Security is not just a DBAโs job.
If you write stored procedures, manage databases, or deploy code, you are responsible for security too.
This guide explains SQL Server security clearly, practically, and production-ready.
1๏ธโฃ Understanding SQL Server Security Architecture
SQL Server security works in two levels:
๐น Server Level
- Logins
- Server Roles
๐น Database Level
- Users
- Database Roles
- Permissions
๐ Login = who can enter SQL Server
๐ User = what they can do inside a database
2๏ธโฃ Creating Logins
Windows Login
CREATE LOGIN [DOMAIN\UserName] FROM WINDOWS;
SQL Login
CREATE LOGIN AppUser
WITH PASSWORD = 'StrongPassword123';
โ Never use weak passwords in production.
3๏ธโฃ Creating Database Users
USE MyDatabase;
CREATE USER AppUser
FOR LOGIN AppUser;
๐ Login exists at server level.
User exists at database level.
4๏ธโฃ Assigning Roles (Best Practice)
Instead of giving direct permissions, use roles.
Built-in Database Roles
- db_datareader
- db_datawriter
- db_owner
ALTER ROLE db_datareader ADD MEMBER AppUser;
๐ Always prefer role-based security.
5๏ธโฃ Grant, Deny, Revoke Explained
GRANT
Gives permission.
GRANT SELECT ON Orders TO AppUser;
DENY
Explicitly blocks permission.
DENY DELETE ON Orders TO AppUser;
REVOKE
Removes granted permission.
REVOKE SELECT ON Orders FROM AppUser;
๐ DENY overrides GRANT.
6๏ธโฃ Giving Permission to Execute Stored Procedures
Best practice: allow execution, not table access.
GRANT EXECUTE ON dbo.GetUserOrders TO AppUser;
โ Application accesses only procedures
โ Tables stay protected
7๏ธโฃ Avoid Giving db_owner to Applications
โ Many beginners do this:
ALTER ROLE db_owner ADD MEMBER AppUser;
This gives full control โ very risky.
๐ Principle of Least Privilege:
Give only what is required.
8๏ธโฃ Schema-Based Security
Instead of table-by-table permissions:
GRANT SELECT ON SCHEMA::Sales TO AppUser;
Cleaner. Easier to manage.
9๏ธโฃ Protecting Sensitive Data
Use Column-Level Permission
GRANT SELECT (OrderId, Amount)
ON Orders
TO AppUser;
Or Use Views
Create a view exposing only safe columns.
๐ Understanding Ownership Chaining
If stored procedure and tables have same owner:
โ User needs EXECUTE permission only
โ No direct table permission required
๐ Very powerful security model.
1๏ธโฃ1๏ธโฃ Check Existing Permissions
SELECT *
FROM fn_my_permissions(NULL, 'DATABASE');
Or check user permissions:
EXEC sp_helprotect;
1๏ธโฃ2๏ธโฃ Auditing Security
Track who has access:
SELECT
dp.name AS UserName,
dp.type_desc,
rp.name AS RoleName
FROM sys.database_role_members drm
JOIN sys.database_principals dp
ON drm.member_principal_id = dp.principal_id
JOIN sys.database_principals rp
ON drm.role_principal_id = rp.principal_id;
1๏ธโฃ3๏ธโฃ Real Production Mistake Example
โ Issue
Application accidentally deleted production data.
๐ Root Cause
App user had:
db_owner role
โ Correct Setup
- Remove db_owner
- Grant EXECUTE only
- Restrict DELETE permission
1๏ธโฃ4๏ธโฃ Secure Stored Procedure Pattern
CREATE PROCEDURE dbo.InsertOrder
@UserId INT,
@Amount DECIMAL(10,2)
AS
BEGIN
SET NOCOUNT ON;
INSERT INTO Orders(UserId, Amount)
VALUES (@UserId, @Amount);
END
Then:
GRANT EXECUTE ON dbo.InsertOrder TO AppUser;
โ No direct table access
โ Controlled insert
1๏ธโฃ5๏ธโฃ SQL Server Security Checklist
โ Use strong passwords
โ Avoid db_owner for apps
โ Use roles, not direct permissions
โ Grant EXECUTE instead of table access
โ Audit permissions regularly
โ Follow least privilege principle
โ๏ธ Conclusion
Security is not optional.
A single wrong permission can destroy production data.
As a SQL Server developer with serious experience, mastering security makes you:
โ More trusted
โ Production-ready
โ Architect-level professional