SQL Server Database Permissions
- 11 Jan 2022
- 3 Minutes to read
- Print
- DarkLight
This documentation version is deprecated, please click here for the latest version.
SQL Server Database Permissions
- Updated on 11 Jan 2022
- 3 Minutes to read
- Print
- DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback
Decisions and SQL Server
Versions
Decisions can be used with SQL 2008 R2 or SQL 2012. With SQL 2012, there are increased restrictions on the default permissions for automatically setup users, so it is strongly recommended to use SQL authentication instead of SSPI.
Authentication
This doc entails the assignment of multiple Database-Level Roles when configuring the Decisions Database. For additional information regarding this subject, see Microsoft's Database-Level Roles documentation.
SSPI
See Microsoft Security Support Provider Interface documentation for further information.
SSPI, or Integrated Security, uses the Windows environment and users to identify rights and access to the SQL server system. This is commonly used in Active Directory or LDAP based enterprises to centralize control and access to systems and services.
SSPI can be used with the SQL server. Still, you must be aware of what user(s) on the server will be running the Service Host Manager service and ensure that the user is granted the appropriate permissions to run services and connect to SQL; please seek support from your IT administrator before using this configuration.
SQL Auth
For further information about SQL Auth and Authentication Types, see Choose an Authentication Mode documentation.
SQL authentication is a system of logging in users based on settings in the SQL server itself. This lacks central control but is very straightforward to configure. It is recommended to use SQL auth with SQL 2012 due to the increased security in SQL 2012.
Standard User
The Decisions installer and platform take care of most Database activities for an application. This includes many of the following:
Creating an initial Database or tablespace
Creating and altering tables
Configuration of Indexes
To perform these activities, the installer and service need to have the "db_creator" permissions on the Database.
Limiting User
There is the ability to create a limited user in the SQL server, but this requires doing some of the Database setup and configuration manually.
To configure Decisions in this manner, create a new Database in the SQL server. Once the Database is named, identify, or create a user that will use this Database. Using the tools, grant this user rights on the Database that was created.
Regarding Permissions
Due to the Flow Engine's dynamic nature, the rights to create and alter tables, and to execute stored procedures, are necessary.The following roles can be assigned as membership roles and do not need to be owned roles in SQL Server.
Note that the following three permissions are the lowest database permission levels that can be used for installing Decisions using SQL Server.
db_datawriter
db_datareader
db_ddladmin
These roles can be assigned as ‘membership roles’ and do not need to be ‘owned roles’ in SQL Server.
The Database user must also have the following explicit permissions on the Decisions Database:
ALTER ANY SCHEMA
EXECUTE
ALL (*see section below for more information)
Before installation and while Decisions is in use, the Database user must have all of the following permissions granted on the Decisions Database, either implicitly or explicitly:
Note
Configure this user’s default Database to be used in SQL Server, although this default DB does not need to be the same Database as Decisions is using.
If these permissions are not in place, Decisions will not install correctly and will not function correctly post-installation.
ALTER ANY SCHEMA
BACKUP DATABASE, BACKUP LOG
CONNECT,
CREATE DEFAULT, CREATE FUNCTION, CREATE PROCEDURE, CREATE RULE, CREATE TABLE, CREATE VIEW
EXECUTE
Enabling ALL
Note that the ALL permission has since been deprecated and can only be applied by using a query or through manual selection under Database Properties.
Via Database Properties
To enable ALL via Database Properties:
- Open and login to Microsoft SQL Server Management Studio.
- From the Object Explorer in Microsoft SQL Server Management Studio, right-click the desired Database and select Properties.
- Navigate to the Permissions page and select the desired User from the Users or roles list.
- From the Permissions for [username] list, check Grant for the following permissions, then click OK.
- Backup database, Backup log
- Connect
- Create default, Create function, Create procedure, Create rule, Create table, Create view
Via Query
To enable ALL via Database Query:
- From Microsoft SQL Server Management Studio, right-click the desired Database and select New Query.
- In the resulting Query tab, input the following text. Note on QueryRunning the following Query give the configured Account Admin permissions as well as the ALL permission. To properly set it up, set the primary database name, non-admin login name, non-admin login password, and non-admin user name values to respective values.
use <primary database name>; go CREATE LOGIN <non-admin login> WITH PASSWORD ='<non-admin login password>', DEFAULT_DATABASE = <primary database name>; go CREATE USER <non-admin user> FOR LOGIN <non-admin login> go GRANT ALTER ANY SCHEMA to <non-admin user> GRANT EXECUTE to <non-admin user> GRANT ALL to <non-admin user> EXEC sp_addrolemember N'db_datareader', N'<non-admin user>' EXEC sp_addrolemember N'db_datawriter', N'<non-admin user>' EXEC sp_addrolemember N'db_ddladmin', N'<non-admin user>' Select the Execute button from the top Action bar.
Open DecisionsServerInstaller.exe and select EDIT SETTINGS. From the Settings screen, edit the DatabaseConnectString so that the User ID and Password values match the non-admin user Account. Then, click Save.
Back on the primary Decisions Installer screen, select RESTART SERVICE then confirm with Yes.
Was this article helpful?
