SYSADMIN role and the ability to change database data - sql-server

Does the SYSADMIN role have the ability to access and change data in a database. For example can this role directly access the file and change a record from $1 to $10,000? Or could it create or escalate the permissions of a database user to then modify the amount? I am asking because I am trying to assess risk for a SOX significant system where there is a security issue with an account with that role but which only has the db_datareader role. Thank you in advance.

Does the SYSADMIN role have the ability to access and change data in a database.
A member of the sysadmin fixed server role has full control over the instance, and is exempt from all permissions checking. Also a sysadmin will always connect to user databases as dbo, who has full control over the database and is exempt from all database permissions checking.
The only way to protect data from a sysadmin is with AlwaysEncrypted which encrypts the data in one or more columns with a client-provided key.

Related

How to create snowflake security admin role and at same time restrict the permission only on one database

Environment: snowflake database.
i am trying to find a way to create a role which have security admin permission but should limit the permission only to specific database. is this doable or not? if so, anyone can help me on this? thanks so much.
Thanks, Alex
SECURITYADMIN is a role created by default in Snowflake and a lot of his permissions are not database-related (for example role and user management). Indeed most of the database-related grants belongs to SYSADMIN role.
So if you want to create a custom role having limited permissions on a specific database. You should list the permission which are database related and grant this permissions to the custom role.
For example if you want to give all privileges to a role on a specific database you can use :
GRANT ALL PRIVILEGES ON DATABASE my_db TO ROLE my_custom_role;
Roles are account-level, not db-level objects. So I am guessing you are trying actually to do the same role mgmt that SECURITYADMIN does, but at db-level. In that case:
use role SECURITYADMIN;
create role SECURITYADMIN_DB1;
grant create user, create role to SECURITYADMIN_DB1;
After that create Access Roles for your db:
https://docs.snowflake.com/en/user-guide/security-access-control-considerations.html#aligning-object-access-with-business-functions
Then assign all access roles to the custom SECURITYADMIN_DB1 role, so your role will manage that particular db only.

T-SQL grant login for attach or detach databases

I have a question about security in SQL Server.
Is it possible to create a login with only authorization to attach or detach databases?
I don't want it as sysadmin.
If you check the documentation, you will see that for attaching a database we need:
Requires CREATE DATABASE, CREATE ANY DATABASE, or ALTER ANY DATABASE
permission.
and for detaching:
Requires membership in the db_owner fixed database role.
If you check the security hierarchy and download the Chart of SQL Server Permissions, you can check what other permission a user will have if he has any of the above permissions.
For example, if he has ALTER ANY DATABASE:
Basically, these rights are on the top of the security hierarchy and if you allow a user the ability to attach database, ze will be able to do other operations overt it, too.
If you don't want to make the user member of sysadmin role, that's OK. You can make the user member of dbcreator role:

What permissions do I need on SQL Server to add a user to the db_datareader role?

I am attempting to create a user through the front end of my application and my user currently been given db_accessadmin and db_securityadmin roles on the database. However I'm getting the following error message
cannot alter the role 'db_datareader' because it does not exist or you
do not have permission
What is the minimum permission required at database level to be able to add users to this role?
To be able to assign logins to database fixed roles, one needs to be member of the db_owner fixed database role, and been member of the db_securityadmin is not enough. (from here)

How to create a read-only server role on SQL Server 2012?

I am granting the "View any database" permission when creating a new server role, but realized this permission only allows the user to view the system databases.
I am trying to create a server role that is read-only and can read any database.
Is there a way to create a user-defined server role to read user databases? Or do I have to do this through user mapping per user?
So, no is the answer, you can't assign database level permissions to server level roles, you can't even add a server role to a database role, which I find really frustrating as I've tried to do the same thing as you.
The way I ended up doing this was not by using a server role at all, I did the following:
Created an AD group for each server that I wanted read only access for
Created a login on the server for the group
Assigned the login to the db_datareader role on the model database
Assigned the login to the db_datareader role on all the pre-existing databases
Added my windows users into the AD group
This way, you can simply assign (or train your servicedesk folks to assign) users who need read only access to all databases on a server to the AD group, plus, as the role is set in the model database, they will have access to all newly created databases on the server too.

Grant user DDL permissions on specific schema

Using SQL Server (2008), is it possible to grant a specific user full control of the objects under a specific schema? This includes create/drop/alert table. Its important that this user isn't not given db_ddladmin role because that would give him access to other tables.
You can create a role in the database, assign all appropriate permissions(SELECT, UPDATE, DELETE, EXECUTE, etc.) to the role, and then assign the user to that role.

Resources