Database Administration and Security

Questions and Answers

What must be done to allow a login to access database objects?

• The login must be mapped to a database user. (correct)
• The login must not be connected to a SQL Server instance.
• The login must have SQL Server Management Studio installed.
• The login must have a direct privilege assigned.

Which command is used to provide privileges to users on database objects?

• REVOKE
• ALTER
• EXECUTE
• GRANT (correct)

What is the purpose of the REVOKE command in database security?

• To add new privileges to an existing user.
• To create a new user in the database.
• To log in to the SQL Server instance.
• To remove privileges from a specific user. (correct)

If a user is not mapped to any database user, what can they do?

Connect to SQL Server but cannot access objects. (C)

What type of database objects can access privileges be assigned to?

All database objects. (C)

What must be done for a user to modify data in a database?

They must be granted appropriate rights in the database. (A)

Which statement about database users and owners is correct?

Every object has a single owner. (C)

Which of the following is a requirement for a user to access objects in a database?

They must have a mapped login to a database user. (C)

What is the primary responsibility of a Database Administrator (DBA)?

Facilitating the development and use of the database (D)

Which of the following is NOT a typical privilege granted to users in a database?

RENAME (A)

What does the term 'roles' refer to in the context of a database?

A named collection of database access privileges (C)

In organizations without a Data Administrator (DA), which responsibilities are often taken over by the DBA?

A mix of administrative and technical skills (D)

What is the first step in setting up security for a database?

Authentication and Authorization (A)

Which of these options best describes the role of the Data Administrator (DA)?

Oversees business and technical data needs (A)

Which database object is commonly manipulated using SQL privileges?

Views (B)

How do Database Administrators (DBA) generally support end-users?

Monitoring distribution and use of data (A)

What is the primary role of a Data Administrator (DA)?

Control overall corporate data resources (D)

Which activity is NOT typically the responsibility of a Database Administrator (DBA)?

Establishing corporate data policies (C)

What is essential for the protection of the database according to the roles discussed?

Implementing effective security measures (D)

Which of the following concepts is NOT part of SQL security?

Data retrieval methods (A)

What is the main purpose of security measures from a DBA's perspective?

To prevent unauthorized access and data loss (B)

What is a consequence of not implementing security measures in a database management system?

Loss, corruption, or mishandling of data (B)

Who builds the logical model of the database before it is implemented by the DBA?

The Data Administrator (DA) (D)

Which role is concerned with maintaining a successful database environment?

Database Administrator (DBA) (B)

What command is used to create a new user under the myDB database?

CREATE USER user1 FOR LOGIN newlogin_name (C)

What happens when attempting to execute 'ALTER LOGIN newlogin_name WITH PASSWORD = Newpassword'?

It displays an error due to incorrect credentials. (A)

Which statement correctly describes the purpose of roles in database management?

Roles help manage sets of privileges efficiently. (D)

How can you remove the updating privilege from user1?

REVOKE UPDATE ON [Names] FROM user1 (C)

What is the first step in checking the newly created login in SQL Server?

Open the Object Explorer and expand the security folder. (D)

After creating a new login, which command is necessary to update its name?

ALTER LOGIN login_name_test WITH NAME = newlogin_name (C)

Why might databases use roles rather than grant privileges to individual users?

It simplifies user management during updates. (B)

What is the effect of the command 'GRANT SELECT ON [Names] TO user1'?

It grants user1 permission to view records in the Names table. (D)

What is the primary function of the db_securityadmin fixed database role?

Manage role membership for custom roles (C)

Which fixed database role allows members to read all data from user tables?

db_datareader (C)

Which of the following roles would allow a user to add or remove access to the database for logins?

db_accessadmin (B)

What is a notable restriction of the db_denydatawriter fixed database role?

Members cannot add or modify data in user tables (D)

Which role is responsible for backing up the database?

db_backupoperator (B)

Which fixed database role has the ability to run any Data Definition Language (DDL) commands in a database?

db_ddladmin (B)

If a user belongs to the db_datawriter role, what actions can they perform?

Add, delete, or modify data in user tables (D)

Which fixed database role can potentially elevate their privileges?

db_securityadmin (D)

What is the primary function of the db_owner fixed-database role?

To perform configuration and maintenance activities (D)

Which role should a user be assigned if they should not read any data in the user tables?

db_denydatareader (B)

How can you assign a user the db_owner role in a SQL Server database?

USE myDB; ALTER ROLE db_owner ADD MEMBER user1 (D)

What are user-defined database roles?

Roles created based on user preferences (C)

Which of the following is NOT a fixed-database role?

custom_role (A)

What does the db_securityadmin role primarily allow users to do?

View and update the data in tables (B)

Which fixed-database role allows a user to drop the database?

db_owner (D)

What is the consequence of granting the db_denydatareader role to a user?

The user cannot read any data (A)

Flashcards

Data Administrator (DA)

A management role responsible for controlling corporate data resources (both computerized and manual).

Database Administrator (DBA)

A role responsible for maintaining a successful database environment, including design, implementation, maintenance, and security.

Database Security

DBMS features and measures to protect organization's data and system against threats.

SQL Security Model

Provides a syntax for specifying security restrictions within a database system.

Users (in Database)

People or programs interacting with and performing actions on database objects.

DA's role in database design

To define the logical boundaries and contents of the database.

DBA's role in database design

To design, implement, maintain, and manage the physical structure (databases).

Security Implementation Importance

Protects against data loss, corruption, mishandling, & service degradation, protecting data privacy and business integrity.

Data Administrator (DA) vs. DBA

DA focuses on business needs (logical database design) and policies; DBA focuses on technical aspects (physical database management and maintenance).

DBA's Managerial Tasks

Supporting end-users, defining/enforcing database policies, providing backup and recovery, and monitoring data.

Database Objects

Elements like rows, columns, tables, indexes, and views that users can manipulate within a database.

Database Privileges

Rights granted to users to perform actions (select, insert, delete, update) on database objects.

Database Roles

Named collections of privileges that authorize users to access and use specific database resources.

Authentication/Authorization

First steps to secure access to the SQL server instance (and database); verifying user identity and controlling their permissions.

User Access Levels

Logins (server level) and users/roles (database level) grant access to the SQL server.

Overlapping Roles

DA and DBA roles can sometimes overlap, especially when an organization doesn't have a DA, with DBA handling some of DA's duties.

Database Logins

Connections to SQL Server services, requiring mapped database users for object access.

Database User Permissions

Authorizations given to database users to control access to database objects.

GRANT Command

SQL command to provide access privileges on database objects to users.

REVOKE Command

SQL command to remove user privileges on database objects.

Login Mapping

Connecting server-level logins to database users for access.

SQL Server Instance

A particular SQL Server service.

Database Objects

Elements in a database that users modify (tables, data etc.).

User Access

The privileges granted to a user to modify a database or its contents.

CREATE LOGIN

SQL command to create a login account for accessing the SQL Server.

GRANT SELECT, UPDATE

SQL command to grant select and update permissions on a specific table to a user.

REVOKE UPDATE

SQL command used to remove update permissions from a user on a specific table.

ALTER LOGIN

SQL command to modify a login account's details like Name or Password.

CREATE USER

SQL command to create a user within a specific database using a login.

Database Role

A named collection of privileges for accessing the database resources.

Login Account

A server-level account used to authenticate users for database access.

SQL security

Security mechanisms in SQL Server for controlling access to database objects.

Database-level roles

Predefined or custom roles in a database that assign privileges to users.

db_owner role

A fixed database role allowing complete database management, including configuration, maintenance and dropping the database.

db_denydatareader role

A fixed database role that prevents users from reading data in user tables.

User-defined database roles

Roles created by the user based on their needs, offering specific permissions to users.

Adding a user to a role

The process of assigning a user to a database role granting the associated privileges.

SQL syntax for adding a user to the db_owner role

The specific SQL command to add a user to the db_owner role.

Fixed-database role capabilities

The specific actions allowed by the predefined database role.

User table data access for db_denydatareader

Members of the db_denydatareader role cannot access data in user tables.

db_securityadmin role

This fixed database role allows modifying role memberships for custom roles and managing permissions.

db_accessadmin role

This fixed database role manages database access for Windows logins, Windows groups, and SQL Server logins.

db_backupoperator role

This fixed database role allows backing up the database.

db_ddladmin role

This fixed database role executes Data Definition Language (DDL) commands.

db_datawriter role

This fixed database role permits adding, deleting, or changing data in user tables.

db_datareader role

This fixed database role allows reading data from user tables.

db_denydatawriter role

This fixed database role prohibits adding, modifying, or deleting data in user tables.

Database Role

A named set of privileges that control user access to database resources.

Study Notes

Database Administration and Security

• Database security involves measures to protect databases from unauthorized access, service interruptions, and data loss.
• Data Administrator (DA) manages overall corporate data resources (manual and computerized).
• Database Administrator (DBA) maintains database environment, ensuring security, design, implementation, and maintenance.
• DA determines database contents and boundaries; DBA manages physical structures.
• DBA's tasks include designing, implementing, maintaining, and securing database structures.
• DA and DBA roles can overlap; if no DA, DBA handles both functions.
• DBA supports end-users, enforces policies, handles data backup/recovery, and monitors data usage.

SQL Security Model

• SQL security model specifies security restrictions enforced by the DBMS.
• Users are people or processes with database access and unique IDs.
• DBMS grants privileges for specific actions (e.g., SELECT, INSERT, DELETE, UPDATE) on database objects.
• Objects are database entities like tables, rows, columns, indexes.
• Privileges define user access rights to objects.
• Roles are named collections of privileges authorizing database access.

Database Users

• Security setup involves authentication and authorization.
• Users, groups, or processes access SQL server at either server or database levels.
• Server-level includes logins and server roles; database-level includes users and database roles.

Creating and Managing Logins

• Login establishes connection to SQL Server.
• Login must be mapped to a database user for database object access.
• CREATE LOGIN command creates a new login with specific password.
• ALTER LOGIN modifies login name or password.
• Database object access requires proper login mappings and user privileges.

Database Privileges

• Authorization controls access to database objects.
• Each object has an owner; privileges control modifications by other users.
• GRANT command provides database object access privileges to users or roles.
• REVOKE command removes database object access privileges from users or roles.

Database Roles

• Roles group privileges for efficient user management.
• Roles streamline privilege assignment to multiple users.
• Database-level roles are predefined and can be customized.
• Predefined roles (e.g., db_owner, db_securityadmin) come with specific permissions.
• Assign predefined or customized user roles for effective database access management.