
Security - Fixed server (instance) roles:

Role: A role is a named set of permissions.

Principals: A principal is either a login or a user.
Securables: A securable is what you are going to secure, such as an instance, a database or tables.
1. DB Creator: A login that is a member of this role gets permission to CREATE, ALTER and DROP databases.
Ex:
CREATE DATABASE [DBNAME]
ALTER DATABASE [DBNAME] SET OFFLINE   -- or SET ONLINE
DROP DATABASE [DBNAME]
2. Security admin: A login that is a member of the security admin role can create logins, reset passwords, see all logins and read the error logs.
3. Server admin:
A login can restart the SQL Server services and change instance properties such as the authentication mode, memory settings, processor settings, number of database connections, etc.
4. Process admin: Can see the list of processes running in SQL Server, including system and user-defined SPIDs.
1-50: system processes
51 and above: user-defined processes
> User can also see Activity Monitor
> Can kill a process.
Note:
> User can kill only user processes, by using KILL SPID
> User cannot kill his own process
> User cannot kill system-defined processes [SPID 1-50]
5. Setup admin:
A login that is a member of setup admin gets permission to configure Database Mail and linked servers.
6. Bulk admin:
A login given the bulk admin permission can perform BULK INSERT \ UPDATE \ DELETE on SQL Server tables.
http://blog.sqlauthority.com/2008/02/06/sql-server-import-csv-file-into-sql-server-using-bulk-insert-load-comma-delimited-file-into-sql-server/

Example:

1. Create TestTable
USE TestData
GO
CREATE TABLE CSVTest
(ID INT,
FirstName VARCHAR(40),
LastName VARCHAR(40),
BirthDate SMALLDATETIME)
GO
2. Create a CSV file on drive C: named csvtest.txt with the following content. The location of the file is C:\csvtest.txt
1,James,Smith,19750101
2,Meggie,Smith,19790122
3,Robert,Smith,20071101
4,Alex,Smith,20040202

3. Now run the following script to load all the data from the CSV file into the database table. If there is an error in any row, that row will not be inserted, but the other rows will be inserted.
BULK INSERT CSVTest
FROM 'c:\csvtest.txt'
WITH
(
FIELDTERMINATOR = ',',
ROWTERMINATOR = '\n'
)
GO

7. Disk admin: [MDF, NDF, LDF]
A login given the "DISK ADMIN" permission can manage the disk files.
Ex: Moving the files from one drive to another drive
8. Sysadmin:
A login given sysadmin permission is an ADMINISTRATOR at the SQL Server level. The login can perform any activity within SQL Server without any limitations.
Note: sysadmin permissions should always stay with the DBAs; never grant the sysadmin role to any other team.

Note: If any other team needs sysadmin, ask for justification and approval from its management.
Note: Up to SQL 2008 R2 we have only fixed server roles, but from SQL 2012 onwards we have a new feature: we can create customized (user-defined) server roles.
9. Public:
This is the default role given to every login. Its main purpose is to give the login basic connectivity permissions to the instance. We cannot remove this role from any login.
===========================================
LEVEL 2: DATABASE ROLES:
1. DB_DATAREADER: User can only read data from the tables and can also see the list of tables.
2. DB_DATAWRITER: User can only perform data write operations on tables.
3. DB_DENYDATAREADER: User can never perform data read operations.
4. DB_DENYDATAWRITER: User can never perform data write operations.
Note:
When a login is given both sysadmin and a deny permission, sysadmin takes precedence and the deny permission does not work.
When a login is given both db_owner and a deny permission, the deny takes precedence and the db_owner permission does not work.
5. DB_OWNER: User has all permissions at database level, i.e. he is the owner of the database.
6. Backup operator: User can only perform backups of the database and trigger a checkpoint operation.
7. DDL admin: User can perform only CREATE TABLE, ALTER TABLE and DROP TABLE operations within the database.
8. Access admin: Can perform only user creation and user account deletion.
9. Security admin:
User can perform GRANT, WITH GRANT and DENY permissions.
With grant: can always grant the same set of roles to other user accounts.
================================
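Added example (not part of the original notes): an audit script for the two notes above, "sysadmin only for DBAs" and "deny beats db_owner". The approved-DBA list and its login names are constructed placeholders; the catalog views are the standard SQL Server ones.

```sql
-- Added example, not from the original notes.
-- Logins in @ApprovedDba are constructed sample values; replace with your own.
DECLARE @ApprovedDba TABLE (login_name sysname PRIMARY KEY);
INSERT INTO @ApprovedDba (login_name)
VALUES (N'EXAMPLE\dba_team'), (N'sa');

-- 1. Who is a member of which server role (fixed or user-defined).
SELECT r.name      AS server_role,
       m.name      AS member_login,
       m.type_desc AS login_type,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- 2. Enabled sysadmin members that are NOT on the approved DBA list.
--    Each row needs a justification and management approval, or removal.
SELECT m.name AS unapproved_sysadmin,
       m.type_desc,
       m.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
  AND m.is_disabled = 0
  AND NOT EXISTS (SELECT 1
                  FROM @ApprovedDba AS a
                  WHERE a.login_name = m.name COLLATE DATABASE_DEFAULT);

-- 3. Run inside each user database: users that are in db_owner AND in a
--    deny role. The deny wins, so the db_owner grant is not effective.
SELECT u.name  AS database_user,
       dr.name AS deny_role
FROM sys.database_principals   AS u
JOIN sys.database_role_members AS om  ON om.member_principal_id = u.principal_id
JOIN sys.database_principals   AS orl ON orl.principal_id = om.role_principal_id
JOIN sys.database_role_members AS dm  ON dm.member_principal_id = u.principal_id
JOIN sys.database_principals   AS dr  ON dr.principal_id = dm.role_principal_id
WHERE orl.name = N'db_owner'
  AND dr.name IN (N'db_denydatareader', N'db_denydatawriter');
```

A Windows group returned by query 2 grants sysadmin to every account in that group, so review the group's membership as well.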
