11.7 Use aFixedServerRole Managing aserver database engine such as SQL Server can be a time-consuming process. Administrative tasks include backing up the data, adding new users, modifying tables and views, and so on. Most SQL Server administrators find it useful from time to time to permit other people to perform these tasks. Assigning other people tasks such as backing up the databases or administering security allows the system administrators to devote more time to other responsibilities. As a system administrator, I am overwhelmed by the administrative tasks that are required to keep several databases operating efficiently. There's too much to do between database administration, adding new users, performing backups, and other tasks. I'd like to be able to allow an assistant to assume some of these responsibilities so that I won't have to be personally involved in performing these tasks. However, I'm not looking forward to assigning various permissions to all of my administrative assistants. For instance, some people are to be designated as security administrators whereas others will be responsible for updating table designs. Technique SQL Server supports the notion of fixedserver roles that define certain administrative profiles. Each fixedserverrole is accompanied by the appropriate permissions to perform the administrative tasks that are associated with the role. Enterprise Manager provides all the dialog boxes that are necessary to assign user accounts to the fixedserver roles that SQL Server recognizes. It is important to note that each fixedserverrole is global within SQL Server. This means, for instance, that the dbcreator fixedserverrole is able not only to create new databases, but also to make changes to existing databases in SQL Server. SQL Server recognizes eight fixedserver roles: • sysadmin. This is the most powerful fixedserver role. Members of this role are able to perform all the tasks included with the other roles. • serveradmin. The serveradmin role adjusts the serverwide settings in SQL Server, such as memory usage, authentication mode, and home directories. • setupadmin. This role administers linked servers. A SQL Server installation is able to share SQL Server databases that are located on other computers. The setupadmin group is responsible for creating links to SQL Server installations on other computers. • securityadmin. Members of the securityadmin role add new user and group logins, assign passwords, and perform other security-oriented tasks. • processadmin. This role manages processes that are spawned by SQL Server. • dbcreator. Members of this role are responsible for creating and altering databases. • diskadmin. The diskadmin role adjusts the disk space that is available for databases, sets the database growth increment (as a percent or in megabytes), and specifies the parameters for the SQL Server log file. • bulkadmin. SQL Server 2000 includes a number of statements intended to perform bulk inserts to data. Because the BULK INSERT statement can involve considerable amounts of processing time, SQL Server does not allow anyone other than members of the sysadmin and bulkadmin roles to perform this statement. Steps Often, you'll want individual users or groups of users to have database administrative responsibilities. For instance, you might want the accounting group to manage its own login names and passwords. In this case, you'll want to join the users in the accounting group to certain fixedserver roles, which are predefined special security groups. Each fixedserverrole defines a category of administrative tasks, and each member of a fixedserverrole is able to perform those administrative tasks. SQL Server recognizes members of fixedserver roles as people who are authorized to perform these administrative tasks. Each role is accompanied by the appropriate SQL Server permissions that are necessary to perform those tasks. 1. Open Enterprise Manager and expand the Security icon. 2. Click on the Server Roles icon to show the eight fixedserver roles in the right pane (see Figure 11.12). Figure 11.12. The Server Roles icon reveals the eight SQL Server fixedserver roles. 3. Right-click on any of the fixedserverrole entries and select Properties from the pop-up menu. Alternatively, select one of the fixedserver roles and use the Properties command under the Action menu to open the ServerRole Properties dialog box, as shown in Figure 11.13. Figure 11.13. The ServerRole Properties dialog box shows you the logins that are added to the selected role. 4. Use the Add button to open the Add Members dialog box (see Figure 11.14). The Add Members dialog box shows only those logins that have not already been added to the role. In Figure 11.14, only TonyS, the Marketing group, and members of the BUILTIN/Administrators group are not members of the securityadmin fixedserver role. Figure 11.14. The Add Members dialog box shows you only those logins that have not been added to the selected role. 5. Select the login to add to the selected fixedserverrole and click the OK button. Comments Membership in a fixedserverrole does not grant access to a database or data within the databases. Fixedserver roles are intended for administrators and assistant administrators and do not automatically grant access to any of the data that SQL Server manages. Database object permissions (discussed later in this chapter in How-To 11.10) are required to gain access to data and database objects. The special sysadmin role should be reserved for trusted and trained system administrators. Members of this role are able to perform all SQL Server administrative tasks, and those tasks are applicable to all databases that SQL Server manages. Obviously, this can lead to serious problems in the wrong hands. Finally, when you add people to fixedserver roles, make sure these people understand the consequences of their actions as system administrators. Because fixedserver roles are global within SQL Server, the actions that fixedserverrole members perform could affect all the databases that SQL Server manages. Incorrectly configuring SQL Server or failing to carefully implement security can have a dramatic negative impact on every database that SQL Server manages. Members of the SQL Server BUILTIN/Administrators group are automatically added to the sysadmin fixedserver role. . a fixed server role does not grant access to a database or data within the databases. Fixed server roles are intended for administrators and assistant administrators. Members of this role are able to perform all SQL Server administrative tasks, and those tasks are applicable to all databases that SQL Server manages. Obviously,