannot be made members
of database roles.
For more information on the ALTER ROLE command, see ALTER ROLE (Transact-SQL) in Microsoft Docs:
Database Owner
When discussing database ownership in SQL Server, there are
two related concepts you must understand:
The dbo user.
The db_owner role.
The dbo user has a default schema in the database, also called dbo. Database objects created by members of the
sysadmin fixed server role are added by default to the dbo schema.
Managing Permissions
You may grant user-defined role permissions to database objects with Transact-SQL using the GRANT, DENY and
REVOKE commands or through the SSMS GUI.
In the following example, the SELECT permission on the Production.Product table is granted to the
product_reader role:
For more information on commands used to manage database permissions, see GRANT(Transact-SQL) in Microsoft
Docs: GRANT (Transact-SQL) https://aka.ms/Ke2635
Managing Membership
You can add and remove logins to database-level roles by using SSMS or the ALTER ROLE Transact-SQL statement.
In the following code example, the WebApp user is added to the product_reader role:
Adding a User to a Database-Level Role
You may also create hierarchies of role membership by making a user-defined database role a member of another
database role.
To remove a role member, use the ALTER ROLE statement with the DROP MEMBER clause.
For more information on the ALTER ROLE statement, see ALTER ROLE (Transact-SQL) in Microsoft Docs:
ALTER ROLE (Transact-SQL) http://aka.ms/i5ddak
MOC 20764C | Administering a SQL Database Infrastructure | Module 02 –Assigning Server and Database Roles | 10 / 11
Note: You might consider creating a database role even when the
role will initially have only one member, because you might want to grant
the same permissions to other database principals at a later date.
Note: All the examples in this topic use a role called example_role. The code needed to create this
role is not shown.
Controlling Access to Database Objects
You might want to restrict a group of users to SELECT permissions on a table, or EXECUTE permissions on a stored
procedure. This is a common scenario for application or service accounts.
Database Role—Single Object Permissions
You might grant a role permission on a database schema; the permissions you grant at schema level automatically
apply to all the objects in the schema:
Database Role – Schema Level Permissions
GRANT SELECT ON SCHEMA::Production TO example_role;
GO
You might grant a role permission at database level; the permissions you grant at database level automatically apply
to all the objects in the database:
Database Role – Database Level Permissions
GRANT SELECT ON DATABASE::AdventureWorks TO example_role;
GO
Notes:
When a user activates an application role—using the sp_setapprole system stored procedure—the security
context of the user session is replaced by the application role.
Use a secure network to avoid leaking the application role password.
Because calls to the sp_setapprole stored procedure, sends the password in plain text. you must ensure
that the connection is encrypted—for example, using SSL or IPSec.
Exit application role by closing connection or using sp_unsetapprole (requires stored cookie).
If you don’t store application role cookies and revert to the connection security context using
sp_unsetapprole, applications using an application role must disable connection pooling.
Application roles are database principals that are not linked to a server principal. As a result, application
roles are restricted to the permissions granted to the guest user in other databases on the instance.
In databases where the guest user is disabled (the default behavior), an application role has no access to the
database at all.
sp_setapprole accepts an optional @encrypt = 'odbc' parameter, but this uses an ODBC function
that obfuscates the password rather than truly encrypting it. The ODBC encrypt function is not
supported by the SqlClient library.
Example of when to use Application Roles
You might use an application role if you want to use Windows authentication to give users access to a database, but
do not want to grant them the same permissions as the applications they use.
For example, members of a Windows group use an application that requires full access to tables in the Purchasing
schema. You want the users to be able to access these tables through the application, but do not want them to be
able to execute impromptu SELECT, INSERT and UPDATE statements. An application role provides one method of
achieving this.