Management of Authentications and Authorizations
Management of Authentications and Authorizations
Peace-Work-Fatherland
COMPILED BY
GROUP MEMBERS
1. Authentication of connection
There are two different authentication methods for connecting to SQL Server: Windows and
SQL Server.
Windows authentication requires a user to first authenticate to Windows with their login and
password. Once a user has been authenticated to Windows, they can then connect to SQL
Server using Windows authentication.
1|Page
When installing SQL Server, you have the choice to support only Windows authentication or both
authentication methods, which is known as mixed mode. During the installation process, you
decide whether or not to use mixed mode when defining the database engine configuration, as
shown in Figure 1.
Figure 2 shows that my instance supports mixed mode authentication because the radio button next
to the red arrow is enabled.
2|Page
Another method to check which authentication modes are set up is to use TSQL code. The code in
Listing 1 displays the Authentication mode setup.
There are times when you might want to change the authentication settings for a SQL Server
instance. This might occur if you used the default settings during installation to support Windows
authentication only and later acquired some software that can only connect using SQL Server
authentication. Or possibly you want to make your instance more secure by removing support for
SQL Server authentication. The authentication options can be easily changed using the properties
page in SSMS shown in Figure 2.
If I wanted to change my instances to support only Windows authentication, all I would need to
do is click on the “Windows authentication mode” button in Figure 2, and then click on the “OK”
button to apply that change. After making this property change, I would need to restart my instance
for this change to take effect.
3|Page
Figure 3: Authorization using SSMS. Login
➢ Select the specific database you want to authorize access for.
➢ Navigate to security and users’ folders.
4|Page
Figure 5: Choosing permissions
➢ In the user mapping section, tick the checkboxes for the desired permissions
(e.g. SELECT, INSERT, UPDATE, DELETE etc.) for the user.
➢ Click on Ok to apply the changes.
Figure 6: Validating
b. Using Transact SQL
You can you the keyword “grant” to grant permissions directly. Follow the syntax
below:
GRANT <permission> TO <user> [with grant option] [AS <user>]
✓ <permission>: SELECT, UPDATE, DELETE etc.
5|Page
✓ <user>: User to which permission is granted.
✓ [with grant option]: Indicates that the user can also grant permissions to other
users.
✓ [AS <user>]: Specifies the user from which the executing role derives its right
to grant permissions.
In case you want to revoke permissions from a user:
Practical Example:
6|Page
One can equally revoke a user from accessing a particular database, to do that, you need to first
use the database in question and the write the command:
REVOKE CONNECT FROM username;
Example:
b. Database-Level Permissions:
Database-level permissions apply to the entire database and are useful for managing high-level
access control. These permissions allow users or roles to perform actions across the entire database,
such as creating tables, views, stored procedures, or managing security settings.
7|Page
Roles provide a convenient way to manage permissions for multiple users or groups. Instead of
granting permissions individually to each user, you can assign permissions to roles and then add
users to those roles. This simplifies permission management and allows for easier role-based
access control.
d. Practical Examples:
Let's explore practical examples to illustrate the process of authorization in Microsoft SQL Server:
• Granting permissions:
USE SampleDB;
GRANT SELECT, INSERT, UPDATE ON Employees TO User1;
8|Page
EXEC sp_addrolemember 'SalesTeam', 'User4';
EXEC sp_addrolemember 'SalesTeam', 'User5';
ILLUSTRATION:
9|Page
Figure 11 Part 2 of authorization of users to access objects
Different methods and technologies available for managing authorization between servers
in SQL server environments
Managing authorization between SQL Server servers involves controlling access and
permissions for various entities.
10 | P a g e
• The syntax for ALTER AUTHORIZATION syntax varies based on the entity type
and context( SQL Server, SQL Database, Azure Synapse Analytics, or Parallel Data
Warehouse).
So down is the command used to change the ownership of a database in the SQL
server, so this is the syntax in the SQL server;
use master;
-- created the login at the server level
CREATE LOGIN NewLogin1 with password = N'passw0rd' must_change, check_expiration = on,
check_policy=off;
use SE3;
-- creating the user at the database level
USE master;
11 | P a g e
WHERE name = 'NewLogin';
12 | P a g e
Figure 12: Changing ownership of Database
13 | P a g e
Figure 14: Authorization between servers
NB: to change the ownership of the database use the login instead of a user to be able to change
the ownership
14 | P a g e
User permissions, part of the overall user management process, are access granted to users to
specific resources such as files, applications, networks, or devices. A user permission can also
specify the type of access—for example, a user might be allowed to read data without modifying
it (read only) or be allowed to read and write data, specific functions a user can access—for
example, most systems have an administrator role that allows users to change configuration or
assign permissions to other users.
User permission is tightly related to two concepts that are Authentication and Authorization. User
authentication involves verifying a user’s identity before allowing them to access a system or
application. Authentication requires the user to prove their identity using one or more
authentication factors. These factors can include things the user has (for example, a digital
signature, ID, security token), information the user knows (such as a password or PIN) and the
user’s biological characteristics (such as fingerprint, voice, or retina scan).
User authorization is the process of determining which resources users are allowed to access. For
example, users in a website content management system (CMS) can be assigned permissions to
comment on articles (guest), author and edit articles (contributor), and change website look and
feel and configuration (administrator). Authorization can also segment content in an application
and allow each user to access content that is relevant to them.
Steps to follow in other to grants permissions to users
*Step 1: Connect to SQL Server
Open SQL Server Management Studio (SSMS) and connect to your SQL Server instance.
*Step 2: Create a Code Object
For illustration purposes, let's create a stored procedure as a code object. Execute the following
SQL script to create a sample stored procedure:
sql
USE YourDatabaseName; (Replace with your database name)
CREATE PROCEDURE dbo.GetCustomer
AS
BEGIN
SELECT * FROM Customers;
END
This script creates a stored procedure named GetCustomer in the dbo schema.
*Step 3: Create a User
15 | P a g e
Next, you need to create a user who will be granted permission to access the code object. Execute
the following SQL script to create a user:
sql
USE YourDatabaseName; (Replace with your database name)
CREATE USER YourUserName ; (Replace with your desired username)
FOR LOGIN YourLoginName; (Replace with your Windows login or SQL Server login name)
Ensure that you replace YourDatabaseName, YourUserName, and YourLoginName with your own
values.
*Step 4: Grant Permissions
Now, you can grant permissions to the user for accessing the code object. Use the GRANT
EXECUTE statement to grant execute permission on the stored procedure. Execute the following
script:
sql
USE YourDatabaseName; -- Replace with your database name
GRANT EXECUTE ON dbo.GetCustomer TO YourUserName; (Replace with your username)
This script grants the EXECUTE permission on the dbo.GetCustomer stored procedure to the user
YourUserName.
*Step 5: Test the Permissions
To verify that the user has been granted permission to access the code object, you can test it by
executing the stored procedure using the user's login. Execute the following script:
sql
USE YourDatabaseName; -- Replace with your database name
EXECUTE AS LOGIN = 'YourLoginName'; (Replace with your Windows login or SQL Server
login name)
EXEC dbo.GetCustomer; (Execute the stored procedure)
REVERT; (Revert back to the original login context)
Replace YourDatabaseName and YourLoginName with your own values.
If the user has been granted the necessary permissions, the stored procedure will execute
successfully.
That's it You have successfully granted permissions to a user for accessing a code object in SQL
Server. You can follow similar steps to grant permissions for other code objects like functions,
views, and triggers.
16 | P a g e
1. Permission Types:
- EXECUTE: Grants permission to execute a stored procedure, function, or trigger.
- VIEW DEFINITION: Grants permission to view the definition of a code object (e.g., stored
procedure, function, view).
2. Granting Permissions to Roles:
- Instead of granting permissions individually to each user, you can assign users to roles and
grant permissions to those roles. Then, add or remove users from the roles as needed. Example:
sql
USE YourDatabaseName;
CREATE ROLE YourRoleName;
GRANT EXECUTE ON dbo.GetCustomer TO YourRoleName;
EXEC sp_addrolemember 'YourRoleName', 'YourUserName';
3. Revoking Permissions:
- If you need to revoke previously granted permissions, you can use the REVOKE statement.
Example:
sql
USE YourDatabaseName;
REVOKE EXECUTE ON dbo.GetCustomer TO YourUserName;
4. Server-Level Permissions:
- In addition to database-level permissions, SQL Server has server-level permissions that apply
across all databases on the server.
- Examples include CREATE PROCEDURE, ALTER ANY PROCEDURE, VIEW ANY
DEFINITION, etc.
- Server-level permissions are managed separately from database-level permissions.
Remember to adjust the script examples to match your specific database, code objects, usernames,
and role names.
ILLUSTRATIONS
17 | P a g e
Figure 16: Grant permission
18 | P a g e
Figure 18: Execution
19 | P a g e
Figure 20Execution 2
20 | P a g e
NOTE: Authentication checks whether a user has the permission to login while authorization
specifies what actions they can perform once connected.
21 | P a g e