17.07.2015 Views

Download eBook (PDF) - Red Gate Software


2 – Data Classification and Roles

    -- These users have been determined to have access to highly sensitive data
    EXEC sp_addrolemember 'Sensitive_high', 'REAGANCX';
    GO
    EXEC sp_addrolemember 'Sensitive_high', 'WOLFBA';
    GO

Listing 2-5: Assigning members to the database roles.

Assigning Permissions to Roles

Permissions are used to define who can access specific objects within the database, and the data they contain. Without permissions to a database object, such as a table, view or stored procedure, an end user will not know that the object exists. Permissions can also define how a user interacts with the database object.

There are many defined permissions that allow the security administrator to exert fine-grained control over the objects that a given user or role can access, modify, or execute, and the data that they present. Broadly, we could split these into the following categories:

• Permissions to allow access to an object and the data it contains. This is also called DML (Data Manipulation Language). For example, granting permissions to execute a stored procedure or user defined function, select data from a table or view, and insert, update and delete data in a table.

• Permissions to allow management and control of an object and its properties. This is also called DDL (Data Definition Language). For example, granting permission to create a new object, modify it, or manage permissions of other users or roles to access the object.

While controlling the permissions to all database objects is important for the overall security of the database, our focus is in the protection of sensitive data and so we will be presenting specifically the ANSI-92 permissions that allow control over access to database objects and the data therein.

The ANSI-92 Permissions

The following is a list of permissions that are commonly referred to as ANSI-92 permissions:
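Added example, not from the book: it illustrates the "Assigning Permissions to Roles" section by granting data-access permissions to the Sensitive_high role, granting a management permission to a separate role, and then auditing the result. The tables dbo.Patient_Demo and dbo.Payroll_Demo and the role Schema_Steward_Demo are hypothetical; it assumes Sensitive_high and the database user WOLFBA already exist, that WOLFBA has no other grants or role memberships, and that the script is run by a database owner.

```sql
-- Hypothetical demo objects (not from the book).
CREATE TABLE dbo.Patient_Demo (Patient_ID int PRIMARY KEY, Diagnosis varchar(100));
CREATE TABLE dbo.Payroll_Demo (Employee_ID int PRIMARY KEY, Salary money);
CREATE ROLE Schema_Steward_Demo;
GO

-- Data-access permissions: members of Sensitive_high may read and change
-- rows in one table only. Nothing is granted on dbo.Payroll_Demo.
GRANT SELECT, INSERT, UPDATE ON OBJECT::dbo.Patient_Demo TO Sensitive_high;
-- An explicit DENY takes precedence over a GRANT inherited from another role.
DENY DELETE ON OBJECT::dbo.Patient_Demo TO Sensitive_high;

-- Management permission: a different role may alter the table definition
-- but receives no permission to read the data in it.
GRANT ALTER ON OBJECT::dbo.Patient_Demo TO Schema_Steward_Demo;
GO

-- Audit: list every object-level permission recorded for the two roles.
SELECT pr.name            AS principal_name,
       pe.state_desc      AS grant_state,
       pe.permission_name,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1   -- object or column securables
  AND pr.name IN ('Sensitive_high', 'Schema_Steward_Demo')
ORDER BY principal_name, securable, pe.permission_name;
GO

-- Check the effective result from the point of view of a role member.
EXECUTE AS USER = 'WOLFBA';
-- Catalog views only show objects the caller holds some permission on, so
-- under the assumptions above dbo.Payroll_Demo is absent from this listing.
SELECT name FROM sys.tables WHERE name LIKE '%[_]Demo';
-- Effective permissions on the table the role was granted access to.
SELECT HAS_PERMS_BY_NAME('dbo.Patient_Demo', 'OBJECT', 'SELECT') AS can_select,
       HAS_PERMS_BY_NAME('dbo.Patient_Demo', 'OBJECT', 'DELETE') AS can_delete;
REVERT;
GO

-- Clean up the demo objects.
DROP TABLE dbo.Patient_Demo, dbo.Payroll_Demo;
DROP ROLE Schema_Steward_Demo;
GO
```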
