DallasDBAs.com

SQL Server Database Consulting

SQL

SQL 101: The SQL Server Security Model

by 5 Comments

The SQL Server Security model has a lot of moving parts to it.  Some friends of mine are so expert in it that it is their primary function on the DBA team they work for.  My friend (and recently minted Data Platform MVP) Kenneth Fisher (b|t) regularly presents on it.

Fear not!  There are a couple of key concepts that you have to get down early in order to not drown in all the other stuff.

As with most of my other 101 posts, this occurred to me while riding my bike.  Road bike…the only thing that occurs to me when mountain biking is “don’t hit that tree.”

Imagine if you will, that you own a house.

Because you are the owner, you have a key to the house.   You can do anything you want in any room of the house.  You decide who else gets keys, and what they can do inside.  We’ll assume your significant other also has a key and equal rights to all rooms.

Now just for kicks, lets assume you have 2 kids.  Suzie and Little Bobby Tables (Bobby for short).  Since mom and dad work, Suzie and Bobby also both have keys so they can get inside after school.   However, they are not allowed into each other’s rooms, nor are they allowed to change the locks, paint the walls or use the stove.  Because reasons.

So, 4 people can enter the house.   2 can do whatever they want, 2 have some restrictions.   Simple enough?

In the SQL Server security model the above translates as follows:

  • House – an instance of SQL Server
  • Keys to the house – Logins
  • Mom and Dad – Logins with sysadmin role (God rights…)
  • Suzie and Bobby – Logins without sysadmin
  • Rooms – databases

You have to have a key/Login, to even open the door/connect to the instance.

You need specific permissions to access a database/room.   Bobby is not allowed in Suzie’s room and vice-versa.  Neither kid is allowed in dad’s man-cave, but mom is.

Suzie and Bobby need to be granted access to use a database/room, so they are created as USERS in the database.   Mom and Dad do not explicitly need to be granted as USERS in any database, because they own the place and can do whatever they want at the server/house or database/room level.

If Uncle Joe is coming for a visit, he would also get a key/LOGIN and access to the rooms/databases he will be using.   When he leaves, he gives his key back (USER/LOGIN removed).

If you want, imagine Bobby has a brother and they share a room.  In their room there are two beds.  They don’t share and they don’t switch.  In this example the beds are database objects such as tables.  You can grant or deny access down to that level as well.

So, LOGIN is created first (can’t go into a room until you get in the house). USER access for non sysadmins is created next at the database level.  Inside the database, you GRANT or DENY permissions to objects in the room (if you choose).   You can get very, very granular if your application/employer requires it.

This is high level overview, with a lot of specifics left out.  Such as, give LOGINs to Groups (preferred, instead of individuals), server and database roles, etc.   Just knowing the difference between LOGIN and USER puts you ahead of non-DBAs who use the terms interchangeably.  Login can be either Windows based or created within SQL Server depending on how the instance is configured and your security teams requirements.

Hope this makes your life easier!  Comments are welcomed.

Update:   My Apprentice astutely made the observation that a physical or virtual server with more than one SQL Server Instance installed would be a “neighborhood” in this example.   Would that make a Failover Cluster a duplex? 🙂   Would a multi-tenant database be an apartment building?

Thanks for reading,

Kevin3NF

 

 

The Apprentice: Intro to Troubleshooting

by Leave a Comment

Just for kicks (and because I hadn’t prepared my intro to Indexes…), I broke The Apprentice’s database (dbname MoreCake if you are following along) when he wasn’t looking.

I had told him I was going to break something, just to watch him try to sort it out, so he knew it was coming.

Before we got started, I changed the name of the data file from MoreCake.mdf to MoreCake .mdf.

His steps:

  • Start SQL Services…notice it come up fine
  • Notice MoreCake came up “Recovery Pending”
  • Verify Restore is an option
  • Take offline
  • Try to bring online
  • Read error message after online failure (OS error 2, file not found)
  • Look in Windows Explorer, squint, remove space
  • Refresh database and smirk at me.

Elapsed time from start services to smirk?  3 minutes.

Me: Jaw on ground.

If you add it all together and are generous, he has maybe 4 days of training including videos.

I know some DBAs that would never have noticed the extra space.

3 minutes.

We went on to look at ERRORLOGs, talk about what is contained in the master database, and a little bit of creating a database with a bunch of records to start off Index training in our next session.

And then I deleted MoreCake along with all Backup and Restore history when he went to grab a soda.  Still GUI, and with no backup history to populate it he figured out to go to devices and browse for the most recent .bak file.

3 minutes.   Smart dude.

Thanks,

Kevin3NF

 

PowerShell for DBAs – why I changed my mind.

by 3 Comments

Quick post today…

I have been saying for several years that I don’t really need PowerShell to be an effective DBA.  In most places that is true, but becoming less so.

I’ve resisted writing complex PS scripts for administration, as most Junior and Mid-level DBAs don’t know it, so I don’t want to leave a client in the lurch with code their staff cannot understand.

I’ve only once in an interview been asked if I know PS.  “No” was a perfectly acceptable answer.

Things change.

2 very solid reasons (there are others) that every DBA should be learning and using PowerShell:

1 – Its very useful for admin at the O/S level.

At my current client I am team lead of System and SQL Admins, along with doing any of the work that comes our way.  This means we need to be able to manage the modest server farm we have.  Its big enough that we can’t log onto every server every day, but small enough nobody wants to buy a proper monitoring toolset.  So…PS to the rescue!

One of our tasks is to manage the Event Logs and deal with Warnings and Errors that come up.  I wrote this script to dump the last 7 days to a file we can work with.  This has since been updated many times, and now uses a different CmdLet.   One of my DBAs wrote a script that checks drive space on all servers and sends a color-coded email daily.   Much of this came from Googling, which is perfectly fine.

2 – Its on the 2016 certification exam now (probably).

Course 20764B: Administering a SQL Database Infrastructure has Powershell as an objective:

  • Managing SQL Server using PowerShell

While the Exam 764 “Skills Measured” section doesn’t specifically call PS out, its very likely to be there.

For those new to SQL or getting certified to help your career grow, just go ahead and add PS to your toolkit.  You are going to need to at least be able to read a script, and will probably be expected to know the SQL Server Module’s CmdLets, if not more.   Just do it.

Thanks,

Kevin3NF

The Apprentice: Self-teaching mode, on…

by Leave a Comment

My last lesson with The Apprentice was basically pointing him to a very good DB Fundamentals MVA.   I told him a few sections to skip and what to focus on and asked him to make a list of the things that needed clarification.  DB Design was off the list, since we are still navigating SSMS, working through Recovery Models, etc.

When I checked in with him Sunday, he had independently gone through the previously mentioned MORECAKE database of his music collection, added every song from his favorite band (manually), added an album table to the design, and created a view on a view.

When we created this DB, it just had artist and song tables.   He has already picked up the idea of logical groupings of related records, and joining the tables by ID columns.  One small fix to the Song table, and showing him a view can have more than 2 tables and his logic worked perfectly.  He even spent quite a bit of time on his own Googling for the best way to get his view to work before bringing me into it.

Gotta say, I’m thoroughly impressed with the initiative!  I left him with: “Figure out why the SQL Agent isn’t working in SSMS” so we can start learning to automate the backups.

He’s got the potential to go quite far with this…

Kevin3NF

 

The Apprentice: SQL Server edition

by Leave a Comment

Not sure if this will be a series, but it could be.  Or not.  Names may or may not be changed to protect the innocent.  Stories may be edited or embellished as I see fit, and for your amusement…

A young person (minor) that is not really sure what he wants to do for a career came to me asking about what I do.   He’s an enthusiastic gamer and self-declared introvert (with a few very extrovert qualities).  Not particularly fond of school, but does well due to a high intellect. Like off the charts IQ high…

After explaining what I do as a DBA (automate everything so I can nap…), we decided to enter into an apprenticeship arrangement, wherein he learns and I exploit him for profit and untold riches.

What I didn’t realize is how much training material I would be creating along the way.  I am hoping this can be re-used for others that have seen the DBA light and want to enter the fold.

I have a rough outline of the path I intend to take him down, with the goal of him being able to get a Uber-Junior DBA position when he hits 18-ish. Part-time if he starts college classes, full-time if not.  I will probably deviate from this quite a bit to keep it fun and fresh.

Lesson one:  we started with “Database Fundamentals for n00bs”…definititions, history, basics.   There’s a PowerPoint, but its not published yet…I may use it for presentations someday.

Lesson 2: Super basic installing SQL Server Dev edition video.  This went smoothly on my laptop (see video), but not on his…we installed and uninstalled a dozen times, including backing up to SQL 2014 Dev.   Eventually we got a clean install (5 days later).

Lesson tres: “A guided tour of SQL Server Management Studio, but only the stuff you will use the most frequently.”  Long title, short class.

Lesson IV: “Hey, lets create a database, back it up, mess it up, and restore it!”  We probably had way more fun making and breaking this than we should have.  Hint: database name was MORECAKE.  Clearly, it stored music information with Artist and Song tables.

Lesson 6 minus 1: I sent him a link to a MVA Database Fundamentals video, with instructions to make notes on anything he didn’t understand.

That’s all so far…keep coming back for more as I remember to write them.

Kevin3NF

T-SQL Tuesday: Connect item – Last Log Backup Time

by 1 Comment

T-SQL Tuesday is a blog party started by Adam Machanic (b/t) over five years ago. The first Tuesday of each month a blogger hosts the party and suggests a topic. Then anyone who is interested blogs on that topic on the second Tuesday. It can be a lot of fun and quite a challenge to blog on a topic you didn’t pick.

This month’s topic is presented by Brent Ozar (b/t), who has challenged us to find our favorite Bug report or feature request on MS Connect and write about it.

I don’t have a lot of experience with Connect, other than landing there from Google a few times while researching stuff.   I’m pretty sure I’ve never filed a report or request.  So, I just went looking through the latest requests and found one concerning “Check the time for the latest log backup” from none other than Ola Hallengren (w).

Ola’s feature request is:

I would like to ask for a way to check when the last log backup was performed.

His reasoning for the request:

This enables you to have a backup strategy with more frequent transaction log backups when there is a lot of activity in the database.

And his proposed solution:

Add a new column to sys.dm_db_log_space_usage or sys.database_recovery_status called LastLogBackupTime.

I LOVE this idea…back up the T-log more frequently during busy times, less often during off hours.  At my current client, there is almost nothing happening outside of a 12 hour workday window, so this would be perfect here.

Now, I am possibly misunderstanding Ola’s request or the intent…and that’s ok.  This query from the msdb..backupset table already contains this info via a relatively short amount of code:

Use MSDB
go

Select
    [Database_Name] as [Database Name],
    DB_id([database_name]) as [DB ID],
    Max(backup_Start_date) as [Last log backup]
From
    msdb..backupset bs
Where 1=1
    and db_id([database_name]) is not null
    and type = 'L'
Group by 
    [database_name]
Order By 
    Max(backup_start_date)

This returns a result set of:

So…the info requested can already be gathered.  There may very well be other ways to do this, or querying this table may be deprecated.  It seems that Ola is looking for a cleaner solution by adding to an existing System View in MSDB in order to more easily tie it to log size.

I do know and respect Ola’s maintenance scripts, so I have posted a comment on the Connect item asking for some clarification. And, I have voted it up.  I encourage YOU to do the same….as this simple request is probably going to wind up in his scripts 🙂

Thanks for reading!

Kevin3NF

Home Blog About Privacy Policy