Principals are the Active Directory identities. Each is associated with a SID (Security Identifier). When mixed authentication is configured on MSSQL, it is possible to authenticate with either local users or domain users.
The scope of a principal depends on where it is defined:
At the abstract level there is the Windows Server, then the SQL Server instance, and then a database. In addition, SQL Server logins exist at the instance level and are mapped to database users.
When the labuser connects as a Windows account to the Windows server, they use the SQL Server login defined on the instance, which is in turn mapped to a database user.
<aside> ⚠️ SQL Login is for Authentication and SQL Server User is for Authorization.
Authentication decides whether we are allowed to access the server. Authorization decides which operations we can perform in a database.
</aside>
Multiple users from different databases can be mapped to a single login on a server:
MSSQL Server has 9 fixed server roles (their permissions cannot be changed, except for public), and users can also define other roles.
Each member of a fixed server role can add other logins to that same role:
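The following T-SQL is an added audit example, not part of the original notes. It reviews the authentication mode, the instance-level principals and their SIDs, who sits in each fixed server role, and how logins map to users in the current database. It assumes it is run by a login that can see all principals (for example a sysadmin or one with VIEW ANY DEFINITION).

```sql
-- 1) Authentication mode: 1 = Windows authentication only, 0 = mixed mode
--    (Windows accounts and local SQL logins are both accepted).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2) Instance-level principals with their SID.
--    type: S = SQL login, U = Windows login, G = Windows group, R = server role
SELECT name, type_desc, sid, is_disabled, is_fixed_role
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G', 'R')
ORDER BY type_desc, name;

-- 3) Members of the fixed server roles. Every login listed here can add
--    further logins to the same role, so each row deserves a review.
SELECT r.name      AS server_role,
       m.name      AS member_login,
       m.type_desc AS member_type,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.is_fixed_role = 1
ORDER BY r.name, m.name;

-- 4) Login-to-user mapping for the current database, joined on SID.
--    A NULL server_login means no instance-level login has that SID
--    (for example an orphaned user, or a built-in user such as guest).
SELECT DB_NAME()    AS database_name,
       dp.name      AS database_user,
       dp.type_desc AS user_type,
       sp.name      AS server_login
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G')
ORDER BY dp.name;
```

Run query 4 once per database (after `USE <database>`) to see every user that a single login is mapped to.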