SQL SERVER 6.

5
Chapter-12/1
Copyright Tata Infotech Ltd. : Copying of this document in part or full is not permitted without express authority.
OBJECTIVE
Overview of administration
SCOPE
Security concepts
Types of security
Types of login IDs
Permissions
Backing up and restoring
Using removable media for the databases
SQL SERVER 6.5
Chapter-12/2
Copyright Tata Infotech Ltd. : Copying of this document in part or full is not permitted without express authority.
SECURITY CONCEPTS
SQL Server security protects the server and the data stored on that server.
SQL Server security determines who can logon to the server; the administrative tasks
each user is allowed to perform; which databases, database objects and data each user can
access.
Types of security
SQL Server security can be implemented in three ways:
Standard security
Integrated security
Mixed security
Standard security
SQL Server is wholly responsible for managing and maintaining accounts on the
server.
SQL Server is responsible for authenticating a user and for enforcing password/login
restrictions.
To log into a SQL Server, each user must provide a valid login ID and password.
Integrated security
Because SQL Server runs only on Windows NT, Microsoft could take advantage of ,
and integrate into, Windows NTs excellent security system.
This allows a network user to log in to a SQL Server without supplying a separate
login ID or password.
Users can maintain one login ID and password for both Windows NT and SQL
Server.
A login to the Windows NT server is either granted or denied connection to the SQL
Server based on attributes of the users login account to the NT server.
Login security integration operates over network protocols that support authenticated
connections between clients and servers. Such connections are referred to as trusted
connections.
Once the login process is complete, all other SQL Server security checks are handled
as usual. Access to individual SQL Server tables, for example, is managed through
the permissions granted within a SQL Server database.
SQL SERVER 6.5
Chapter-12/3
Copyright Tata Infotech Ltd. : Copying of this document in part or full is not permitted without express authority.
Mixed security
It is a combination of both standard and integrated security.
It means that users can log into the server in either way.
When a user connects to SQL Server in mixed security mode, the server validates the
login by first checking whether the login name has already established a trusted
connection to the NT server.
If no connection is found, SQL Server then performs its own validation of the login
name and password supplied.
If the requested login is not a known SQL Server login, access is denied.
SQL Server login IDs
By creating a login ID a user is enabled to attach to the SQL Server.
A login ID is a name by which a user is known to the SQL Server.
Login IDs are administered and created from the Manage Logins dialog box of the SQL
Enterprise Manager.
Only a System Administrator (SA) can manage login IDs.
When SQL Server is installed, two login IDs are automatically created; sa and probe.
When a server is configured to participate in replication, one or both these IDs are
automatically created: repl_publisher and rep_subscriber.
The sa login ID
Responsible for administrative tasks.
Anyone who knows the SA password can log in using the sa login ID and act in the
role of system administrator.
The system administrator is responsible for setting up and maintaining SQL Server.
The tasks include:
a) Installing SQL Server
b) Creating devices and databases
c) Managing disk space, memory and connections.
d) Authorizing SQL Server users and granting permissions to them.
e) Transferring data in and out of SQL Server databases.
f) Backing up and restoring databases.
g) Configuring the server for replication
h) Diagnosing system problems and fine tuning SQL Server to achieve best
performance.
SQL SERVER 6.5
Chapter-12/4
Copyright Tata Infotech Ltd. : Copying of this document in part or full is not permitted without express authority.
The probe login ID
A special login ID that is installed by the setup program.
Used as the security context within which administrative applications (for example,
SQL Performance Monitor ) connect to a SQL Server that is configured for standard
security.
User should not log in using this login ID.
The repl_publisher ID
Created automatically when a server is set as a subscription server.
It allows replication processes on the distributor / publisher server to connect to a
subscription server and replicate table schema and data to destination databases.
The login ID should not be modified and users should not users this to log in.
The repl_subscriber ID
Created automatically when a server is set as a publication server.
It allows replication processes on a subscription server to connect to a publication
server.
This login ID should not be modified and should not be used for logging into SQL
Server.
Database users
A user is allowed to access a database by assigning a database username to the users
login ID.
The username can be :
One created specifically for that login ID
Someone elses username in the database (alias)
When a user is added to the database, the group to which a user belong can be specified.
A group is a collection of users and is a convenient way to provide common permissions
to those users.
There is a built-in group called public, that users belong to by default.
SQL SERVER 6.5
Chapter-12/5
Copyright Tata Infotech Ltd. : Copying of this document in part or full is not permitted without express authority.
Usernames
A database username is a name known to a database, and assigned to a login ID for
the purpose of allowing a user to have access to a database.
A database username is simply called as user.
The abilities a user has within a database depends on the permissions granted to the
username, and the permissions granted to any groups the username is a member of.
Since usernames are separate from login Ids, user preferences can be accommodated.
For example, if there are three users called John, all the three will be having different
login Ids. However, if they are using different databases, each John might prefer to be
known simply as John inside a particular database.
Aliases
An alias is a database username that is shared by several login Ids.
It allows to treat more than one person as the same user inside a database, giving all
of them same permissions.
Allows several users to assume the role of database owner.
Groups
A group is a collection of database users.
The users receive database permissions granted to the group.
Using group simplifies management of a large number of database users who share
common requirements.
Owners
Within each database SQL Server recognizes two types of owners:
Database owners
Database object owners
Database Owner
The database owner (DBO) is the creator of the database.
The authority to create a database is granted to users by the SA.
The DBO has full privileges inside a database that he owns.
The DBO can do the following:
a) Allow user access to the database.
b) Grants users permissions to create objects and execute commands within the
database.
c) Setup groups.
SQL SERVER 6.5
Chapter-12/6
Copyright Tata Infotech Ltd. : Copying of this document in part or full is not permitted without express authority.
In his own database, the user is recognized as DBO,in other databases he is known by
his database username.
When SQL server is installed, the SA is the DBO of the master database and also for
the databases he uses.
Only one login ID can be DBO, others login IDs can be aliased to DBO.
Database Object Owner
The user who creates a database object (tables, indexes,views, defaults, triggers,
rules, and procedures) is the database object owner.
The DBO first grants to the user, permission to create a particular object.
The creator of a database object is automatically granted all permissions on that
object.
A database object owner must explicitly grant permissions to other users before they
can access the object.
Even the DBO cannot use an object unless the object owner has granted the
appropriate permission.
Permissions
Permissions are used to enforce the data security.
SQL Server permissions specify which users are authorized to use which Transact-SQL
statements, views, stored procedures.
The ability to assign permissions depend on each users status. (As SA, DBO or database
object owner.)
Permissions are set on database users or groups, not on login Ids.
SQL Server has two categories of permissions:
Object permission
Statement permission.
Some statement permissions are handled as object permissions because these statements
apply to the database objects. (For example, SELECT, UPDATE, DELETE, INSERT and
EXECUTE)
SQL SERVER 6.5
Chapter-12/7
Copyright Tata Infotech Ltd. : Copying of this document in part or full is not permitted without express authority.
Object permissions
Regulate the use of certain statements on certain database objects.
They are granted or revoked by the owner of the object.
Object permissions apply to the following statements and objects:
Statement Object
SELECT Table, views, columns
UPDATE Table, views, columns
DELETE Table, views
INSERT Table, views
REFERENCE Table
EXECUTE Stored procedure
To grant or revoke object permissions, either SQL Enterprise Manager is used or
GRANT and REVOKE statements are used.
Statement permissions
These are not object-specific .
They can be granted only by the SA or the DBO.
These permissions apply to the following statements:
a) CREATE DATABASE (can be granted only by the SA and only to users of the
master database.)
b) CREATE DEFAULT
c) CREATE RULE
d) CREATE PROCEDURE
e) CREATE TABLE
f) CREATE VIEW
g) DUMP statements
Being granted permission to use a certain statement in one database has no effect in
other databases i.e. each database has its own independent permission system.
To grant or revoke statement permissions, either SQL Enterprise Manager is used or
GRANT and REVOKE statements are used.
SQL SERVER 6.5
Chapter-12/8
Copyright Tata Infotech Ltd. : Copying of this document in part or full is not permitted without express authority.
GRANT and REVOKE statements
GRANT statement
Assigns permissions to users.
Syntax:
Statement permissions:
GRANT { ALL | statement_list}
TO { PUBLIC | name_list}
Object permissions:
GRANT { ALL | permission_list}
ON { table_name [(col_lit)] | view_name [(ciol_list)] | stored_proc }
TO { PUBLIC | name_list }
EXAMPLE
Statement permission
Example 1
GRANT CREATE DATABASE,CREATE TABLE
TO mary, john
OUTPUT:
Permissions for creating database and table is granted to multiple users.
Object permission
Example 2
GRANT SELECT ON authors
TO PUBLIC
OUTPUT:
Grants SELECT permission to the group PUBLIC on authors table.
SQL SERVER 6.5
Chapter-12/9
Copyright Tata Infotech Ltd. : Copying of this document in part or full is not permitted without express authority.
REVOKE statement
Revokes permissions from users.
Syntax:
Statement permissions:
REVOKE { ALL | statement_list}
FROM { PUBLIC | name_list}
Object permissions:
REVOKE { ALL | permission_list}
ON { table_name [(col_lit)] | view_name [(ciol_list)] | stored_proc }
FROM { PUBLIC | name_list }
EXAMPLE
Statement permission
Example 1
REVOKE CREATE DATABASE,CREATE TABLE
FROM mary, john
OUTPUT:
Permissions for creating database and table is revoked from the users mary and john.
Object permission
Example 2
GRANT SELECT ON authors
FROM PUBLIC
OUTPUT:
Revokes SELECT permission from the group PUBLIC on authors table.
SQL SERVER 6.5
Chapter-12/10
Copyright Tata Infotech Ltd. : Copying of this document in part or full is not permitted without express authority.
Permissions of SA
There are no restrictions on what SA can do within SQL Server.
Permissions of Database Owners
Has full permission to do anything inside his database.
DBO must grant permissions to other users explicitly.
Permissions on certain statements are automatically granted to the DBO and cannot
be transferred to other users like DROP DATABASE, GRANT and REVOKE,
DBCC.
On other statements DBO can grant permission to other users like CREATE
DEFAULT, CREATE RULE, CREATE TABLE, CREATE VIEW, CREATE PROC,
DUMP statements.
Permissions of database object owners
A user who creates a database object is its owner and is automatically granted all
object permissions on it.
Other users, even the DBO are automatically denied all permissions on that object
unless explicitly allowed by the database object owner.
On certain statements permission cannot be transferred to other users:
ALTER TABLE
CREATE and DROP INDEX
CREATE and DROP TRIGGER
DROP and TRUNCATE TABLE
UPDATE STATISTICS
SQL SERVER 6.5
Chapter-12/11
Copyright Tata Infotech Ltd. : Copying of this document in part or full is not permitted without express authority.
BACKING UP AND RESTORING
Backing up a database
Backing up is creating a copy of the database or transaction log on a dump device which
is accomplished by either using Enterprise Manager or the DUMP statement.
Backing up a database backs up both the database as well as transaction log.
In large databases, the data portion and the transaction log are usually stored on different
devices, so that transaction logs can be backed up separately. Dumping only the
transaction log uses less storage and takes less time than dumping the database, which
backs up both the transaction log and the database.
Regular backups of all the databases should be maintained to ensure smooth recovery in
case of database or media failure.
Immediate and scheduled backups
SQL Enterprise Manager (Backup and restore ...option) allows to set and maintain a
schedule of automatic backups. Manual backup can also be taken any time.
Backup can be performed immediately in two ways:
As a foreground task that occupies SQL Enterprise Manager until the backup
completes.
As a background task that allows SQL Enterprise Manager to remain available to you.
Scheduled backups can be set to occur one time or on a recurring basis. Recurring
backups can be set to occur hourly, daily, weekly or monthly.
Backup task options
Scheduling a backup creates a backup task. While scheduling the backups task option can
be set that will:
Send an e-mail to an operator when the backup fails or succeed.
Write an entry in Windows NT Application log when the backup fails or succeed.
Specify the number of retry attempts when a backup fails and also the delay between
each retry.
SQL SERVER 6.5
Chapter-12/12
Copyright Tata Infotech Ltd. : Copying of this document in part or full is not permitted without express authority.
Monitoring, modifying or canceling a scheduled backup
By using the option Backup and restore of the Enterprise Manager the scheduled
backups cannot be monitored, modified or canceled.
The Task Scheduling window is used for the purpose. But, this window displays all the
tasks defined on the server; not just the backup tasks.
For a selected task, the task history can be viewed which provides information about the
last run date of the task, time and duration of last run, status of that run, whether an e-
mail was sent.
A scheduled backup task can be edited. The task name, the database the task is run
against, the command that is run, task schedule and task options can be changed.
A scheduled backup task can be suspended without canceling the task and it can be re-
enabled.
Restoring a database
Restoring is to load a database from the backup of that database and of its transaction
log.
If the device that a database reside on fails and the database is damaged, the database can
be restored by reloading the most recent database backup.
A database backup can be reloaded over the old database, if it is found that there is some
corrupt data on the database.
A load overwrites the information in the database with the backed up information.
Restore is accomplished by using Enterprise Manager or the LOAD statement.
When a database is restored from a backup, the database must not be in use.
Loading a transaction log results in reexecution of the changes it contains and in rolling
back any transactions that were uncommitted when the transaction log was backed up.
Automatic recovery
Automatic recovery occurs every time SQL Server is restarted. This protects the database
in the event of system failures.
When SQL Server is restarted recovery is performed automatically on each database.
This does the following:
SQL SERVER 6.5
Chapter-12/13
Copyright Tata Infotech Ltd. : Copying of this document in part or full is not permitted without express authority.
Rolls back uncommitted transactions- those transactions that were ongoing when the
SQL Server was shut down.
Checks the transactions that had been committed between the last checkpoint and the
failure, and rolls them forward.
In each database, the automatic recovery looks at the transaction log. If the log has
committed transactions not yet written to the database, it performs those transactions
again. This is called rolling forward.
Importing and exporting data
Two SQL Server utilities can be used to transfer data. The Bulk Copy Program which has
already been discussed and the other is the transfer management interface in SQL
Enterprise Manager (Database/ Object Transfer .... option).
The transfer management interface is used to transfer all or some objects from one
database to another. In addition to transferring objects from one SQL Server to another,
transferring objects from following server applications to SQL Server 6.5 is supported:
SQL Server 4.x
SQL Server 6.0
Sybase system 10
Transferring objects from server other than SQL Server 6.5 requires that a script be run
first.
Scripts for other applications are available on SQL Server 6.5 CD.
SQL Server 4.x - SQLOLE42.SQL
SQL Server 6.0 - SQLOLE65.SQL
Sybase system 10 - SYSSYS.SQL
SQL SERVER 6.5
Chapter-12/14
Copyright Tata Infotech Ltd. : Copying of this document in part or full is not permitted without express authority.
DATABASES ON REMOVABLE MEDIA
Using Removable Media for databases

This feature enables databases to be placed on removable media, such as CD-ROMs,
magneto opticals, floppy disks, etc.

It is possible to read and write from databases on floppy disks, optical drives but CD-
ROM based database is truly read-only, which aid in securing data integrity.

Creating a removable database

The stored procedure sp_create_removable is used to create the databases on the
removable media.
The removable database has to be created in such a way that three devices are use;
one for system catalog tables, one for the transaction log, and one or more for the data
tables.

Syntax:
sp_create_removable database_name, syslogical, sysphysical, syssize,
loglogical, logphysical, logsize,
datalogical1, dataphysical1, datasize1
[..., datalogical16,dataphysical16, datasize16]
sp_create_removable parameters

Parameter Description

database_name Name of the database that will be created for use on removable media.
syslogical Logical name of the device that will contain he system catalog tables
and the transaction log
sysphysical Physical name including a fully qualified path of the device holding the
system catalog and transaction log
syssize size in MB of the above device
loglogical Logical name of the device that will contain the transaction log
logphysical Physical name including a fully qualified path of the device holding the
transaction log
logsize size in MB of the above device
datalogical Logical name of the device that will contain data tables
dataphysical Physical name including a fully qualified path of the device holding the
data tables
datasize size in MB of the above device

SQL SERVER 6.5
Chapter-12/15
Copyright Tata Infotech Ltd. : Copying of this document in part or full is not permitted without express authority.


EXAMPLE

sp_create_removable inventory ,invsys, C:\MSSQL\DATA\invsys.dat, 2,

invlog, C:\MSSQL\DATA\invlog.dat, 4,

invdata , C:\MSSQL\DATA\invdata.dat, 10

OUTPUT:

The database called inventory is created as a removable database.
It creates a 2MB system catalog database device, 4MB Transaction Log database device and 10 MB of
data device.



Using the removable database

After the database development is complete, the system stored procedure
sp_certify_removable is used to prepare the database for distribution on removable
media.

Syntax:

sp_certify_removable database_name [, AUTO]

database_name - the name of the database to be certified.

AUTO - If specified, any problems encountered are corrected automatically.

EXAMPLE
sp_certify_removable inventory, AUTO

OUTPUT:
Inventory database is certified and brought offline.


All the devices that have been created for use in the removable database are taken offline
by this system stored procedure.
SQL SERVER 6.5
Chapter-12/16
Copyright Tata Infotech Ltd. : Copying of this document in part or full is not permitted without express authority.


Installing the Removable database


Use sp_dbinstall to install a removable media database.

The removable media installation process copies a database device containing the system
catalog tables and transaction log onto the servers disk.

This allows to create or administer users, permissions, views and stored procedures for
the database, while keeping the data on read-only removable media.

Databases are installed as offline (unavailable). The newly installed database is placed
online by using sp_dboption.
To install a database and place it online
Place the removable media into the drive.
Run sp_dbinstall system stored procedure:

Syntax:

sp_dbinstall database_name,device_name, physical_device, size, device_type [,
location]

Options Description
database_name Name of the database to be installed.
device_name Name of the database device to be installed.
physical_device path information for device on removable media
size size of the device being created
device_type type of the device being created on target SQL Server [SYSTEM /
DATA]
location Location to use on the local drive for the device being installed.
EXAMPLE
sp_dbinstall inventory, invsys, e:\invsys.dat, 2, SYSTEM,
c:\MSQL\DATA\invsys.dat
sp_dbinstall is run again to install the data device.

SQL SERVER 6.5
Chapter-12/17
Copyright Tata Infotech Ltd. : Copying of this document in part or full is not permitted without express authority.
LAB EXERCISES
1. Create a database in which create the tables designed for the library system given id
session 1 with all the required constraints, rules, defaults etc.
SQL SERVER 6.5
Chapter-12/18
Copyright Tata Infotech Ltd. : Copying of this document in part or full is not permitted without express authority.
SUMMARY
SQL Server security can be implemented in three ways:
Standard security
Integrated security
Mixed security
When SQL Server is installed, two login IDs are automatically created;
sa and probe.
When a server is configured to participate in replication, one or both these IDs are
automatically created: repl_publisher and rep_subscriber.
A user is allowed to access a database by assigning a database username to the users
login ID.
The username can be :
One created specifically for that login ID
Someone elses username in the database (alias)
A group is a collection of users and is a convenient way to provide common permissions
to those users.
Within each database SQL Server recognizes two types of owners:
Database owners
Database object owners
SQL Server has two categories of permissions:
Object permission
Statement permission
Backing up is creating a copy of the database or transaction log on a dump device .
Restoring is to load a database from the backup of that database and of its transaction
log.
Two SQL Server utilities can be used to transfer data.
Bulk Copy Program
Database/ Object Transfer .... option.
Using removable media for databases enables databases to be placed on removable
media, such as CD-ROMs, magneto opticals, floppy disks, etc.