Having flown a fair amount lately, I was thinking about the various levels of security within an airport. Part of that comes from seeing signs like the following all over the place.
These signs are placed in various places for very good reason. But seeing a sign such as this made me wonder about the various access levels in an airport and how they might relate to the database world.
Let’s start with some of the zones that might be recognizable in an airport. First there is the ticketing counter. This is a general access area open to the public. Anybody can approach a ticketing counter whether they are intending to purchase a ticket or not. Another area similar to this is frequently the baggage claim area. These are common areas and generally less secure than other areas.
Next, you might encounter the concourses. Only ticketed passengers and authorized airport personnel may enter these areas after some degree of screening. From these areas you have greater access to the airplanes. You have been explicitly granted permission to enter an aircraft and are required to have a separate pass for each craft you desire to board. If I were to correlate this to security in SQL server, this would most closely match the db_datareader database role – for which explicit permission has to be granted for the user in order to access each additional database.
From this same area you may witness that there are several aircraft crews. Each member filling a specific role. There is a pilot, copilot, flight attendants and ground crew. Each role may have different access throughout the airport. And in the case of the flight crew, they have to be given access to each plane they will board. A United Airlines flight crew cannot go and pilot a British Airways craft for instance – they are responsible for specific flights belonging to UA.
Another potential role is that of the control tower. The personnel manning the tower have access to quite a bit more than a pilot or passenger. They have access to communications between all flights and the ground within their airspace. They are coordinating efforts and trying to make the whole thing go smoothly. These guys are much more like the specialized server roles in SQL Server. They can be passengers and have public access. They can also assist in the piloting of a craft (if you believe what you see in the movies) while giving instruction for flight path, landing and takeoff.
The point is, there is highly segregated roles in an Airport and in the air when an aircraft is involved. The same should be true in a database environment. There are special server roles that include public, sysadmin, securityadmin, and diskadmin (amongst others). Then there are specific database roles that come prepackaged as well as the ability to create any number of specific roles that you need to run your environment.
Now let’s step back out again to the airport example and the public access areas. These are the least secure areas. Also, there is a group of people that we should call public. I am a part of this particular group. Every person that enters an airport is a member of this group. The crew piloting a craft is a member of this public group, but they are also members of other more restricted groups.
Being a member of just the public group does not get me permission to enter the pilots cabin. It does not grant me permission to enter the flight control tower. It does not even grant me permission to stand behind the ticket counter. You wouldn’t want just any old Joe Schmoe entering those particular areas – so they become more secure. And the public group is denied access.
Back to the public server role in SQL Server. This role is granted VIEW Any Database as well as Connect, but by default is limited to just those permissions. Can that be changed? Sure – just like I could walk behind the ticket counter or walk into a pilots cabin (the flight staff may occasionally allow you to take a peek – typically children though).
Just because it can be changed – doesn’t mean it should be done. In the example of me taking a peek into the Pilots cabin, that is a one person permission being granted. If I granted that permission to the public role in SQL Server, now everybody can do that same thing. So think about it for a minute, do you really want everybody being able to change the schema in your database if you decide to grant alter any to public? I really doubt it.
A good rule of thumb with the public role is to leave it be. Do not add permissions to this role. Add permissions on a per database and per group of users basis. Create roles within the database and grant permissions to that role – in each database. And remember the rule of least privilege – don’t grant more permissions to a user/role than necessary to perform the job function. Just the same as in an airport – everybody has their role and it is strictly defined. If the user need not have access – then don’t grant the permissions.
I want to re-iterate that point. To help prevent unauthorized access, keep permissions in the public role to a minimum and create roles within the database to manage the different job functions as necessary/possible.
