CHAPTER 4 ■ SECURITY AND COMPLIANCE

4. Select Properties to bring up the Database Properties dialog box shown in Figure 4-20. On the General tab, you will see an item named Owner. This is the fully qualified Vista/XP/Win2K account preceded by the domain or local machine name.

Figure 4-20. Database Properties

5. Click Cancel to close this dialog box.

Ownership of tables and other database objects is just as important. If you create a table using the same login ID as that which you created the database with, or use a login ID that is a member of the sysadmin role that is also implicitly mapped to the dbo user in the database, the table will have a default schema of dbo. However, if you logged in with a different user ID, the table would have that user's default schema as the prefix to the table name, replacing the dbo prefix.

Now that we know who the database owner is, it is up to that user, or another user who has system administration rights (in other words, a login that has the sysadmin server role or has the db_owner database role), to allow any other specified user the ability to create tables within the database. We have a user called JThakur who is not a system administrator, but a developer. Recall we created this user in Chapter 1, and that this user could not log in to SQL Server.

Dewson_958-7C04.fm Page 110 Tuesday, July 1, 2008 9:26 AM

The next section will go through a scenario where, as a developer, JThakur has no rights to create any new items. However, we will rectify this situation in the next section, where we will alter JThakur so that he can connect to SQL Server and create a table.

Try It Out: Allowing a User to Create a Table

1. Log on to SQL Server as a sysadmin if required. (However, you are probably already logged in as a sysadmin.) Create a new login by right-clicking the Logins node on the Server Security node and selecting New Login.
This brings up the new login screen, which we can populate with the login name of the user by typing in the details of the login, as shown in Figure 4-21. We are also going to allow this user to connect to ApressFinancial by default when he or she logs in.

Figure 4-21. New login

2. We are not going to assign this user any server roles, but we are going to assign this user to the db_owner role, as you see in Figure 4-22. This will allow the user to create tables as well as create and work with other objects and data. We could have selected db_ddladmin, but this would only have allowed the user to create objects and not create data.

Figure 4-22. New login with database access

3. We now click OK, which will create not only a server login, but also a database user in ApressFinancial for JThakur, as shown in Figure 4-23.

Figure 4-23. User login accounts

JThakur is now in a position to log in to SQL Server and create tables in the ApressFinancial database.

Declarative Management Framework

The security of a database does not just involve ensuring that only the correct people can log in to the system and see only the data that they are authorized to see. Security also involves knowing that the basis of the data has met certain defined compliance criteria. This comes under the header of Declarative Management Framework (DMF). SQL Server 2008's DMF allows policies to be defined to ensure that SQL Server objects follow a defined set of rules. These rules are not compulsory, but rather generate warnings showing that you are not in compliance. The DMF also includes tools to rectify such problem situations.
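The same result as steps 1 to 3, done in T-SQL rather than through the dialog boxes, together with the query behind the Owner item of Figure 4-20. This is an added example, not the book's own script; the SQL-authentication password and the Windows account name in the comment are placeholders.

```sql
-- Added example (not from the book): the T-SQL equivalent of steps 1-3 above,
-- plus a query for the ownership information shown in Figure 4-20.
-- Assumptions: the password and the 'DOMAIN\JThakur' account name are placeholders.
USE master;
GO

-- Who owns ApressFinancial? (the Owner item on the General tab)
SELECT d.name AS database_name, sp.name AS owner_login
FROM sys.databases AS d
JOIN sys.server_principals AS sp ON sp.sid = d.owner_sid
WHERE d.name = N'ApressFinancial';
GO

-- Step 1: create the server login, defaulting the user into ApressFinancial.
-- Windows authentication form (the account name is a placeholder):
--   CREATE LOGIN [DOMAIN\JThakur] FROM WINDOWS WITH DEFAULT_DATABASE = ApressFinancial;
-- SQL Server authentication form (placeholder password; keep the policy checks on):
CREATE LOGIN JThakur
    WITH PASSWORD = N'<placeholder-strong-password>',
         DEFAULT_DATABASE = ApressFinancial,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GO

-- Steps 2-3: map the login to a database user and add it to db_owner,
-- which is what ticking db_owner on the User Mapping page does.
USE ApressFinancial;
GO
CREATE USER JThakur FOR LOGIN JThakur WITH DEFAULT_SCHEMA = dbo;
GO
EXEC sp_addrolemember @rolename = N'db_owner', @membername = N'JThakur';
GO

-- Least-privilege alternative to db_owner: db_ddladmin lets the developer
-- create objects, and the two data roles cover reading and writing rows.
-- Use these three instead of db_owner when the developer does not need to
-- manage permissions or other users.
-- EXEC sp_addrolemember N'db_ddladmin',   N'JThakur';
-- EXEC sp_addrolemember N'db_datareader', N'JThakur';
-- EXEC sp_addrolemember N'db_datawriter', N'JThakur';

-- Verify the user mapping and role membership (what Figure 4-23 shows).
SELECT dp.name AS database_user, dp.default_schema_name, r.name AS role_name
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
WHERE dp.name = N'JThakur';
```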
The logic behind DMF is for administrators to define how an installation should be set up, and then to be able to enforce that definition against any installation that does not meet the criteria. There are three aspects to DMF, and you must understand all three before you can make DMF work for you:

Facets: A facet is a grouping that exists to place conditions in. Facets are prebuilt within SQL Server and expose conditions that can be tested within a policy. Each facet group contains logically combined conditions. One example would be the Login facet, which contains conditions to test whether a login is locked, the default database, the last time the password was altered, whether password expiration is enabled, and so on.

Policies: A policy defines one or more conditions to be applied to a server. Database administrators or even auditors define policies to ensure that specified conditions are met. Historically, one of the largest areas of contention with installations of SQL Server has been that it required the database administrators to write their own stored procedures and schedule them to ensure that every database complied with company policy. Now it is a simple matter of defining a condition and letting Service Broker execute and report on the condition. The result is a greater degree of standardization, as well as ease of programming.

Conditions: A condition within DMF is very similar to any other condition. It tests an attribute to make sure that it meets certain criteria. A number of conditions for your installations will be built up over time, and it is even good practice to set up conditions to test the value of attributes that should be set by default. Such conditions could surround the checking of the ANSI NULL default, for example. Such a condition would then trap any database where, even by accident, the tested value was altered as part of the setup. Conditions need to be part of a policy.
Try It Out: Building a Condition and a Policy

1. Ensure that SQL Server Management Studio is open. There are two ways to progress with this example. It is possible to create a condition and then the policy, or you can create the condition while building the policy. There is no right or wrong way. For this example, you will be building a condition from inside a policy. From within Object Explorer, expand the Management node, followed by the Policy Management node, and then the Policies node. Right-click and select New Policy, as demonstrated in Figure 4-24.

Figure 4-24. Create a new policy.

2. You are now presented with an empty Create New Policy screen. Enter Database ANSI NULL Default as the name. Below this, you will see the Check Condition combo box, which holds the condition the policy is testing (see Figure 4-25). Click the down arrow and select New Condition.

Figure 4-25. Create a new condition.

3. Clicking the New button takes you to the Create New Condition screen. It is then necessary to enter a name and select the type of facet you wish to create. As we are creating a database condition, select Database under the Facet option, which exposes the facets that are available. We will be testing that the database has been set up with AnsiNullDefault set to False, so in the Expression section, select AnsiNullDefault from the list of expressions (see Figure 4-26). Then in the Value column, select False from the list of available options. Once complete, click OK.

Figure 4-26. The New Condition screen with the description and test expression

4. Clicking OK returns you to the New Policy screen, which should look like the one shown in Figure 4-27. Ensure the Enabled box is selected.
The Check Condition combo box should be populated, and in the Against Targets list, the condition should check Every Database on the database server. You could also refine this target to only databases that are over a certain size or to online databases. At this point, you should see an Exception at the top of the screen. This is a SQL Server exception detailing that this policy has to have an Execution mode that is not On Demand, as you have enabled the policy. If you want to run the condition on demand, then you don't need to have it enabled. While the policy is disabled, an Execution Mode of None is valid.

Figure 4-27. New Policy screen that sets the Condition

5. Once you click OK, you should notice both the policy and the condition listed, as shown in Figure 4-28. At this point, nothing has been tested and no policy or condition has been checked against any database.

Figure 4-28. New policy in Object Browser

6. Find the ApressFinancial database, and select Properties, as shown in Figure 4-29. You are going to alter the AnsiNullDefault option on the database to break the policy.

Figure 4-29. Open the database properties.

7. In the Properties screen of the database, scroll down to the Miscellaneous section and switch ANSI NULL Default to True, as shown in Figure 4-30. Click OK.

Figure 4-30. Alter the database property to break the condition.

8. Now that the database is no longer compliant, you need to run the policy and test it. Running the policy would normally be a task scheduled at periodic times, with the results sent to the relevant person. You can schedule the running of a policy by using a job to build the script. You will learn about the use of jobs in Chapter 6 when you see how to back up and restore a database. For the moment, as demonstrated in Figure 4-31, highlight the policy, right-click, and select Test Policy from the pop-up menu.

Figure 4-31. Find the policy and test it.

9. You are now presented with a Run Now screen, similar to the one shown in Figure 4-32. When you are ready, click the Check button. You should see results similar to those shown in the figure, which demonstrate that your database is out of policy.

Figure 4-32. The results of the test in the Run Now window

10. It is not necessary to close this dialog and step through each item that has failed any of your policy tests. To bring your database back into line with all the policies you have set up, even if there is just one, as you have built in this example, click the Configure button seen toward the right in Figure 4-32. This configures the database, setting every tested property to the value the policies require.

11. Run Check again, and you should see a healthy database, as demonstrated by the green ticks in Figure 4-33.

Figure 4-33. All is well with your database.

Summary

There is a great deal to cover concerning security and its different aspects. I would like to recap everything that we have seen just one last time to ensure that you understand how everything fits together.

Before you can connect to SQL Server, an administrator of the SQL Server installation must give you permission to connect. In a Windows authentication setup, the administrator would either allow your Windows account or a group that contains your Windows account to connect to SQL Server. He or she can do this either by using the GUI and creating a login via the Security node or by using the CREATE LOGIN FROM WINDOWS T-SQL statement. If you are in a SQL Server authentication setup, then a user ID and password would be created within SQL Server, again either via the Security/Logins node or by using the CREATE LOGIN ... WITH PASSWORD = 'password' syntax.
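The check that the AnsiNullDefault condition performs, expressed as plain T-SQL so it can be run or scheduled outside the Run Now window, along with the statements behind steps 7 and 10 and a query over the evaluation history that step 9 writes to msdb. This is an added example, not the book's own script; it assumes the policy was saved under the name given in step 2.

```sql
-- Added example (not from the book): what the "Every Database" target of the
-- policy evaluates, done directly against sys.databases. Any database whose
-- ANSI NULL Default is on is out of policy.
-- Assumption: the policy name below is the one entered in step 2.
SELECT name,
       is_ansi_null_default_on,
       CASE WHEN is_ansi_null_default_on = 0 THEN 'compliant'
            ELSE 'OUT OF POLICY' END AS status
FROM sys.databases
ORDER BY name;
GO

-- Step 7 as a statement: deliberately put ApressFinancial out of compliance.
ALTER DATABASE ApressFinancial SET ANSI_NULL_DEFAULT ON;
GO

-- Step 10 as a statement: the change the Configure button applies.
ALTER DATABASE ApressFinancial SET ANSI_NULL_DEFAULT OFF;
GO

-- Step 9 leaves a record in msdb. Read back the latest evaluations of the
-- policy, one row per target, so a scheduled run can be reviewed afterwards
-- without opening the Run Now window.
SELECT p.name                    AS policy_name,
       h.start_date,
       h.result                  AS policy_passed,
       d.target_query_expression AS target,
       d.result                  AS target_passed
FROM msdb.dbo.syspolicy_policies AS p
JOIN msdb.dbo.syspolicy_policy_execution_history AS h
    ON h.policy_id = p.policy_id
LEFT JOIN msdb.dbo.syspolicy_policy_execution_history_details AS d
    ON d.history_id = h.history_id
WHERE p.name = N'Database ANSI NULL Default'
ORDER BY h.start_date DESC;
```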
Once a connection has been made, you can create a user login within the database using the CREATE USER syntax. This allows either the Windows account or the SQL Server login access to the database. It is then possible to place the user into a role: either a predefined role or, more likely, a custom role that you create. This role can be used to determine what can and cannot be accessed within SQL Server tables, views, stored procedures, and any other object. Therefore, a role allows groups of users in one statement to be granted or revoked access to objects within SQL Server. Without roles, as new people join and as old people leave, or as people move between departments, you would need to grant or revoke privileges as required—quite an onerous task.

Finally, when creating objects, as you will see in the next few chapters, these objects are owned by schemas. This allows for groups of objects to belong to a specific schema rather than a specific user login. This also reduces the overhead of granting privileges and allows the grouping of objects that belong together, making your application easier to understand.

This chapter continued our coverage of security within SQL Server 2008. At this point in the book, you now know about SQL Server authentication and Windows authentication, and you have discovered how to control access to databases. The sa login, and password enforcement for that special account, were discussed as far back as the installation process. Our discussions on security are by no means finished because there are still several areas that we need to explore together, which we will do as we go through the book.

Security is the most important part of ensuring that your organization continues to have the ability to work. A security breach could result in lost income and will certainly mean that many people will be unable to do their work.
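The role and schema points of the summary as T-SQL: a custom role is granted access to a whole schema once, and people are then added to or removed from the role rather than being granted or revoked object by object. This is an added example, not the book's own code; the Reporting schema, the ReportReaders role and the second user name are assumptions, while JThakur is the user created earlier in the chapter.

```sql
-- Added example (not from the book). Assumptions: the Reporting schema,
-- the ReportReaders role and the user ASmith are hypothetical.
USE ApressFinancial;
GO

-- Objects are owned by a schema. Granting on the schema covers every table,
-- view and procedure in it, including ones created later.
CREATE SCHEMA Reporting AUTHORIZATION dbo;
GO
CREATE ROLE ReportReaders AUTHORIZATION dbo;
GO
GRANT SELECT, EXECUTE ON SCHEMA::Reporting TO ReportReaders;
GO

-- Someone joins the department: one statement, no per-object grants.
EXEC sp_addrolemember N'ReportReaders', N'JThakur';
-- (hypothetical second user) EXEC sp_addrolemember N'ReportReaders', N'ASmith';
GO

-- Someone leaves or moves departments: dropping the membership removes
-- everything the role conveyed, again in one statement.
EXEC sp_droprolemember N'ReportReaders', N'JThakur';
GO

-- Review what the role can do and who is in it; these are the two queries
-- an auditor would run before trusting the setup.
SELECT state_desc, permission_name, class_desc,
       SCHEMA_NAME(major_id) AS schema_name
FROM sys.database_permissions
WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID(N'ReportReaders');

SELECT USER_NAME(member_principal_id) AS member
FROM sys.database_role_members
WHERE role_principal_id = DATABASE_PRINCIPAL_ID(N'ReportReaders');
```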
It can also lead to unfulfilled orders, backlogs, or even fraudulent transactions. Regardless of whether you have the most well-designed database or the most poorly performing application ever, if you allow the wrong person into the wrong database, the result will be catastrophic.

CHAPTER 5

Defining Tables

Now that we've created the database, it obviously needs to have the ability to store information. After all, without this, what is the point of a database? The first area that needs to be worked on is the table definitions. To be functional, a database needs at least one table, but it can have many and, depending on the solution you are building, the number of tables can become quite large. Therefore, it is important that you as a developer know as much about tables, their structures, and their contents as possible. The aim of this chapter is to teach just that, so that you have a sound base to work from regarding tables, which you can then use for the creation of other objects associated with tables.

The design of a table is crucial. Each table needs to contain the correct information for its collection of columns to allow the correct relationships to be established. One of the skills of a database developer or administrator is to ensure that the final design is the correct solution, hence avoiding painful alterations once further development of the system is in progress. For example, if we designed a system where the table definitions had some major problems and required columns to be moved around, then every aspect of an application would have to be revisited. This would mean quite a large redesign. We looked at database design in Chapter 3, where we also created the database in which our tables will reside, so we know what tables we need and what data they will store.
So that we can successfully create a table, this chapter will cover the following:

• The definition of a table
• The different types of data that can be stored
• How and where a table is stored
• Creating a table using SQL Server Management Studio and Query Editor
• Dealing with more advanced areas of table creation, including
  • How to make a row unique
  • Special data states
  • Dealing with pictures and large text data

What Is a Table?

A table is a repository for data, with items of data grouped in one or more columns. Tables contain zero or more rows of information. An Excel spreadsheet can be thought of as a table, albeit a very simple table with few or no rules governing the data. If you look at Figure 5-1, you will see that the first three columns contain data that can be assumed to be first name, last name, and date of birth, but the fourth column is free-format and varies between a hotel room number, a house number, and a flat number. There is no consistency. In fact, in Excel, all the columns could in reality contain any data.

Dewson_958-7.book Page 119 Monday, June 30, 2008 3:01 PM

[...]

smallmoney: This data type is similar to money with the exception of the range, which lies between –214,748.3648 and 214,748.3647.

date: The new date data type has been built to only hold a date from January 1, AD 1 through to December 31, 9999. The format is YYYY-MM-DD. Until this version of SQL Server, it was not possible to hold [...]

[...] given, informing SQL Server by how much each new ID should increase.
• SQL Server will manage the allocation of IDs. Normally, a user would not insert the value; instead, SQL Server would create it automatically. However, you can enter explicit values if you use the SET IDENTITY_INSERT option to alter the database setting to ON for the specific table. You would have to perform all of these tasks if SQL Server [...]
[...] customer information, then this is all it should hold. Under no circumstances should you consider putting information that was not about a customer in the table. It would be illogical to put, for example, details of a customer's orders within it.

SQL Server Data Types

You have learned a great deal about SQL Server before we even create our first table. However, it is essential to know all of this information [...]

[...] NULL, that's 4 million bytes (4MB) of space used up unnecessarily. Also, because a NULL takes up no space, including NULL values means it will be a lot faster to get the data from the database to where it needs to go, either in a .NET program or back to your T-SQL code for further processing. There will be more on NULL values in Chapter 8.

Image and Large Text Storage in SQL Server

Storing pictures and large amounts of text is different from storing other kinds of information within SQL Server. Pictures can take up large amounts of space. The following also holds true for large amounts of text. Several scenarios exist where, by holding large amounts of data, SQL Server and the SQL Server installation will end up running into problems. I'll explain why in a minute, but first of all you will see what you should do in SQL Server to handle [...]

[...] the customer and customer transactions tables. This will be a one-to-many relationship where there is one customer record to many transaction records. Keep in mind that although a customer may have several customer records—one for each product he or she has bought—the relationship is a combination of customer and product to transactions because a [...]
[...] There is a range limit to the value of the numbers held: int will hold any number between the values of –2,147,483,648 and 2,147,483,647.

bigint: A bigint, or big integer, data type is very similar to int, except that much larger numbers can be held. A range of –9,223,372,036,854,775,808 through to 9,223,372,036,854,775,807 can be stored.

[...] not database- or server-restricted. The path to where they reside is C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\sqlworkbenchnewitems\Sql. It is also possible to create a new node for templates from within the Template Explorer by right-clicking and selecting New ➤ Folder.

■Note Don't create the folder directly in the Sql folder, as this is not picked up by SQL Server Management [...]

[...] used within T-SQL programs. We need to cover one last area before you define your first table, and this concerns the types of data that can be stored within a table in SQL Server. Defining a table can be completed either in SQL Server Management Studio, Query Editor, or SQL Server's database designer tool. You can also create a table through a number of other means using third-party developer tools and languages, [...]

[...] have to be connected to SQL Server with a login that belongs to the correct server or database role that can create tables, such as sysadmin or db_ddladmin. When you create a table, it has to be owned within the database, and this is done via assigning the table to a schema. Recall Chapter 4, which discusses a schema for grouping objects and as a basis for object security. Some data types have fixed storage [...]