FMS President Luke Chung wrote a new paper on improving Microsoft SQL Server security by using database users rather than server logins:
Microsoft SQL Server Database Users and Permissions Instead of Server Logins.
Here’s an overview:
Microsoft SQL Server Security Logins Introduction
To connect to a Microsoft SQL Server database, it requires a login which includes a user name and password. Each database server has a login with administrator permissions that allows the creation and deletion of databases.
Often, this login is distributed which creates a security problem. Developers and end-users shouldn’t have administrator permissions to perform their tasks. Their permissions should be managed for each database.
Database User Permissions
Microsoft SQL Server makes it easy to create and manage database permissions. The permissions you grant are called roles and users are able to have multiple roles. Here are some examples of the permissions you are able to assign to users.
Full Database Permissions (Owner)
This allows the database developer full rights to make modifications to the database objects.
Editing Permissions (Writer)
End-users who need to add, delete and change data in user tables.
Read Only Permissions (Reader)
Only allows the end-user to view data in the user tables.
Read our Microsoft SQL Server Users and Permissions paper for more information on how to do this and some pitfalls to avoid. It applies to SQL Server whether it’s installed on premise or in the Azure cloud.