Document: Programming Microsoft SQL Server 2000 with Microsoft Visual Basic .Net - P5


using the OPENROWSET function because the linked server syntax is more straightforward, and you no longer have to perform the first two steps. Create a linked server for a remote or heterogeneous data source with the sp_addlinkedserver system stored procedure. This procedure can take as many as seven arguments, but you can use as few as two arguments for creating a reference to a remote SQL Server source and as few as four arguments for a linked server pointing to an Access data source. After correctly initializing the linked server reference with the sp_addlinkedserver system stored procedure, invoke sp_addlinkedsrvlogin for mapping logins on the current SQL Server 2000 instance to logins for the remote or heterogeneous data source. When a user runs a query on the local server against the linked server, the local server logs in to the linked server with the credentials specified when the sp_addlinkedsrvlogin system stored procedure was last run for the linked server. You can invoke the sp_linkedservers system stored procedure to itemize in a result set the linked servers defined on a local server.

Security for Virtual Directories

Virtual directories are necessary for Web data access to SQL Server data sources via XML. Each database that requires Web access via XML must have a virtual directory pointing to it. As described in the “Virtual Directory Management” section of Chapter 6, you must designate a login for the virtual directory. All access to the database is mapped through the login that you specify on the Security tab of the Properties dialog for a directory. Figure 7-1 shows the Properties dialog box used for the MyNwind virtual directory that served as the source for most of the samples in Chapter 6. Notice that the Security tab specifies IUSR_CCS1 in the User Name text box.
The User Name text box contains the login name for the virtual directory. Selecting Windows as the Account Type automatically installs IUSR_servername as the login. Windows 2000 Server automatically installs the IUSR_servername user account. IIS automatically uses this Windows user account for anonymous login. Since the samples for Chapter 6 ran from a server named ccs1, the dialog replaced servername with CCS1.

Figure 7-1. Use the Security tab for a virtual directory to specify the login by which users of the virtual directory will gain access to a SQL Server.

If you decide to allow access to your database through the IUSR_servername Windows account, you must manually create a login for the Windows user on your SQL Server instance. Then you must create a user security account in the database to which the virtual directory points. Finally, you must assign permissions to the IUSR_servername security account appropriate to the needs of your application. For example, if you want to enable browsers to read from any row source in the database, you can assign the IUSR_servername user account to the db_datareader fixed database role. If you have more restrictive requirements, use the T-SQL GRANT statement to specify more granular permissions, such as the ability to view just one table or view. Make sure the database has permissions for the public role that don’t allow the IUSR_servername account to access the database with a different set of permissions than the one you specify explicitly for the virtual directory user account. When you decide to permit updates, inserts, and deletes to a database through a virtual server, the user security account for the virtual directory’s login must enable these actions.
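The three steps above (login, database user account, permissions) and the public-role check, written out as T-SQL. This is an added example, not a script from the book; it assumes the virtual directory points to the Northwind database and that Shippers, Orders, and Employees stand in for the objects your application does and does not need.

```sql
-- Added example, not from the book's sample files.
-- Assumptions: the virtual directory maps to the Northwind database, and
-- the Web application only reads Shippers and reads/inserts Orders.

-- Step 1: create a login for the Windows account that IIS uses
-- for anonymous access (IUSR_CCS1 on the server named CCS1).
EXEC sp_grantlogin 'CCS1\IUSR_CCS1'
GO

-- Step 2: create the user security account in the target database.
USE Northwind
EXEC sp_grantdbaccess 'CCS1\IUSR_CCS1'
GO

-- Step 3, broad option: read access to every row source.
-- Left commented out so that only the granular grants below apply.
-- EXEC sp_addrolemember 'db_datareader', 'CCS1\IUSR_CCS1'

-- Step 3, granular option: name each object and each action.
GRANT SELECT ON Shippers TO [CCS1\IUSR_CCS1]
GRANT SELECT, INSERT ON Orders TO [CCS1\IUSR_CCS1]
GO

-- Check: every user account belongs to the public role, so any
-- permission granted to public also reaches IUSR_CCS1. List them.
EXEC sp_helprotect NULL, 'public'
GO

-- If public holds permissions the Web account should not inherit,
-- revoke them (Employees is an assumed example). This affects every
-- user that relied on public, so grant those users access explicitly.
REVOKE ALL ON Employees FROM public
GO

-- Confirm what the virtual directory account holds explicitly.
EXEC sp_helprotect NULL, 'CCS1\IUSR_CCS1'
GO
```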
My advice is to carefully restrict the row sources that you make available for updating over the Web. Avoid assigning the IUSR_servername account to the db_datawriter fixed database role. Instead, assign INSERT, UPDATE, or DELETE permissions with the T-SQL GRANT statement for whichever database objects require modification over the Web.

Samples for Logins and Users

Login and user security accounts complement one another. Recall that a login authorizes access to a server, but a user account grants access to a database on a server. The users of your applications typically need both types of security accounts to access a database on a SQL Server instance. In addition, there are two distinct types of logins. The samples in this section explore the different kinds of logins for SQL Server and how they relate to user security accounts. All the scripts in this section are in the LoginAndDropUsers.sql sample file.

Add a SQL Server Login and User

Recall that a login gets a user into a server but not necessarily into any databases on the server. This is because a login typically requires a matching security account for each database to which a user is to have access. However, there are two ways in which a user can access a database without a user account for the database. First, the database can have a guest account. The user will then enjoy any permissions assigned explicitly to the guest account or indirectly to the guest account through permissions for a database’s public role. Second, if a login is a member of the sysadmin fixed server role, it can access any database on a server without any restrictions on its functionality. For this reason, you want to limit the number of logins with membership in the sysadmin role.
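One way to survey both routes on a server, as an added example that is not from the book's sample files. It reads only the SQL Server 2000 system tables syslogins, sysdatabases, and sysusers; the #GuestEnabled table and db_cursor cursor are names made up for the example.

```sql
-- Added example, not from LoginAndDropUsers.sql.
-- #GuestEnabled and db_cursor are names invented for this example.

-- sysadmin route: logins that can enter any database without restriction.
SELECT loginname, isntname, isntgroup
FROM master.dbo.syslogins
WHERE sysadmin = 1
ORDER BY loginname

-- guest route: databases in which the guest user account is enabled,
-- so any login without its own user account still gets in.
CREATE TABLE #GuestEnabled (dbname sysname NOT NULL)

DECLARE @db sysname, @sql nvarchar(1000)

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM master.dbo.sysdatabases
    WHERE DATABASEPROPERTYEX(name, 'Status') = 'ONLINE'

OPEN db_cursor
FETCH NEXT FROM db_cursor INTO @db
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME guards against database names that contain
    -- quotes, brackets, or spaces.
    SET @sql = N'INSERT #GuestEnabled (dbname) SELECT '
        + QUOTENAME(@db, '''')
        + N' FROM ' + QUOTENAME(@db) + N'.dbo.sysusers'
        + N' WHERE name = ''guest'' AND hasdbaccess = 1'
    EXEC (@sql)
    FETCH NEXT FROM db_cursor INTO @db
END
CLOSE db_cursor
DEALLOCATE db_cursor

SELECT dbname FROM #GuestEnabled ORDER BY dbname
DROP TABLE #GuestEnabled
GO

-- To close the guest route in a user database, first give each login
-- that needs access its own user account, then run in that database:
--   EXEC sp_revokedbaccess 'guest'
-- The guest account in master and tempdb cannot be removed.
```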
If you need to carefully specify how the user of a login can interact with a database, you must create a user security account for the login in the database.

Invoke the sp_addlogin system stored procedure to create a new SQL Server login. With the sp_addlogin system stored procedure, you can create a login that SQL Server manages. When users attempt to gain access to a SQL Server instance with this login, they must explicitly designate both the login name and its associated password. To create a SQL Server login, you must be a member of either the sysadmin or securityadmin fixed server role. Any user can change her own password with the sp_password system stored procedure. Only members of the sysadmin and securityadmin fixed server roles can invoke sp_password to change the password for a login different from their own.

Note: While a SQL Server login enables a user to connect to a SQL Server instance by specifying a login name and password, it is the SID (security identifier) that SQL Server uses to identify and track the user. SQL Server internally generates a GUID to represent the SID for SQL Server logins.

Invoke the sp_grantdbaccess system stored procedure to create a user security account in a database for a login. Only members of the sysadmin fixed server role as well as the db_owner and db_accessadmin fixed database roles can run sp_grantdbaccess. Before running sp_grantdbaccess, make sure the database context is set to the database in which you want to create a user security account. For example, invoke the USE statement for a database name before running sp_grantdbaccess.

The following T-SQL script uses sp_addlogin to create a new SQL Server login. It is mandatory to specify the @loginame and @passwd arguments for the sp_addlogin system stored procedure.
You can optionally specify several other arguments to change the default settings derived from your SQL Server configuration. For example, the script demonstrates the syntax for designating a default database of Chapter07, the sample database for this chapter. If the script didn’t make this assignment for the @defdb argument, the default database would have been the master database. The master database is one of the built-in databases that SQL Server uses to administer itself. While all users require access to this database, you probably don’t want to make it the default database for typical users.

Notice that the script explicitly references the master database before invoking sp_addlogin. This reference isn’t strictly necessary since you can create a login security account from any database on a server. However, the sample script invokes the USE statement two more times, and these two references are necessary. You must invoke the USE statement before running the sp_grantdbaccess system stored procedure. Recall that this system stored procedure creates a user security account. Setting the database context before invoking sp_grantdbaccess determines the database for which the system stored procedure creates a user security account.

    --LoginAndDropUsers
    --Create a SQL Server login with access
    --to the Chapter07 and Northwind databases.
    USE master
    EXEC sp_addlogin
        @loginame = 'vbdotnet1',
        @passwd = 'passvbdotnet1',
        @defdb = 'Chapter07'

    USE Chapter07
    EXEC sp_grantdbaccess 'vbdotnet1'

    USE Northwind
    EXEC sp_grantdbaccess 'vbdotnet1'

The vbdotnet1 login doesn’t strictly require a user security account for the Northwind database because this sample database has a guest account, and the public role for the database grants permissions to all database objects in the initial version of the database. However, creating a user account for the vbdotnet1 login allows you to remove the guest account for the database and still maintain data access privileges. In addition, a user account for the vbdotnet1 login enables a database designer to fine-tune the permissions available to the login relative to other database users.

Remove a SQL Server Login and User

In the normal course of database management, it becomes necessary to remove as well as add database users. Since a SQL Server database user has two different security account types, you must remove both to flush a user completely from a database server. To prevent orphaned user accounts, SQL Server doesn’t allow you to delete the login for a user without deleting the user accounts associated with that login. Removing the user accounts without eliminating their login still allows a user to access a database server, and the login can access any databases with a guest account.

Note: In addition to being unable to remove a login with one or more associated user accounts, you cannot remove a login that is currently in use, owns a database, or owns a job in the msdb database. A job is a sequence of steps for automating a task that is defined in the msdb database, one of the built-in databases that SQL Server uses to manage itself.
As mentioned previously, you can never remove the sa login from a SQL Server instance.

Before you attempt to remove a login, it’s useful to survey any user security accounts associated with the login. This permits you to make sure that you can remove all of the user security accounts associated with a login before attempting to remove the login. Invoke the sp_helplogins system stored procedure with the name of the login for which you’re seeking information, as shown in the following code. The system stored procedure returns a result set comprising two recordsets. The first recordset contains a single row for the login that you specify. The second recordset contains a row for each user account associated with the login named as the argument for the sp_helplogins system stored procedure. If you don’t specify a login name as an argument when you invoke sp_helplogins, the system stored procedure still returns two recordsets. However, these recordsets return information for all the logins on the current SQL Server instance.

    --Return info about a login, including
    --its database user accounts.
    EXEC sp_helplogins @LoginNamePattern = 'vbdotnet1'

Figure 7-2 shows the two recordsets that result from running sp_helplogins vbdotnet1 after first invoking the script in the preceding section. The first recordset starts with the login name followed by a partial display of the login’s SID. The next two columns indicate the default database and language for the login. The next-to-last column, AUser, is yes when the login has at least one corresponding user account. The last column, ARemote, indicates whether the login specifies a remote login for a linked server. The second recordset provides information about each user account for the login.
The first and third columns denote, respectively, the login name and the user name. By default, these are the same, but you can override this convention. The second column designates the database to which the user account belongs. The last column specifies whether the user account is for an individual user or a role.

Figure 7-2. Use the sp_helplogins system stored procedure to learn about a login on a database server.

Armed with the information in Figure 7-2, you can construct a T-SQL script like the following to remove the vbdotnet1 security accounts from the server. Start by invoking the sp_revokedbaccess system stored procedure in each database with a user account for the vbdotnet1 login. Specify the user account name as the argument for the sp_revokedbaccess system stored procedure. Notice that the script invokes sp_revokedbaccess twice—once in each database for which the vbdotnet1 login has a user account. The script closes by running the sp_droplogin system stored procedure. This system stored procedure requires just one argument specifying the name of the login to remove. The permissions for removing user accounts and logins match those for adding them: a login attempting to remove a login must be a member of the sysadmin or securityadmin fixed server role to run sp_droplogin.

    --Drop a SQL Server login,
    --first revoking its user accounts.
    USE Northwind
    EXEC sp_revokedbaccess 'vbdotnet1'

    USE Chapter07
    EXEC sp_revokedbaccess 'vbdotnet1'

    EXEC sp_droplogin @loginame = 'vbdotnet1'

Adding and Removing Logins for a Windows User

Managing a login based on a Windows user account for Windows NT, Windows 2000, or Windows XP is similar to managing a SQL Server login. By a Windows user account, I mean the account by which Windows validates a user.
From a user perspective, the main difference is that a login based on a Windows user account doesn’t have to specify a login and password when connecting to a SQL Server instance. For a database user with a login based on a Windows user account, all a user has to do is select the Windows Authentication option in the Connect To SQL Server dialog box of Query Analyzer. If the target SQL Server instance has a login for the Windows user account, the connection attempt succeeds. However, a member of the sysadmin group must first create a login for the Windows account in order for the attempt to succeed.

The process for creating login and user security accounts based on a Windows user account is similar to that for managing SQL Server logins. When creating a login for a Windows user account, invoke the sp_grantlogin system stored procedure to create a login for the Windows user. When you designate a login name for a Windows user account, the name must have two parts delimited by a backslash (\). The part before the backslash is the name of the Windows server. The part after the backslash is the name of the Windows user.

The sp_grantlogin system stored procedure is analogous to the sp_addlogin system stored procedure. Both of these system stored procedures create a new login. SQL Server saves both of the logins in the syslogins table. SQL Server also reports both types of logins in the same column of the result set from the sp_helplogins system stored procedure. However, the login created with sp_grantlogin is authenticated by a Windows 2000 or Windows NT server. When a Windows user attempts to connect, SQL Server stores the Windows security identifier for the Windows user. The Windows security identifier is analogous to the SQL Server SID.
However, the Windows security identifier is managed by the Windows server, and the Windows security identifier is longer than the SQL Server SID (85 bytes for Windows and 16 bytes for SQL Server).

After you create a login for a Windows user account, the login cannot connect to any database without a user security account unless the database has a guest account. You can create a user security account for a login based on a Windows user account with the identical procedure for a SQL Server login. First, set the database context for the user security account. For example, invoke the USE statement to specify the name of the database for which you want to create a user account. Second, run sp_grantdbaccess with the name of the login as its argument.

The following short script demonstrates the syntax for creating a login based on a Windows user account. The Windows user account resides on a Windows 2000 Server named CCS1. The name of the account on the Windows server is winvbdotnet1. The last two lines of the script create a user security account in the Chapter07 database based on the login created with sp_grantlogin.

    --Create a Windows login with
    --access to Chapter07 database.
    EXEC sp_grantlogin 'CCS1\winvbdotnet1'
    USE Chapter07
    EXEC sp_grantdbaccess 'CCS1\winvbdotnet1'

Note: If the Windows user account is for a Windows server that isn’t a domain server but merely an application server, you must create a local account on a Windows NT Workstation or Windows 2000 Professional client computer with the same name and password as on the Windows server.

Removing the login is a two-step process because the login has a single user security account associated with it. First, remove the user account for the Chapter07 database.
The system stored procedure for eliminating a user security account based on a login for a Windows user account is the same as for deleting a user account based on a SQL Server login. Second, revoke the login. When dropping a login, you use a different system stored procedure for one based on a Windows user account than for one created by SQL Server. Here is the T-SQL code for implementing the steps.

    --Drop a Windows login with sp_revokelogin,
    --but first revoke its user accounts.
    USE Chapter07
    EXEC sp_revokedbaccess 'CCS1\winvbdotnet1'
    EXEC sp_revokelogin 'CCS1\winvbdotnet1'

Who’s Using Your Application?

By now, you should feel comfortable with the idea that there are actually two reasonable answers to this question. The first answer is the login name. This name identifies a user as she enters a SQL Server instance. The second answer is the name of the user security account. This identifies a user within a database. If a login doesn’t have a user security account assigned explicitly to it for a database and the database has a guest account, the login can enter the database with the guest user account.

SQL Server 2000 offers two built-in functions for telling you the login name and user account name of the user performing a task in your database. The SYSTEM_USER function returns the login name. The CURRENT_USER function returns the user account name. Before discussing a listing to clarify the operation of these functions, I want to mention the DB_NAME function. When you enter DB_NAME() in a SELECT statement, it returns the name of the current database.

The following short script invokes the SYSTEM_USER and CURRENT_USER functions in three different databases—master, Northwind, and Chapter07. If you run this script after connecting to a SQL Server instance with the CCS1\winvbdotnet1 login, you obtain an identical result set from each SELECT statement.
However, two different values are displayed for the CURRENT_USER function. In the master and Northwind databases, the CURRENT_USER function returns guest. In the Chapter07 database, the CURRENT_USER function returns CCS1\winvbdotnet1. This is because the login has a user account named after it in the Chapter07 database.

    --Demonstrate functions telling who's using a database.
    USE master
    SELECT DB_NAME(), SYSTEM_USER, CURRENT_USER

    USE Northwind
    SELECT DB_NAME(), SYSTEM_USER, CURRENT_USER

    USE Chapter07
    SELECT DB_NAME(), SYSTEM_USER, CURRENT_USER

Processing Logins Based on Windows Groups

In addition to basing a login on an individual Windows user account, you can also create a login for a Windows group account. The latter type of Windows account provides a single name for referencing more than one individual Windows account. When you create a login based on a Windows group, all the individual members of the group inherit the login assigned to the group. In addition, you can create separate logins for a subset of the individual members of a Windows group. These logins for individual Windows accounts complement the login based on the Windows group account by providing an alternative route into a SQL Server instance and the databases on it.

The sample for this section works with a Windows group named winvbdotnet. The group contains two individual Windows user accounts named winvbdotnet1 and winvbdotnet2. All the accounts reside on a CCS1 Windows 2000 server. The following T-SQL script shows the code for creating distinct logins for the Windows group and the individual Windows accounts that belong to the Windows group.
After the execution of the script, both the winvbdotnet1 and winvbdotnet2 users connect to the SQL Server instance with their own logins as well as the login for the Windows group. In addition, both individual Windows user accounts have their own user accounts in the Chapter07 database, and the Windows user accounts map to the Chapter07 user account for the Windows group.

    --Create login for winvbdotnet Windows group.
    EXEC sp_grantlogin 'CCS1\winvbdotnet'
    USE Chapter07
    EXEC sp_grantdbaccess 'CCS1\winvbdotnet'

    --Also create logins for group members individually.
    EXEC sp_grantlogin 'CCS1\winvbdotnet1'
    EXEC sp_grantdbaccess 'CCS1\winvbdotnet1'
    EXEC sp_grantlogin 'CCS1\winvbdotnet2'
    EXEC sp_grantdbaccess 'CCS1\winvbdotnet2'
    GO

There are actually two ways to make a login unavailable for use. First, you can run the sp_revokelogin system stored procedure as demonstrated in the preceding section. This approach removes the login for the Windows user from the database server. With this approach in the current context, revoking the CCS1\winvbdotnet1 Windows user login still permits the winvbdotnet1 Windows member of the winvbdotnet group to connect to the database server. This capability is possible because the Windows user can access the database server through the login for the winvbdotnet Windows group.

The following script shows the syntax for a second approach. It denies login permission to an existing login—in this case, the one for the winvbdotnet1 Windows user. This approach still permits the winvbdotnet2 Windows user to access the database server. However, by denying the login permission for the CCS1\winvbdotnet1 login, the script overrides the ability of the winvbdotnet1 Windows user to access the database server through the CCS1\winvbdotnet login.
    --This does not affect winvbdotnet2,
    --which is a member in winvbdotnet group.
    EXEC sp_denylogin 'CCS1\winvbdotnet1'
    GO

The following one-line script blocks the winvbdotnet2 Windows user from accessing the database server. The logins for the winvbdotnet1 and winvbdotnet2 Windows users are still on the database server. In addition, the CCS1\winvbdotnet login still authorizes its members to log in to the server. A deny setting (instituted by the sp_denylogin system stored procedure) for the individual Windows accounts overrides the access granted by the sp_grantlogin system stored procedure for the CCS1\winvbdotnet Windows group account. This general rule is true for all permissions. A deny setting overrides a grant setting.

    --This does affect winvbdotnet2,
    --which is a member in winvbdotnet group.
    EXEC sp_denylogin 'CCS1\winvbdotnet2'
    GO

To remove the logins for the individual Windows users and the Windows group to which the users belong, you should revoke the database access to the user security accounts corresponding to logins. Then you can revoke the specific logins for the Windows users and Windows group. The following script shows the syntax for accomplishing these tasks. While the sp_denylogin system stored procedure disables a login from accessing a server, this system stored procedure doesn’t remove the login from a SQL Server instance—instead, you need the sp_revokelogin system stored procedure to accomplish the task.

    --Cleanup account settings.
    USE Chapter07
    EXEC sp_revokedbaccess 'CCS1\winvbdotnet'
    EXEC sp_revokedbaccess 'CCS1\winvbdotnet1'
    EXEC sp_revokedbaccess 'CCS1\winvbdotnet2'
    EXEC sp_revokelogin 'CCS1\winvbdotnet'
    EXEC sp_revokelogin 'CCS1\winvbdotnet1'
    EXEC sp_revokelogin 'CCS1\winvbdotnet2'
    GO

Samples for Assigning Permissions

This section demonstrates the essential T-SQL statements for organizing permissions within a database.
Specific techniques exist for object and statement permissions. In addition, the final topic in the section reveals how to manage permissions when a user account can possess a permission directly as well as indirectly through its membership in one or more Windows accounts or SQL Server roles.

The samples in this section rely on a version of the EmailContacts table. The “Scripting Tables” section of Chapter 2 initially presented the T-SQL code for this table. For the purposes of this chapter, you can re-create this table in the Chapter07 database simply by changing the references to the Chapter02 database in Chapter 2 to the Chapter07 database. A copy of the modified code exists in the sample file CreateEmailContactsTable.sql for your easy reference.

This section also relies on the existence of the four logins with their matching user security accounts created so far in this chapter. Recall that one login is a SQL Server login (vbdotnet1), another two are Windows user logins (CCS1\winvbdotnet1 and CCS1\winvbdotnet2), and a fourth login is a Windows group login (CCS1\winvbdotnet) comprising each of the two Windows user accounts. This section presents the T-SQL code for assigning permissions to the user accounts for the logins. The permissions relate to the EmailContacts table. Therefore, create the EmailContacts table with a member of the sysadmin fixed server role, such as the Windows Administrator user account or the SQL Server sa login.

Select, Insert, and Delete Permissions for a Table

To evaluate the effect of permission assignments, you will need two concurrent active connections to your database server.
Connect once as a member of the sysadmin fixed server role, and connect a second time with a SQL Server login—namely, vbdotnet1. Note that if you ran the code shown earlier to drop the vbdotnet1 login account, you’ll need to rerun the code that creates the account. To confirm that the user account for the vbdotnet1 login has no permissions in the Chapter07 database, attempt to run the following script with the user account for the login. Notice that the attempt returns an error message saying, in effect, that SELECT permission is denied on the EmailContacts object in the Chapter07 database.

    --SelectInsertDeletePermission
    --The SELECT succeeds if the user has
    --SELECT permission.
    USE Chapter07
    SELECT * FROM EmailContacts

To remedy the error condition, you need to assign SELECT permission for the EmailContacts table to the vbdotnet1 user account. From your session initiated by a sysadmin member, run the following line of T-SQL. You must invoke this line of code from your session for the sysadmin role member. You can also always assign permissions from a session with any member of the db_owner fixed database role. Sessions for selected other user accounts will work in special circumstances; see the “GRANT” topic in Books Online for details. Recall also that members of the sysadmin role have permission to perform all tasks on a database server.

    --Assign SELECT permission for the EmailContacts
    --table to the vbdotnet1 user account.
    GRANT SELECT ON EmailContacts TO vbdotnet1

Notice that you can assign a SELECT permission with the GRANT T-SQL statement. The sample in the preceding T-SQL statement uses the SELECT keyword. This keyword denotes the permission to run a SELECT statement, such as the sample to select all columns for all rows from the EmailContacts table.
You can optionally assign INSERT, UPDATE, DELETE, and REFERENCES permissions for a table. When concurrently assigning more than one permission, delimit the items in your list of permissions with commas. After the permissions, use the keyword ON and then specify the row source, which is the EmailContacts table in this demonstration. Conclude the GRANT statement with the TO keyword followed by the account to which you are granting permission. The preceding GRANT statement designates the user security account for the vbdotnet1 login. You can alternatively specify a SQL Server role for one or more user accounts or the user security accounts for a Windows user or a Windows group account.

[...]

...y of languages, but pure Visual Basic isn’t one of them. The closest you can get is VBScript. Furthermore, the Visual Basic development environment isn’t suitable for creating ASP Web pages. Some Visual Basic developers adopted Visual InterDev, and these developers could use the Visual InterDev developm...

...ime ASP.NET is an integral part of IIS 4, just as IIS 3 hosts the ASP object model. In addition, ASP.NET can interact with SQL Server through the .NET Framework data providers. (See Chapter 11.) Figure 8-1 shows a simplified schematic of the path from source code in Visual Basic .NET (or another runtime-compliant language) through to interactions with SQL Ser...
iders for SQL Server and OLE DB data sources. The SQL Server provider offers substantial performance advantages because of its optimization for SQL Server 7 and SQL Server 2000. In addition, ASP.NET is a part of the .NET Framework that IIS hosts. ASP.NET is the next generation of development techniques for those creating solutions with ASP now. In order for ASP.NET pages...

anding of its basic workings. Chapters 2 through 7 provide a foundation in SQL Server that will serve you especially well for data access and manipulation tasks, as well as related data definition tasks. Chapter 1 introduces you to beginning Visual Basic .NET and ADO.NET techniques so that you have some context for understanding how to apply the SQL Server 2000 topics present...

Chapter 8
Overview of the .NET Framework

This book is aimed at professional developers who have an interest in programming SQL Server 2000 with Visual Basic .NET. Up to this point, the book’s focus was primarily on SQL Server. I believe that you cannot optimally program SQL Server in any language...

controls you use on Web Forms.

Note: Visual Basic developers migrating to ASP.NET from ASP may notice that a couple of familiar tools are gone. First, you no longer code solutions in VBScript—as indicated above, you can create both Windows and Web solutions with Visual Basic .NET. Second, Visual InterDev is gone too. Now you can use the same Visual Studio .NET development env...
fine-tune the code for optimal performance. Each fine-tuning adjustment requires a new compilation. In spite of all the differences between ASP and ASP.NET, there are many similarities. You can run ASP and ASP.NET pages side by side on the same Web server. Your ASP Web pages have an .asp extension. Your ASP.NET pages will typically have an .aspx extension. This side-by-side...

Namespaces for Database Developers

| Name | Summary |
| --- | --- |
| System.Data | Represents mostly elements in the ADO.NET architecture |
| System.Data.SqlClient | Represents elements in the SQL Server .NET data provider |
| System.Data.SqlTypes | Represents elements for SQL Server native data types |
| System.Data.OleDb | Represent... |

advantage of Visual Basic .NET for creating SQL Server solutions, you need this background. Chapter 1 starts to convey this background, and this chapter finishes the task so you are ready to dig into the .NET Framework code samples throughout the rest of the book. Visual Basic .NET is one of the core programming languages for the .NET Framework, which Microsoft defines...

in the preceding paragraph

• ASP.NET separates page design and program logic into two separate but related files. This ends the need to mingle HTML layout code and program logic code in the same file.
• You can create ASP.NET Web solutions with Visual Basic. No longer do you have to develop in another language that is almost like Visual Basic, namely, VBScript.
• In addit .

-- LoginAndDropUsers
-- Create a SQL Server login with access
-- to the Chapter07 and Northwind databases.
USE master
EXEC sp_addlogin @loginame = 'vbdotnet1',.

for one created by SQL Server. Here is the T-SQL code for implementing the steps.

-- Drop a Windows login with sp_revokelogin,
-- but first revoke

Date posted: 24/12/2013, 02:18
