facility9

Since it’s the new year, and I feel like being a lemming and going along with everyone else in the blogosphere, here are my goals for 2009:

• Learn the SQL Server BI stack. At first read this is a lofty goal. However, I don’t plan to learn and master the entire BI stack in SQL Server, but I do plan on giving it my best shot. SSRS, SSIS, SSAS, data warehousing, these are all tools that I don’t know well enough to make use of on a daily basis, yet.
• Update my Microsoft certifications. I currently hold an MCITP Database Developer certification in SQL Server 2005. I am going to update this to 2008 and expand into the other two MCITP arenas: Database Administrator and Business Intelligence Developer.
• Reacquaint myself with Ruby. A year ago I built a pretty nifty piece of software using Ruby on Rails (although it was mostly Ruby) to create a bridge between a unified data repository and multiple Lotus Notes databases. It was during this project that I really fell in love with Ruby’s expressive syntax and I really want to get back to using it, even if I’m only using it at home, for fun.
• Keep up on my blogging/writing. There have been a few weeks where I haven’t posted the amount or quality of content that I would like to be posting. While I can’t hit the nail on the head every time with content, I can certainly try. Part of that is going to be sticking to a more rigorous schedule with writing. I remember from getting my BA in English that a great deal of quality writing comes from regularly writing and reviewing what you’ve written, and that is part of my grand plan.
• Relax. Those who know me have probably heard me joke that I haven’t taken an actual vacation since I started working back in 2000. Sadly, this is true. I hope to make 2009 the first year that I take an actual vacation and do something that has nothing to do with work for more than one day. I work a lot and I really like what I do, but in a way it’s a curse because I tend to spend a lot of time working and I forget to relax and enjoy things outside of work.

Database roles (also referred to as database-level roles) are security roles that exist on a database level, as opposed to the server level. If you are familiar with any aspect of system administration, database roles are similar to groups in the world of Windows system administration. Just like a Windows group, when a user is added to a role they inherit all the rights and permissions of the role.

There are two kinds of database roles in SQL Server: fixed roles and flexible roles.

Fixed Roles

Before getting into the fixed roles that are available, it’s important to know what fixed roles actually are. Fixed roles are roles that automatically exist in each database. Adding a user to one of these roles will not change that user’s permissions in any other database.

Any user or role can be added to a database role. Once a user has been added to a role, they can add other users or roles to that role.

A Word of Warning: Be exceptionally carefully when adding flexible roles to a fixed role. You could very easily elevate privileges for a large number of users in one simple step.

With that warning out of the way, let’s take a look at the fixed roles available in SQL Server.

• db_owner
• db_securityadmin
• db_accessadmin
• db_backupoperator
• db_ddladmin
• db_datawriter
• db_datareader
• db_denydatawriter
• db_denydatareader
• Public

db_owner

Users in the db_owner role have it all, within a single database. They can grant and revoke access, create tables, stored procedures, views, run backups, schedule jobs. Heck, a user who is db_owner can even drop the database.

However, just because you have the keys to the kingdom doesn’t mean that you can do everything. Users who have been granted db_owner will still need specific permissions to run traces and view many of the dynamic management views. Why is that? Those are managed at the server level and will require that server level permissions or roles are granted to your login.

Why use db_owner? You would want to add a user to the db_owner role if you have a user who needs to make extensive modifications to all aspects of a database - creating users, adding them to roles, creating tables/views, creating stored procedures, and adding security settings for the tables, views, and stored procedures. One example of this would be a developer who is creating a database for a new application (or creating extensive modifications to an existing application) but you don’t want to add that user to the sysadmin group.

  -- Create our sample database and switch to it
  CREATE DATABASE TestFixedRoles;
  GO
  USE TestFixedRoles;
  GO

  -- Set up our test users
  CREATE USER user_dbo WITHOUT LOGIN;
  CREATE USER user_security WITHOUT LOGIN;
  CREATE USER user_reader WITHOUT LOGIN;
  CREATE USER user_writer WITHOUT LOGIN;
  CREATE USER user_backup WITHOUT LOGIN;
  GO

  -- Grant db_owner to user_dbo
  EXEC sp_addrolemember N'db_owner', N'user_dbo';
  EXEC sp_addrolemember N'db_securityadmin', N'user_security';

  -- Create an orders table as dbo
  CREATE TABLE orders (
    id            INT       NOT NULL   IDENTITY(1,1),
    orderdate     DATETIME  NOT NULL,
    employee_id   INT       NOT NULL,
    customer_id   INT       NOT NULL,
    quantity      INT       NOT NULL,
    CONSTRAINT PK_Orders PRIMARY KEY (id)
  );
  GO

  -- temporarily switch to the context of user_dbo
  EXECUTE AS USER = 'user_dbo';
  SELECT USER_NAME(); -- This should return user_dbo

  -- This will return 1 row for our orders table
  SELECT t.[name]
    FROM sys.tables AS t
   WHERE t.[name] NOT LIKE 'sys%'

  DROP TABLE orders;

  -- revert back to our regular user
  REVERT;
  GO

db_securityadmin

Users in the db_securityadmin role can modify role permissions and manage permissions. Users in this role have, in theory, almost as much power members of db_owner. The only thing that a member of db_securityadmin can’t do is add users to the db_owner role. Members of db_securityadmin also cannot add users to fixed database roles (this requires membership in the db_owner role).

Why use db_securityadmin? You might want to use db_securityadmin when you need to grant privileges to a trusted user and allow them to manage privileges across an application. Take care when granting db_securityadmin to make sure that you trust the user to not give themselves additional permissions. This risk can be alleviated by adding auditing to the database to log when privileges are granted or revoked.

  EXECUTE AS USER = 'user_security';

  -- this will generate three errors since user_security isn't a member of db_owner.
  EXEC sp_addrolemember N'db_datareader', N'user_reader';
  EXEC sp_addrolemember N'db_datawriter', N'user_writer';
  EXEC sp_addrolemember N'db_backupoperator', N'user_backup';

  REVERT;
  GO

  -- this will now succeed since you are a member of db_owner, after all
  EXEC sp_addrolemember N'db_datareader', N'user_reader';
  EXEC sp_addrolemember N'db_datawriter', N'user_writer';
  EXEC sp_addrolemember N'db_backupoperator', N'user_backup';

db_accessadmin

Members of the db_accessadmin role have the ability to change database access. They can grant and revoke access to Windows logins, Windows groups, and SQL Server logins. The users that they grant access to will be members of the Public role and will have all the privileges associated with that role.

Why use db_accessadmin? This role would be used when you have a user who is responsible for maintaining access to a specific database. When combined with db_securityadmin you have a user who is capable of granting and revoking general access to a database as well as controlling the security permissions for almost any user. This combination is quite powerful and should be granted carefully. With auditing in place, you can mitigate any risk of granting both roles to a single user.

db_backupoperator

Members of this role can create database backups. It’s important to note that they cannot, by default, restore the backups that they create. The only users that can restore a backup are members of the sysadmin and dbcreator server roles and the owner of the database (dbo).

Why use db_backupoperator? If you have an automated process that connects to the database and creates a backup it would be a good idea to have all backup operations connect to the database using a user/login that only has db_backupoperator access to prevent any unauthorized data access due to a user being compromised.

db_datareader/db_denydatareader

Members of the db_datareader role are able to read all data from all user tables. That’s right, everything. Even the super secret secrets.UserPayHistoryAndSocialSecurityNumbers table can be read by members of db_datareader.

Conversely, members of db_denydatareader are explicitly denied the ability to write to any user created tables. They live in the dark about the contents of the database.

Why use db_datareader? Let’s say the accounting department has a separate database. Everyone in accounting is able to create and run ad hoc reports directly against this database, but they shouldn’t be able to do anything else apart from see the contents of the database. Clearly granting db_owner access is out of the question. Your junior DBA is out sick today, so you can’t make him grant SELECT permissions to every table in the database while you go out to Chipotle for lunch. Instead, you can simply grant db_datareader access to the accounting department’s Windows group.

Why use db_denydatareader In addition to the accounting department’s requirement to be able to create ad hoc reports as needed, HR needs to be able to run the canned reports available to them through your carefully crafted stored procedures but they should not be able to run ad hoc reports. However, it turns out that they are also able to create and run ad hoc reports (thankfully your junior DBA emailed you about this yesterday before he got sick). By granting db_denydatareader permissions to the HR Windows group you can prevent members of the HR group from running the ad hoc reports (assuming Windows Forms authentication is being used) and get in touch with the application developers to have them hide ad hoc reports from the HR group in the application front end.

db_datawriter/db_denydatawriter

Much like db_datareader and db_denydatareader, the name of this role is largely self-explanatory: members of the db_datawriter role can INSERT, UPDATE, and DELETE data from any user created table. Likewise, members of the db_denydatawriter role are explicitly denied the ability to perform INSERT, UPDATE, and DELETE operations on any user created tables.

Why use db_datawriter? db_datawriter would be a good choice for a user or login that runs an automated ETL process on a regular basis. This ensures that access to all tables is maintained even when new tables are added and reduces maintenance overhead.

Why use db_denydatawriter If you want to limit write access for a login or user it is easy to add them to the db_denydatawriter role and allow specific access to a subset of tables. This might be desirable when users may need to make adjustments to certain tables - such as a bill, order, or account balance - but they do not need the ability to modify all data in the database.

db_ddladmin

Members of the db_ddladmin role are able to execute DDL commands (CREATE, ALTER, DROP) within the current database. It’s pretty self-explanatory - a member of db_ddladmin can run any CREATE, ALTER, or DROP command within the current database. They cannot create new databases, nor can they alter or drop the current database.

Why use db_ddladmin? Your company has brought on several consultants to help develop a new application. Their work will require that they are able to create, or change, new tables, views, indexes, and stored procedures. However, they don’t need the ability to create users or manage security. In this case, your best solution would be to add the consultants to the db_ddladmin role.

Public

The Public role is a bit different from all of the other roles. Every database user is a member of the Public role. If a user does not have any explicit permissions on a database object, they will inherit the permissions of the Public role.

Why use the public role? Going back to our example of the Accounting and HR departments, let’s say that there are now two databases: Accounting and HR. For the purposes of this example, only Accounting personnel should have access to the Accounting database and only HR personnel should have access to the HR database. What’s the best way to accomplish this?

The first step is to create a user for each department in their respective database. This user needs to be mapped to the appropriate Windows group. Once you have created the user and mapped it to the appropriate group, you can then add the user to the Public role.

Using this method it’s easy to add additional users and groups to the Public role without having to manage separate security settings for each one individually.

  /*****************************************************************************
   * PUBLIC ROLE DEMONSTRATION
   ****************************************************************************/
  CREATE DATABASE Accounting;
  GO
  USE Accounting;
  GO
  -- This is going to fail unless you have a LOGIN called group_Accounting
  CREATE USER user_Accounting FOR LOGIN group_Accounting;
  GO
  EXEC sp_addrolemember N'Public', N'user_Accounting';
  GO

  CREATE DATABASE HumanResources;
  GO
  USE HumanResources;
  GO
  -- This is going to fail unless you have a LOGIN called group_HumanResources
  CREATE USER user_HumanResources FOR LOGIN group_HumanResources;
  GO
  EXEC sp_addrolemember N'Public', N'user_HumanResources';
  GO

SQL Server

Best practices for taking on the DBA role as a developer - Armando Prato covers the basics of what it takes to go from developer to DBA. This is a good article and one that’s very near and dear to my heart since I’m pulling myself away from the development world and into the DBA world (I’m almost there!).

Auto generated SQL Server keys - uniqueidentifier or IDENTITY - Armando Prato (who gets a double dose of link love) wrote a pretty well-balanced article about a subject that is often a source of contention between DBAs and developers - primary key types. I have a very strong bias towards using IDENTITY columns, but this article presents both sides of the argument.

Graphical Exeuction Plans for Simple SQL Queries - Grant Fritchey has had an excerpt from his book, Dissecting SQL Server Execution Plans published on simple-talk.com. It’s a great read, especially if you, like me, have often wondered how to read an execution plan. I can’t claim to be an expert after reading this article, but I can claim to have a much better understanding.

Development

Composite Architecture - The Open Close Principle as applied to system architecture - Ayende Rahien weighs in with his opinions on unit testing and talks about how it’s possible to architect and build a system that doesn’t really need to be unit tested, well not nearly as much as a standard system.

Early Christmas Present from PowerShell Team: Community Technology Preview-3 (CTP3) of Windows PowerShell V2 It’s just what it says: PowerShell 2 CTP3 is out. Get it while it’s hot!

General

Your idea sucks, now go do it anyway - Jason Cohen talks about starting a company. Many companies start out with a completely different idea than the finished product. Oddly enough, he mentions a game that I used to play online - Game Neverending - which eventually became flickr.

Nuclear Urbanism - Geoff Manaugh highlights a cool Google Maps mash up that lets you see what an atomic weapon would do to your home city. This really brings the scary power of these things to light. Just some food for thought.

Web Persona and Your Career - Tom LaRock makes some great points about how to present yourself on the web. Ultimately it comes down to being yourself. As I’ve started writing more for this blog I’m finding more of my voice as an author and I’m getting comfortable enough to start trying different things. Time will tell, but the important part is to just be yourself.

A brief note: Due to the holidays and work there will be no real blog post this week. I’m working on several post ideas and should be fleshing them out over the 5 day weekend and returning with more content in the new year.

SQL Server

Cloud Computing and me - TJay Belt delivers the best look at cloud computing that I’ve read yet.

Some interesting affects of Table Partitioning - Kent Tegels discusses some interest side effects of partitioning tables and indexes.

The N pillars of a well built database? - Louis Davidson is in the process of re-working his book and is thinking out loud about what makes for good database design.

Development

Iron Python 2.0 has been released - Denis Gobo sums up the newest release of the Iron Python language. This is a big thing - dynamic languages have finally arrived on the scene in the .NET Framework.

Disable WiFi with PowerShell - Rob Farley demonstrates PowerShell’s amazing abilities by giving a quick demo of how to disable WiFi through PowerShell.

General

Fractal - Jason Santa Maria is a Graphic Designer with Happy Cog Studios and is an avid photographer. He showcases his work on his blog in the daily photo feature. He always has a fresh take on what is sometimes a very mundane subject.

Breaking the Rules - Jason Cohen gives several examples of people and companies who have broken all of the rules in grand ways and succeeded. His post can be summed up with this gem of a sentence: ‘There’s no rule that can’t be broken, so long as it’s broken with purpose.’

I stole this from TJay Belt. It seemed like a nice change of pace from the SQL shenanigans to

1. Who was your FIRST prom date?
Didn’t go to prom (they don’t have them in Scotland), but I went to my high school dance with a girl named Ashley.

2. Do you still talk to your FIRST love?
Sometimes, but it’s only via the internet.

3. What was your FIRST alcoholic drink?
Something horrendous, Cactus Juice, I think.

4. What was your FIRST job?
I mowed lawns when I was a kid.

5. What was your FIRST car?
1980 Ford Tempo All Wheel Drive

6. Who was the FIRST person to text you today?
Andy.

7. Who is the FIRST person you thought of this morning?
Apart from me, I think I wondered if my friend Dave was feeling better, he was sick yesterday.

8. Who was your FIRST grade teacher?
I can’t remember.

9. Where did you go on your FIRST ride on an airplane ride?
It was probably to Texas, but I don’t remember that either. I’ve been on a lot of airplanes.

10. Who was your FIRST best friend and are you still friends with him/her?
Matt Bartmes is the earliest best friend I can remember. Sadly we’ve lost touch.

11. What will be your FIRST thought when you wake up tomorrow morning?
Is it Friday? Seriously? That’s amazing.

12. Where was your FIRST sleep over?
I think it was at my house.

13. Who was the FIRST person you talked to today?
My co-worker Dave, not the Dave that was sick, but a different Dave.

14. Whose wedding were you in the FIRST time?
That would be my wedding.

15. What was the FIRST thing you did this morning?
At 3AM I stared at the ceiling for about 20 minutes. A few hours later I hit snooze a lot.

16. What was the FIRST concert you ever went to?
I can remember going to a Dire Straits show when I was pretty young.

17. FIRST tattoo or piercing?
I have a tattoo of a koi fish on my right leg.

18. Who was your FIRST kiss from?
Wow, umm… I don’t remember, that was a REALLY long time ago.

19. Who was your FIRST boss?
My first actual boss? Her name was Priscilla. That was when I worked at Subway.

20. When was your FIRST detention?
Probably in the fourth grade.

21. What was the FIRST state you lived in?
Illinois

22. Who was the FIRST person to really break your heart?
I can’t remember (I’m sensing a lack of a good memory as a theme). The earliest one I can remember is Lauren Hayes.

23. Who was your FIRST roommate?
Matt Fron at Ohio Wesleyan University