Managing Security

The operations of any business are a coordinated system of people, equipment, furniture, facilities, and activities. While providing the functional necessities that allow employees to do their jobs, the system has controls to ensure that certain activities are performed only by individuals with the proper authority and expertise. For example, salary increases and bonuses are usually determined or approved only by the person responsible for the affected budget.

The same is true for company information. Some information can be shared with anyone in the company, or even with the general public. More sensitive and confidential information is kept in locked file cabinets or underground vaults. A person must have the proper credentials to access this information.

Although the term security is commonly used in the context of theft prevention, it can also save people from making costly mistakes; placing an important file folder in a locked cabinet, for example, prevents someone from mistakenly recycling it with the rest of the scrap paper in the office. Within the operations of a company, a database provides a mechanism to store, manage, and control information; the database becomes the locked cabinet.

It may be reasonable for a database developer to trust that coworkers will use the database only as it is intended to be used; that they will use only the intended applications to access data; and that those applications are properly designed and implemented to work correctly in the database. In this case, the simplest security mechanism is to give everyone full access to everything in the database.

However, a well-intentioned coworker experimenting with Microsoft® SQL Server™ may log in and accidentally delete a year’s worth of sales transactions. Users may also attempt to gain unauthorized access to sensitive personnel or customer data. Finally, miscommunication between the database developer and the application developer may result in the application deleting all active customer information when the user intended to delete inactive customer data. Unintentional mistakes and unauthorized data access can come at a high cost to a company.

It is critical that a database developer make no assumptions regarding what users will be doing in the database. In addition to controls built into applications, the database itself must have a solid security system to control what activities can be performed and what information can be seen and changed. This approach to security ensures the protection of data, regardless of how users get into the database or what they do while there.

This section describes the security tools built into SQL Server version 7.0, and includes information about:

  


(c) 1988-98 Microsoft Corporation. All Rights Reserved.