Tag Archives: idera

8 steps to moving database users from SQL 2005 to SQL 2008

Have you ever had to complete an upgrade where you had to uninstall SQL Server 2005 and install SQL Server 2008 on the same box? If so, how do you make sure the new install had the same security objects?  For me, the answer was lets be safe instead of being sorry.  I would script out all the existing server and database security objects so they could be verified and implemented if needed.

Not only is this a good practice for migrating your servers but the following post could be useful for a security audit.   I also want to mention if you are allowed to install tools on the box you can download SQLPermissions its a free tool provided by Idera to generate a script to move security objects during a migration.
[Update 1/28/2012 – USER_NAME() was replaced with SCHEMA_NAME() in the Explicit Permissions section]
** Run scripts at your own risk. I don’t assume any responsibility for these scripts on being ran in your environment. As always, I recommend testing in development before running in production 🙂 **

Logins

The very first step to connecting to an instant of SQL Server is to connect or login. In order to connect you must have a login. Therefore, our first step will be to actually copy the logins. I know, you might already be wondering how do I get the passwords moved over for SQL authenticated logins? Microsoft has a KB article (918922) that walks you through this process. Make sure you checkout the remarks section before running the code on a production box.

Server Level Security

Logins are nice but actually useless unless they have access to connect. Therefore, we might want to allow these logins to connect. You might also want to make sure a subset of the accounts  have access to view the DMV’s. This and other server level permissions can be scripted out with the following code below.


SELECT	sp.state_desc,
	sp.permission_name,
	principal_name = QUOTENAME(spl.name),
spl.type_desc,
	sp.state_desc + N' ' + sp.permission_name + N' TO ' + cast(QUOTENAME(spl.name COLLATE DATABASE_DEFAULT) as nvarchar(256)) AS "T-SQL Script"
FROM sys.server_permissions sp
inner join sys.server_principals spl on (sp.grantee_principal_id = spl.principal_id)
where spl.name not like '##%' -- skip PBM accounts
and spl.name not in ('dbo', 'sa', 'public')
order by sp.permission_name, spl.name

Server Level Roles

Now that we can login we might want to take this to the next step. We may actually like to perform some actions. Well, if your instance includes third party application databases there could be a good chance that it depends on its login having sysadmin access. Yes, in case you were wondering this is poor security design but the point is your logins may depend on server level roles to have access to the database objects.  Here is a script you can use to script out server level roles.

SELECT  DISTINCT
QUOTENAME(sp.name) AS "ServerRoleName",
sp.type_desc AS "RoleDescription",
QUOTENAME(m.name) AS "PrincipalName",
m.type_desc AS "LoginDescription",
'EXEC master..sp_addsrvrolemember @loginame = N''' + m.name + ''', @rolename = N''' + sp.name + '''' AS "T-SQL Script"
FROM sys.server_role_members AS srm
inner join sys.server_principals sp on (srm.role_principal_id = sp.principal_id)
inner join sys.server_principals m on (srm.member_principal_id = m.principal_id)
where sp.is_disabled = 0
and m.is_disabled = 0
and m.name not in ('dbo', 'sa', 'public')
and m.name <> 'NT AUTHORITY\SYSTEM'

Database Level Security

Now that your logins can connect you need to make sure that they can connect to the databases you migrated over.  Remember those third party apps that skipped the process of doing a  security design?  They will use sysadmin access so database level security will be included.  Hopefully, your applications are not one of those. Just like server level security you can also have database level security. Make sure you run the script below and save your results.

SELECT  dp.state_desc,
dp.permission_name,
QUOTENAME(dpl.name)  AS 'principal_name',
 dpl.type_desc,
 dp.state_desc + N' ' + dp.permission_name + N' TO ' + cast(QUOTENAME(dpl.name COLLATE DATABASE_DEFAULT) as nvarchar(500))  AS "T-SQL Script"
FROM sys.database_permissions AS dp
INNER JOIN sys.database_principals AS dpl ON (dp.grantee_principal_id = dpl.principal_id)
WHERE dp.major_id = 0
and dpl.name not like '##%' -- excluds PBM accounts
and dpl.name not in ('dbo', 'sa', 'public')
ORDER BY dp.permission_name ASC, dp.state_desc ASC

Database Level Roles

Just like the SQL Server instance your database also has roles.  Many times I will see applications that don’t require sysadmin on the instance but do require db_owner access in the database.   This is also a bad security design practice as db_owner can do anything against that database. Hopefully, your application has object level explicit permissions as needed. Once again, I would recommend pulling this information in case its needed after your migration.

SELECT DISTINCT
QUOTENAME(drole.name) as "DatabaseRoleName",
drole.type_desc,
QUOTENAME(dp.name) as "PrincipalName",
dp.type_desc,
'EXEC sp_addrolemember @membername = N''' + dp.name COLLATE DATABASE_DEFAULT + ''', @rolename = N''' + drole.name + '''' AS "T-SQL Script"
FROM sys.database_role_members AS drm
inner join sys.database_principals drole on (drm.role_principal_id = drole.principal_id)
inner join sys.database_principals dp on (drm.member_principal_id = dp.principal_id)
where dp.name not in ('dbo', 'sa', 'public')

Database Level Explicit Permissions

Finally, we will get to the area of security where I hope to see many entries. If someone, tasked me with designing their the security model for their application I would make sure stored procedures controlled the data access and that application users could only execute the stored procedures. This way there would be very minimal risk of data loss as the users wouldn’t have direct access to the tables. They would only access data needed by the business logic provided in the database objects. You can pull this information from the code below.

SELECT    dp.state_desc AS "StateDescription" ,
dp.permission_name AS "PermissionName" ,
SCHEMA_NAME(obj.schema_id) AS [Schema Name],
obj.NAME AS [Object Name],
QUOTENAME(SCHEMA_NAME(obj.schema_id)) + '.' + QUOTENAME(obj.name)    + CASE WHEN col.column_id IS NULL THEN SPACE(0)           ELSE '(' + QUOTENAME(col.name COLLATE DATABASE_DEFAULT) + ')'      END AS "ObjectName" ,
QUOTENAME(dpl.name COLLATE database_default) AS "UserName" ,
dpl.type_Desc AS "UserRoleType" ,
obj.type_desc AS "ObjectType" ,
dp.state_desc + N' ' + dp.permission_name + N' ON '    + QUOTENAME(SCHEMA_NAME(obj.schema_id)) + '.' + QUOTENAME(obj.name)    + N' TO ' + QUOTENAME(dpl.name COLLATE database_default) AS "T-SQL Script"
FROM    sys.database_permissions AS dp
INNER JOIN sys.objects AS obj ON ( dp.major_id = obj.[object_id] )
INNER JOIN sys.database_principals AS dpl ON ( dp.grantee_principal_id = dpl.principal_id )
LEFT JOIN sys.columns AS col ON ( col.column_id = dp.minor_id  AND col.[object_id] = dp.major_id)
WHERE    obj.name NOT LIKE 'dt%'
AND obj.is_ms_shipped = 0
AND dpl.name NOT IN ( 'dbo', 'sa', 'public' )
ORDER BY    dp.permission_name ASC ,    dp.state_desc ASC

Orphaned users

If logins are not brought over correctly you may notice that they are not mapped correctly with the user account that exists in the database security (Logins section above should catch this).  The following is an explination that comes from BOL.

A database user for which the corresponding SQL Server login is undefined or is incorrectly defined on a server instance cannot log in to the instance. Such a user is said to be anorphaned user of the database on that server instance.

You can find and fix orphaned users by following the instructions provided here.

Validate User Accounts

Finally, yes when possible lets make sure the user accounts work.  I know this might be common sense but you don’t want to cut something over with out testing and verifying connectivity.

SQL PASS Summit 2010 on a Budget

The following is some information I would like to share with the community about how I plan to travel to Seattle for the SQL Server Pass Summit.  Please take my information with a grain of salt because this is the first time I am attending.  Everything below comes from research and tweets. If you are a regular please leave comments so others can see your travel tips.

Summit 2010

PASS%20Summit%20Banner%20300x300
Can we fast forward to November?

The SQL PASS Summit 2010 is the best opportunity for SQL Server DBA’s to connect, share and learn. Your first obstacle towards getting into the Summit is to well pay for general admission to the summit. You basically have two options here, either you pay the general admission fee (this is what I am doing this year) or you can get someone to sponsor you. A great option here would be your employer. Your employer also isn’t your only option for sponsorship. Speaking of getting someone else to sponsor you MSSQLTIPS and Idera is currently looking to send someone to PASS.  Give it a shot it could be you!

If you are paying for yourself you will want to pay ASAP because PASS has a sliding scale.  Just like many other conferences there is a price before sessions are announced and different prices as you get closer to the event.  You want to avoid paying at the door because the price is usually a lot more.

The following are some links that will help you save some money on attending the 2010 Summit.

How do I get there?

How you get to the PASS Summit will depend on your location and its distance to Seattle.  I  live in Wheeling, WV which is an easy hour drive to Pittsburgh so I will be flying.  If you are also flying you might want to checkout bing.com and setup email alerts to track the change in flight prices.  At this time I see that there are round-trip flights under $300 from Pittsburgh.

In order to travel through the Seattle Metro area check out the public transportation system.  It looks like they have bus, and a monorail.  The Seattle Center Monorail can take you from the airport to downtown for $5.00 round-trip.

Where Should I stay?

The PASS website recommends the following two hotels.

Looking at bing.com and  traveladvisor.com I found a few hotels within a miles of the convention center under $100 per night.  If you are trying to stretch your money I would recommend checking them out.

Do you have any friends that are attending PASS? If so, you might want to recommend sharing a room. This is a great way for you to split the costs of a hotel room.

Where should I eat?

If you are attending the Summit there is good news. Breakfast and Lunch is included daily. This means you will only have to worry about dinner.   There will also be some evening events where you might be able to snag a bite to eat.  On Monday night you can attend the PASS Summit 2010 Welcome Reception.  On Tuesday night you can also attend the Exhibitor Reception.

Another thought towards saving some $$ on dinner is to talk it up with the vendors.  They are there to get to know you and see if their products can solve your problems.  If your team has a budget for SQL tools (I really hope your team does) I bet you could convince a vendor to take you out to dinner.  Even if you don’t have a budget for SQL Tools I bet you could convince some vendors to take you out to dinner.  Remember most people in sales try to build relationships before they sell you on a product or idea.

Can you buy me a drink?

I never really was a big fan of beer and alcohol until I started my career in Information Technology (we will leave the company name out of this story). There were several internal functions to attend for networking and they all had beer.  I quickly noticed that all the bigwigs always had a beer in their hands. Being fresh out of college I followed suite and soon fell in love with beer (a trip with the wife to tour Samuel Adams in Boston also helped).

Anyways back to saving money. If you like to grab a drink (I defiantly fall into this category) it looks like its cheaper to go away from the convention center.

According to @SQLDBA its cheaper to go to the Tap House across the street from the convention center. If you also like to sample local beer the Rock Bottom Brewery is another  recommended place within walking distance from downtown.

What are your travel plans?

PASS Summit vets what am I missing? How else can people save some $$ on their quest to their first Summit conference? Let us know we are all looking forward to your recommendations.