惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Secure Thoughts
罗磊的独立博客
T
The Blog of Author Tim Ferriss
人人都是产品经理
人人都是产品经理
博客园 - 叶小钗
Last Week in AI
Last Week in AI
美团技术团队
Google Online Security Blog
Google Online Security Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
D
Docker
G
Google Developers Blog
大猫的无限游戏
大猫的无限游戏
酷 壳 – CoolShell
酷 壳 – CoolShell
小众软件
小众软件
月光博客
月光博客
L
LINUX DO - 最新话题
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
W
WeLiveSecurity
H
Heimdal Security Blog
Vercel News
Vercel News
SecWiki News
SecWiki News
Forbes - Security
Forbes - Security
Blog — PlanetScale
Blog — PlanetScale
Google DeepMind News
Google DeepMind News
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
www.infosecurity-magazine.com
www.infosecurity-magazine.com
TaoSecurity Blog
TaoSecurity Blog
T
Troy Hunt's Blog
A
About on SuperTechFans
C
Check Point Blog
S
Security Affairs
Hacker News - Newest:
Hacker News - Newest: "LLM"
AI
AI
WordPress大学
WordPress大学
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Help Net Security
Help Net Security
博客园_首页
The Last Watchdog
The Last Watchdog
S
SegmentFault 最新的问题
Hugging Face - Blog
Hugging Face - Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
Engineering at Meta
Engineering at Meta
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
I
Intezer
K
Kaspersky official blog
M
MIT News - Artificial intelligence
J
Java Code Geeks
G
GRAHAM CLULEY
P
Palo Alto Networks Blog

博客园 - 天蝎

两岸三地在线编程学习网站 WebinoImageThumb - ZendFramework 2中操作图片的API PHP依赖管理器- Composer Local Temporary Tables and Table Variables Logging with SQL Server SQL Server Database Partitioning Myths and Truths 转载:什么是SHELL 转载:Plan freezing and other plan guide enhancements in SQL Server 2008 - 天蝎 转载:Breaking ownership chaining within a schema in SQL Server 转载:如何正确理解自动化测试技术 存储过程 SOA的设计理念 转载: The DBA as Detective: Troubleshooting Locking and Blocking 转载:锁的概述 Why BCP connects to SQL Server instance which start with account of Network Service fail? Execution plans, estimated vs actual Finding the causes of poor performance in SQL Server Enabling Dedicated Administrator Connection Feature in SQL Server 2008 .net中应用程序域的概念
转载: Microsoft SQL Server roles
天蝎 · 2009-08-20 · via 博客园 - 天蝎

Original link: http://www.mssqlcity.com/Articles/Adm/SQL70Roles.htm


Introduction

Roles are the new SQL Server 7.0 feature, which was not available in the previous versions. SQL Server roles act like Windows NT local groups.

Microsoft SQL Server supports several different types of roles. There are:

  • server roles
  • database roles
  • application roles

    In this article, I want to tell you about each kind of roles, about how you can add new role, how you can drop existing role, how you can return information about the roles, and so on.

    Server Roles

    Server roles are defined at the server level and exist outside of users databases. There are only fixed server roles, so you cannot add, delete or modify server role. You can only add users as a member of the server roles.

    There are seven fixed server roles:

  • sysadmin
  • serveradmin
  • setupadmin
  • securityadmin
  • processadmin
  • dbcreator
  • diskadmin

    The members of sysadmin server role can perform any activity in SQL Server and have completes control over all database functions.

    The members of serveradmin server role can change server configuration parameters and shut down the server.

    The members of setupadmin server role can manage linked servers (add or remove linked servers), manage replication, manage extended stored procedures, and execute some system stored procedures, such as sp_serveroption.

    The members of securityadmin server role can create and manage server logins and auditing, and read error logs.

    The members of processadmin server role can manage the processes running in SQL Server.

    The members of dbcreator server role can create, alter, and resize databases.

    The members of diskadmin server role can manage disk files.

    Note. To add a login as a member of a fixed server role, you can use the sp_addsrvrolemember system stored procedure.

    This is the syntax:

    sp_addsrvrolemember [@loginame =] 'login', [@rolename =] 'role'

    where

    @loginame - is a SQL Server login or a Windows NT user account.
    @rolename - is the name of the fixed server role.

    See this link for more information: sp_addsrvrolemember (T-SQL)

    Note. To remove a SQL Server login or a Windows NT user or group from a fixed server role, you can use the sp_dropsrvrolemember system stored procedure.

    This is the syntax:

    sp_dropsrvrolemember [@loginame =] 'login', [@rolename =] 'role'

    where

    @loginame - is the name of a login to remove.
    @rolename - is the name of the fixed server role.

    See this link for more information: sp_dropsrvrolemember (T-SQL)

    Note. To return a list of the SQL Server fixed server roles, you can use the sp_helpsrvrole system stored procedure.

    This is the syntax:

    sp_helpsrvrole [[@srvrolename =] 'role']

    where

    @srvrolename - is the name of the fixed server role.

    See this link for more information: sp_helpsrvrole (T-SQL)

    Database Roles

    In SQL Server 6.5 you can use database groups to simplify management of a large number of database users. For example, you can use database groups to grant and revoke permissions to more than one user at the same time.
    But database groups are no longer supported in SQL Server 7.0. SQL Server database roles act like SQL Server 6.5 database groups, but roles have some improvements: in SQL Server 6.5 each user can be a member of only one group (in addition to public group), but in SQL Server 7.0 each user can belong to many roles and the result users permissions are combined for all roles they're members of.

    There are three kinds of the database roles:

  • Fixed Database Roles
  • Public Role
  • User-Defined Database Roles

    Fixed Database Roles

    Fixed database roles are defined at the database level and exist in each database. You cannot add, delete or modify fixed database roles. You can only add users as a member of a fixed database role.

    There are nine fixed database roles:

  • db_owner
  • db_accessadmin
  • db_datareader
  • db_datawriter
  • db_ddladmin
  • db_securityadmin
  • db_backupoperator
  • db_denydatareader
  • db_denydatawriter

    The members of db_owner database role can perform any activity in the database.

    The members of db_accessadmin database role can add or remove Windows NT groups, users or SQL Server users in the database.

    The members of db_datareader database role can see any data from all user tables in the database.

    The members of db_datawriter database role can add, change, or delete data from all user tables in the database.

    The members of db_ddladmin database role can make any data definition language commands in the database.

    The members of db_securityadmin database role can manage statement and object permissions in the database.

    The members of db_backupoperator database role can back up the database.

    The members of db_denydatareader database role can deny permission to select data in the database.

    The members of db_denydatawriter database role can deny permission to change data in the database.

    Note. To add a security account as a member of an existing SQL Server database role in the current database, you can use the sp_addrolemember system stored procedure.

    This is the syntax:

    sp_addrolemember [@rolename =] 'role',
        [@membername =] 'security_account'
    
    where

    @rolename - is the name of the database role.
    @membername - is the name of the security account.

    Any member of a fixed database role can add other users to this role.
    See this link for more information: sp_addrolemember (T-SQL)

    Note. To remove a security account from a SQL Server role in the current database, you can use the sp_droprolemember system stored procedure.

    This is the syntax:

    sp_droprolemember [@rolename =] 'role',
        [@membername =] 'security_account'
    
    where

    @rolename - is the name of the role.
    @membername - is the name of the security account.

    See this link for more information: sp_droprolemember (T-SQL)

    Note. To return information about the members of a role in the current database, you can use the sp_helprolemember system stored procedure.

    This is the syntax:

    sp_helprolemember [[@rolename =] 'role']

    where

    @rolename - is the name of a role in the current database.

    See this link for more information: sp_helprolemember (T-SQL)

    Public Role

    The public role is a special database role to which every database user belongs. The public role contains default access permissions for any user who can access the database. This database role cannot be dropped.

    User-Defined Database Roles

    Although the built-in database roles handle permissions for common database management tasks, it's likely that you will want to group users who have access to perform specific database functions.

    Note. To create a new SQL Server role in the current database, you can use the sp_addrole system stored procedure.

    This is the syntax:

    sp_addrole [@rolename =] 'role' [,[@ownername =] 'owner']

    where

    @rolename - is the name of the database role.
    @ownername - is the owner of the new role.

    See this link for more information: sp_addrole (T-SQL)

    Note. To remove a SQL Server role from the current database, you can use the sp_droprole system stored procedure.

    This is the syntax:

    sp_droprole [@rolename =] 'role'

    where

    @rolename - is the name of the role.

    See this link for more information: sp_droprole (T-SQL)

    Application Roles

    Application roles are the SQL Server roles created to support the security needs of an application. Often database applications enforce their own security based on the application logic. For example, you can use application role with its own password to allow the particular user to obtain and modify any data only during specific hours. So, you can realize more complex security management within the application logic.

    Note.To add a special type of role in the current database, which is used for application security, you can use the sp_addapprole system stored procedure.

    This is the syntax:

    sp_addapprole [@rolename =] 'role', [@password =] 'password'

    where

    @rolename - is the name of the application role.
    @password - is the password for the new application role.

    See this link for more information: sp_addapprole (T-SQL)

    Note. To remove an application role from the current database, you can use the sp_dropapprole system stored procedure.

    This is the syntax:

    sp_dropapprole [@rolename =] 'role'

    where

    @rolename - is the name of the application role.

    See this link for more information: sp_dropapprole (T-SQL)

    Note. To change the password of an application role in the current database, you can use the sp_approlepassword system stored procedure.

    This is the syntax:

    sp_approlepassword [@rolename =] 'role', [@newpwd =] 'password'

    where

    @rolename - is the name of the application role.
    @newpwd - is the new password for the application role.

    See this link for more information: sp_approlepassword (T-SQL)