Search results matching tags 'T-SQL' and 'SQL Server 2008 R2'

Server level permissions for developers–why you should read books

rodak.p@gmail.com — Mon, 02 Jan 2012 03:05:00 GMT

It is quite difficult recently for me to find some time to write a new post, so I don’t seem to be leading the rankings of the most frequent bloggers. I rarely recently have opportunity to lay my hands on the code too, so natural sources of ‘inspiration’ are less often. Hopefully this will change in 2012 and I will have more opportunities to write something useful.

In a big enterprise the roles of server users are usually more distinguished than in smaller companies. You have DBAs, developers and business users. Each of these roles has generally different goals and different rights when it comes to connecting to the database servers. Large organizations tend to implement service oriented approach to processes, which means that various teams are responsible for executing various tasks ordered by other teams. In the case of developers and DBAs, the latter are responsible for all maintenance and management tasks on servers which are ‘owned’ by developers. Such organisation of work often results in sealing off developers from the maintenance related activities, such as creating databases or snapshots, running traces, viewing server state and troubleshooting blocks and deadlocks. This approach unfortunately, while imposes more order to the server utilization and prevents accidental failures, tends to slow down the development process, sometimes preventing any work from being done by significant number of developers for time anything from few minutes to few hours. This is a waste of time and money of course. In my case, development team wanted to have right to kill user sessions on development servers. You know, sometimes there is a process that takes a lot of time and locks, or there is an open transaction keeping schema locks all over the place and and the owner of it is gone for the day without committing it.

Problem is, that to be able to kill a session, you have to be a sysadmin, processadmin, or have ALTER ANY CONNECTION right granted to you at server level. Obviously, in certain environments these permissions are not the ones DBAs want to give to ~~random people~~ developers. If you GRANT ALTER ANY CONNECTION to a login, this login can kill some important sessions, not only the runaway ones. It may break audit, scheduled maintenance, backups, other teams ETL processes – just imagine your mailbox – it ain’t gonna look pretty. It would be much better to be able to grant login right to kill only spids belonging to certain users or working on certain databases. How can you eat the cake and have the cake?

I remembered that I had read about this idea in one of the books, namely Expert SQL Server 2005 Development by Adam Machanic, Lara Rubbelke and Hugo Kornelis. This is an excellent book, you should really read it if you haven’t yet done so. There is a chapter in the book, discussing the security features introduced in SQL Server 2005. These features allow architects to design more versatile and complex applications without jeopardizing security requirements. As you know, the security model in SQL Server 2005 has been completely revamped, for example the notion of the schema was separated from the ownership and database user. There are more features, one of most important probably is the ability to sign stored procedures with certificates and to create logins and users from the certificates. The discussion about security architecture and certificates is huge and going beyond scope of this post. One of the starting points you can check out is the MSDN article "Securing SQL Server”.

In short, if you were to grant server wide elevated rights to certain groups of users, how would you do it? Here’s a little shopping list:

Create a certificate
Create a login from the certificate
Grant ALTER ANY CONNECTION to the login
If you want to have the procedure in database other than master, you must copy the certificate to this database. You do it with backup-restore technique.
Create a user for the login
Create stored procedure that will issue KILL command
Sign the procedure with the certificate
Grant EXECUTE on the procedure to developers.

Here are some highlights of the solution. I attach the testing code at the end of the post as usual.

Sample code for creating certificate and the login is as follows.

 ---create certificate that the procedure will be signed with
create certificate kill_session_certificate
    encryption by password = '1410SomeReallyStrongPassword2011!'
    with subject = 'Enable KILL through procedure'
go
---create login that will be granted right to kill sessions
create login kill_login from certificate kill_session_certificate
go
 
--licence to kill
grant ALTER ANY CONNECTION to kill_login
 

This is the stored procedure developers can call to kill sessions.

 create procedure killsession(@sessionid int)
as
begin
    /* Piotr Rodak: procedure calls KILL command. Must be signed by certificate to work.*/
    print 'killsession: executing as ' + suser_name()
    declare @command varchar(300)
    set @command = 'kill ' + convert(varchar, @sessionid)
    print @command
    ---you can filter only sessions running on certain databases here.. 
    
    exec(@command)
    
    ---you can add logging here.. 
    print 'killed session ' + convert(varchar, @sessionid)
end
 

You can create the procedure in any database, but if you choose a database different than master you have to copy the certificate from master to the target database.

And here’s code to sign the procedure:

 ---sign the procedure with the certificate
add signature to killsession by certificate kill_session_certificate
with password ='1410SomeReallyStrongPassword2011!'
 

Since you are executing the command wrapped into a stored procedure, you have potential to implement additional audit, like grab execution plan or some other performance indicators of the server at the moment when the command is issued. This can be extremely helpful for troubleshooting reasons. I think this is pretty cool.

Here’s the testing script.

Enjoy.

OUTPUT clause and windowing functions

rodak.p@gmail.com — Sun, 31 Jul 2011 20:55:00 GMT

A few days ago I was asked a question how to remove duplicates from a table. As usually in such cases, the duplicate values were related only to several columns, not all of them. So classical approach, to copy distinct data into temp table, truncate the table with duplicates and then copy the data back wouldn’t work. In such cases I find one of the windowing functions, row_number() to be the easiest to use. You just define criteria of numbering of rows and then you remove all rows are not first in their partition. Let’s have a look how it works.

First, let’s create and populate sample table:

 if object_id('tempdb..#t') is not null
        drop table #t
 
create table #t(Id char(3), randomData uniqueidentifier default(newid()))
 
insert #t(Id) 
values
('123'), ('124'),
('133'), ('133'), ('133'),
('141'), ('141'),
('121'), ('121'),
('145'), ('145'),
('152')
 
select * from #t
 

When you run the query, you should see result similar to the following illustration:

Deleting duplicates is pretty straightforward. You define partitioned row numbering and then you delete all rows that have row number bigger than 1:

 ;with dupes as 
(
    select *, row_number() over(partition by Id order by Id) as rn
    from #t
)
delete dupes
where rn > 1
 
select * from #t
 

As you see, the duplicates were removed.

The execution plan for the above statement is pretty straightforward:

The most interesting operator in this plan is the Sequence Project operator. It adds the calculated row number to the output, based on the criteria that you pass to the row_number() OVER clause. Here we partitioned the input by column Id which causes the row number to be restarted from 1 whenever new Id is encountered in the input. The row number is returned as result of internal function row_number, which you can see in the following picture:

On the left to the Sequence Project operator you can see Filter operator. This operator filters the input based on the certain predicate. You can see in the picture below, that Filter operator allows to pass though only rows that have Expr1004 > 1.

You can check that in this particular case only five rows were let through and subsequently deleted. Two with Id 133, one 141, one 121 and one 145.

What if you want to look at the rows that are deleted? Let’s repopulate the table and run the delete statement, this time with the OUTPUT clause:

 truncate table #t
 
insert #t(Id) 
values
('123'), ('124'),
('133'), ('133'), ('133'),
('141'), ('141'),
('121'), ('121'),
('145'), ('145'),
('152')
 
 
;with dupes as 
(
    select *, row_number() over(partition by Id order by Id) as rn
    from #t
)
delete dupes
output deleted.*
where rn > 1
 

The OUTPUT clause allows you to return rows from pseudo-tables inserted and deleted, the same that you have access to in triggers. You can return these rows to the client or to a temporary table or table variable for further processing, or audit. Let’s have a look at the execution plan.

What’s this?! The Sort, Segment and Sequence Project operators where added second time to the plan! When you look at their details you will see that they have exactly the same predicates and conditions as the set on the right-hand side of the Filter operator. The difference is that they are applied to the data stream returned by the output clause. You can verify this looking at the results returned by the statement:

Have you noticed something? the rn column contains values 1 and 2, while it should contain only values 2 and 3, because this is what the Filter operator allowed to flow through. This is the evidence that the new operators work on the output data stream. You can see that they work on 5 rows, the ones that were deleted:

It is obvious that if you use output clause on queries that otherwise perform very well, you may run into problems. When you have many rows, the Sort operator can become a bottleneck when it is executed twice. The example also shows that the row number identifier of the row is not reliable within boundaries of single query. This may become an issue for you, if you want to identify rows based on the output from an update or delete statement.

From purely performance point of view, what can you do to avoid these additional operators? The answer is simple – don’t return the row_number() column in the OUTPUT clause.

 truncate table #t
 
insert #t(Id) 
values
('123'), ('124'),
('133'), ('133'), ('133'),
('141'), ('141'),
('121'), ('121'),
('145'), ('145'),
('152')
 
 
;with dupes as 
(
    select *, row_number() over(partition by Id order by Id) as rn
    from #t
)
delete dupes
output deleted.Id, deleted.randomData
where rn > 1
 

As you see in the snippet above, I explicitly return columns from the deleted table and I don’t return the rn column. The optimizer realized that the column is not needed and removed the additional operators from the plan, so looks exactly the same as the first plan we saw in this post.

Well, if someone asked me what I think about this behavior, I would say it is a bug in the SQL Server engine. The windowing functions shouldn’t be applied to the results of the OUTPUT clause because they affect performance and potentially affect the logic of the application.

This is the link to the test script, so you can run your own investigations.

Security – how to assign rights to database objects

rodak.p@gmail.com — Sun, 10 Apr 2011 09:23:00 GMT

A few days ago my team mate asked me to check out why one of the logins doesn’t have right to execute to a few stored procedures. Allegedly it had the right before. After a few minutes of digging in the source control it turned out that these procedures were scripted with explicit EXECUTE rights to them. However, some later updates to the code did not contain the rights scripted. Developers rarely pay too much attention to the security design of the code they write. It is not common that the code is implemented with least possible access level in mind. A classic example of this is TRUNCATE TABLE. While this is very handy command and can be very useful in certain scenarios, developers don’t realize that the user account executing it has to have some elevated rights.

I have seen many databases which implement explicit rights to objects. This is to some degree a legacy issue, as in SQL Server 2000 and before security model was completely different and more difficult to manage. The common practice at the time was to script rights to objects, and to make things simple everyone who had right to connect to database could do everything in it. Even recently I saw a table with explicit rights like this:

 create table dbo.sometable
(
    column1 int,
    columnt2 char(1),
    column3 varchar(255)
)
go
 
grant select on dbo.sometable to [public]
grant delete on dbo.sometable to [public]
grant insert on dbo.sometable to [public]
grant update on dbo.sometable to [public]
 
go
 

This is definitely a bad practice.

Let’s examine slightly different scenario, the one that I mentioned at the beginning of this post. Let’s analyse what options you have when you need to give user rights to execute a stored procedure but do don’t want to give rights to public role:

Assign explicit rights for the user to the procedure.
Assign explicit rights to a role and assign user to that role
Create the procedure within a separate schema, assign user to specific role and assign rights for the schema to the role.

The above three options have their pros and cons. The first option is in most cases an aftermath of legacy design and while it is most granular, it is also hardest to manage and monitor.

Second option is also very granular, the only difference is after all that the rights are assigned to a database role. Main advantage of this solution is that you can assign more than one user to the database role and they will be automatically granted required access to the objects.

The third option requires some consideration regarding design of the database. You may need to change some code calling the procedures. You may still want to create a database role and assign rights for the schema to the role. This gives you best flexibility.

Let’s examine some of the effects each of these options brings in when implemented. I created script file that examines six scenarios you may come across in your database. This is definitely not a complete list, bear in mind.

First, let’s create test database and login that we will use to test the solutions. I will also create a sample table and stored procedure in the database.

 use master
go
create login RemoteLogin with password='Str()ngPwd', check_policy=off
go
create database testExecRights
go
use testExecRights
go
create user [RemoteUser] from login [RemoteLogin]
go
create table dbo.tTest(a int, b int)
go
create procedure dbo.pTestInsert(@a int, @b int)
as
begin
    insert dbo.tTest(a, b) values(@a, @b)
end
go
 

The first scenario shows what happens when you create an user in the database, but you don’t assign any specific rights for it.

 ---Scenario 1: user has public right to the database
execute as login='RemoteLogin'
select suser_name()
go
 
    begin try
        ---should fail
        exec dbo.pTestInsert 1, 1
        return;
    end try
    begin catch
        declare @errormsg nvarchar(2000)
        set @errormsg = N'Scenario 1: Exception occured in ' + error_procedure() + 
            N': ' + error_message() + N' (' + convert(nvarchar, error_number()) + N')'
        raiserror(@errormsg, 16, 1)
    end catch
 

This code throws an exception, as expected:

Msg 50000, Level 16, State 1, Line 10
 Scenario 1: Exception occured in pTestInsert: The EXECUTE permission was denied on the object 'pTestInsert', database 'testExecRights', schema 'dbo'. (229)

Let’s have a look what we’ll get when we assign the right to execute the stored procedure explicitly:

 ---Scenario 2: user has explicit right to execute the procedure
---this is executed at sa/dbo level
grant execute on dbo.pTestInsert to [RemoteUser]
go
execute as login='RemoteLogin'
select suser_name()
go
    begin try
        ---should succeed
        exec dbo.pTestInsert 1, 1
        return;
    end try
    begin catch
        declare @errormsg nvarchar(2000)
        set @errormsg = N'Scenario 2: Exception occured in ' + error_procedure() + N': ' + error_message() + N' (' + convert(nvarchar, error_number()) + N')'
        raiserror(@errormsg, 16, 1)
    end catch
go
revert
select suser_name()
--revoke granted right
revoke execute on dbo.pTestInsert to [RemoteUser]
go
 

In line 3 in the above snippet you see the command to grant execute right on the stored procedure to the RemoteUser. Please note that the user still has no other rights – he can’t insert rows to the tTest table directly, he even can’t select from the table. Since the above snippet is part of the bigger script, at the end of it, in line 22 you can see command 'REVOKE’ to – revoke the right granted in the line 3. So, how the above code works? Yes, it works OK. It doesn’t throw exception because the permissions are right.

As I mentioned before, there were procedures which the remote login mysteriously lost ability to call. In my case, the issue was caused by a release script, which did not re-establish appropriate rights to them. There are two ways you can modify a procedure during release. One is obviously ALTER PROCEDURE, which does not change the security configuration of the procedure, the other is a sequence of DROP and CREATE statements. Scenarios 3 and 4 are shown in the below scripts.

 ---Scenario 3: user has explicit right to execute the procedure but the stored procedure is ALTERED
--- in subsequent release
go
---this is executed at sa/dbo level
grant execute on dbo.pTestInsert to [RemoteUser]
go
go
---now ALTER the procedure
alter procedure dbo.pTestInsert (@a int, @b int)
as 
begin
    insert dbo.tTest(a, b) values (@a, @a * @b)
end
go
execute as login='RemoteLogin'
select suser_name()
go
    begin try
        ---should succeed
        exec dbo.pTestInsert 1, 1
        return;
    end try
    begin catch
        declare @errormsg nvarchar(2000)
        set @errormsg = N'Scenario 3: Exception occured in ' + error_procedure() + N': ' + error_message() + N' (' + convert(nvarchar, error_number()) + N')'
        raiserror(@errormsg, 16, 1)
    end catch
go
revert
select suser_name()
 
go
--revoke granted right
revoke execute on dbo.pTestInsert to [RemoteUser]
go
 

 ---Scenario 4: user has explicit right to execute the procedure but the stored procedure is 
---DROPPED an CREATED in subsequent release
go
---this is executed at sa/dbo level
grant execute on dbo.pTestInsert to [RemoteUser]
go
go
---now DROP and CREATE the procedure
drop procedure dbo.pTestInsert 
go
create procedure dbo.pTestInsert (@a int, @b int)
as 
begin
    insert dbo.tTest(a, b) values (@a, @a * @b)
end
go
execute as login='RemoteLogin'
select suser_name()
go
    begin try
        ---should fail
        exec dbo.pTestInsert 1, 1
        return;
    end try
    begin catch
        declare @errormsg nvarchar(2000)
        set @errormsg = N'Scenario 4: Exception occured in ' + error_procedure() + N': ' + error_message() + N' (' + convert(nvarchar, error_number()) + N')'
        raiserror(@errormsg, 16, 1)
    end catch
go
revert
select suser_name()
 

Scenario 4 throws an exception as expected:

Msg 50000, Level 16, State 1, Line 9
 Scenario 4: Exception occured in pTestInsert: The EXECUTE permission was denied on the object 'pTestInsert', database 'testExecRights', schema 'dbo'. (229)

Obviously there is an issue here. The release process must take care of the proper assignment of the rights. The problem is if the script consists of smaller parts prepared by developers, it may be virtually impossible to verify if the rights are scripted correctly in the release script. One can script all explicit permissions to objects before the release and then reconcile them with the permissions existing after the release. This also can be tricky, as sometimes the rights have to change, sometimes new objects don’t have properly scripted permissions etc. What if you have may users that need to perform certain operations on tables and views? In general, it looks like the idea of assigning rights one by one for all users and objects is bad in most scenarios. Imagine the amount of failure points if you have 3000+ objects in database and you change, say, a few hundred of them within the release. What can you do about it?

First thing that you should do is to break explicit relationship of users and objects. You can do this by creating a database role which will serve as single point of security assignments. By having several roles in the database, you can tune the security fairly easily without having to rescript permissions for all users each time you need to make a change. Scenario 5 shows such database role example:

 ---Scenario 5: belongs to DATABASE ROLE with explicit right to execute the procedure 
---and the stored procedure is DROPPED an CREATED in subsequent release
go
---this is executed at sa/dbo level
create role [pTestExecRightRole]
go
grant execute on dbo.pTestInsert to [pTestExecRightRole]
go
exec sp_addrolemember 'pTestExecRightRole', 'RemoteUser'
go
---now DROP and CREATE the procedure
drop procedure dbo.pTestInsert 
go
create procedure dbo.pTestInsert (@a int, @b int)
as 
begin
    insert dbo.tTest(a, b) values (@a, @a * @b)
end
go
execute as login='RemoteLogin'
select suser_name()
go
    begin try
        ---should succeed
        exec dbo.pTestInsert 1, 1
        return;
    end try
    begin catch
        declare @errormsg nvarchar(2000)
        set @errormsg = N'Scenario 5: Exception occured in ' + error_procedure() + N': ' + error_message() + N' (' + convert(nvarchar, error_number()) + N')'
        raiserror(@errormsg, 16, 1)
    end catch
go
revert
select suser_name()
go
exec sp_droprolemember 'pTestExecRightRole', 'RemoteUser'
go
drop role [pTestExecRightRole]
go
 

The issue with the above is that still, when an object is dropped and recreated, the rights assigned to it are lost. The script above throws the same exception again:

Msg 50000, Level 16, State 1, Line 9
 Scenario 5: Exception occured in pTestInsert: The EXECUTE permission was denied on the object 'pTestInsert', database 'testExecRights', schema 'dbo'. (229)

To solve this you have to group objects in a similar way you do it with users. While database role is used as a container for usSers, schema serves the same purpose for database objects. Scenario 6 shows this approach.

 ---Scenario 6: user belongs to DATABASE ROLE with explicit right to execute on the SCHEMA
---and the stored procedure is DROPPED an CREATED in subsequent release
go
---this is executed at sa/dbo level
create role [pTestExecRightRole]
go
create schema RemoteExec authorization dbo
go
grant execute on schema::RemoteExec to [pTestExecRightRole]
go
exec sp_addrolemember 'pTestExecRightRole', 'RemoteUser'
go
---now DROP and CREATE the procedure
drop procedure dbo.pTestInsert 
go
create procedure RemoteExec.pTestInsert (@a int, @b int)
as 
begin
    insert dbo.tTest(a, b) values (@a, @a * @b)
end
go
execute as login='RemoteLogin'
select suser_name()
go
    begin try
        ---should succeed
        exec RemoteExec.pTestInsert 1, 1
        return;
    end try
    begin catch
        declare @errormsg nvarchar(2000)
        set @errormsg = N'Scenario 6: Exception occured in ' + error_procedure() + N': ' + error_message() + N' (' + convert(nvarchar, error_number()) + N')'
        raiserror(@errormsg, 16, 1)
    end catch
go
revert
select suser_name()
 
go
 

As you see, I created schema RemoteExec in line 7. I granted explicit right to execute on all objects belonging to the schema to the database role pTestExecRightRole. Subsequently I simulate release process by dropping existing procedure dbo.pTestInsert and creating it in the schema RemoteExec. As you see, I don’t apply any explicit rights to the stored procedure. The fact that it belongs to the RemoteExec schema is sufficient for it to be callable by the user belonging to pTestExecRightRole. You can easily add and remove procedures from the RemoteExec schema and they will automatically inherit any rights you have chosen to assign to them, without any manual coding. More importantly, the rights are not tied to the objects, so you will not loose required functionality after making changes to the objects.

As I said before, this approach has its consequences. You may need to modify some of the code that calls the stored procedures to explicitly reference schema, in some cases you need to modify the code of the stored procedures. If you work with older code the most likely schema it references is an implicit dbo – object names are used without any schema part. This may be OK and resolve at runtime, but in some cases it won’t especially if you move the procedure to a different schema. It is a good practice to explicitly reference schemas in your code to avoid any confusion and problems.

You can download the test script with all scenarios and cleanup code from this location. Enjoy.

Technorati Tags: SQL Server 2008,T-SQL,programming,database design

BNF – how to read syntax?

rodak.p@gmail.com — Tue, 07 Dec 2010 21:40:00 GMT

A few days ago I read post of Jen McCown (blog) about her idea of blogging about random articles from Books Online. I think this is a great idea, even if Jen says that it’s not exciting or sexy. I noticed that many of the questions that appear on forums and other media arise from pure fact that people asking questions didn’t bother to read and understand the manual – Books Online. Jen came up with a brilliant, concise acronym that describes very well the category of posts about Books Online – RTFM365. I take liberty of tagging this post with the same acronym.

I often come across questions of type – ‘Hey, i am trying to create a table, but I am getting an error’. The error often says that the syntax is invalid.

1 CREATE TABLE dbo.Employees
2     (guid uniqueidentifier CONSTRAINT DEFAULT Guid_Default NEWSEQUENTIALID() ROWGUIDCOL,
3     Employee_Name varchar(60)
4     CONSTRAINT Guid_PK PRIMARY KEY (guid) );
5

The answer is usually(1), ‘Ok, let me check it out.. Ah yes – you have to put name of the DEFAULT constraint before the type of constraint:

1 CREATE TABLE dbo.Employees
2     (guid uniqueidentifier CONSTRAINT Guid_Default DEFAULT NEWSEQUENTIALID() ROWGUIDCOL,
3     Employee_Name varchar(60)
4     CONSTRAINT Guid_PK PRIMARY KEY (guid) );

Why many people stumble on syntax errors? Is the syntax poorly documented? No, the issue is, that correct syntax of the CREATE TABLE statement is documented very well in Books Online and is.. intimidating. Many people can be taken aback by the rather complex block of code that describes all intricacies of the statement.

However, I don’t know better way of defining syntax of the statement or command.

The notation that is used to describe syntax in Books Online is a form of Backus-Naur notatiion, called BNF for short sometimes. This is a notation that was invented around 50 years ago, and some say that even earlier, around 400 BC – would you believe? Originally it was used to define syntax of, rather ancient now, ALGOL programming language (in 1950’s, not in ancient India).

If you look closer at the definition of the BNF, it turns out that the principles of this syntax are pretty simple. Here are a few bullet points:

italic_text is a placeholder for your identifier
<italic_text_in_angle_brackets> is a definition which is described further.
[everything in square brackets] is optional
{everything in curly brackets} is obligatory
everything | separated | by | operator is an alternative
::= “assigns” definition to an identifier

Yes, it looks like these six simple points give you the key to understand even the most complicated syntax definitions in Books Online. Books Online contain an article about syntax conventions – have you ever read it?

Let’s have a look at fragment of the CREATE TABLE statement:

 1 CREATE TABLE 
 2     [ database_name . [ schema_name ] . | schema_name . ] table_name 
 3         ( { <column_definition> | <computed_column_definition> 
 4                 | <column_set_definition> }
 5         [ <table_constraint> ] [ ,...n ] ) 
 6     [ ON { partition_scheme_name ( partition_column_name ) | filegroup 
 7         | "default" } ] 
 8     [ { TEXTIMAGE_ON { filegroup | "default" } ] 
 9     [ FILESTREAM_ON { partition_scheme_name | filegroup 
10         | "default" } ]
11     [ WITH ( <table_option> [ ,...n ] ) ]
12 [ ; ]

Let’s look at line 2 of the above snippet: This line uses rules 3 and 5 from the list. So you know that you can create table which has specified one of the following.

just name – table will be created in default user schema
schema name and table name – table will be created in specified schema
database name, schema name and table name – table will be created in specified database, in specified schema
database name, .., table name – table will be created in specified database, in default schema of the user.

Note that this single line of the notation describes each of the naming schemes in deterministic way. The ‘optionality’ of the schema_name element is nested within database_name.. section. You can use either database_name and optional schema name, or just schema name – this is specified by the pipe character ‘|’.

The error that user gets with execution of the first script fragment in this post is as follows:

Msg 156, Level 15, State 1, Line 2
Incorrect syntax near the keyword 'DEFAULT'.

Ok, let’s have a look how to find out the correct syntax. Line number 3 of the BNF fragment above contains reference to <column_definition>. Since column_definition is in angle brackets, we know that this is a reference to notion described further in the code. And indeed, the very next fragment of BNF contains syntax of the column definition.

 1 <column_definition> ::=
 2 column_name <data_type>
 3     [ FILESTREAM ]
 4     [ COLLATE collation_name ] 
 5     [ NULL | NOT NULL ]
 6     [ 
 7         [ CONSTRAINT constraint_name ] DEFAULT constant_expression ] 
 8       | [ IDENTITY [ ( seed ,increment ) ] [ NOT FOR REPLICATION ] 
 9     ]
10     [ ROWGUIDCOL ] [ <column_constraint> [ ...n ] ] 
11     [ SPARSE ]

Look at line 7 in the above fragment. It says, that the column can have a DEFAULT constraint which, if you want to name it, has to be prepended with [CONSTRAINT constraint_name] sequence. The name of the constraint is optional, but I strongly recommend you to make the effort of coming up with some meaningful name yourself. So the correct syntax of the CREATE TABLE statement from the beginning of the article is like this:

1 CREATE TABLE dbo.Employees
2     (guid uniqueidentifier CONSTRAINT Guid_Default DEFAULT NEWSEQUENTIALID() ROWGUIDCOL,
3     Employee_Name varchar(60)
4     CONSTRAINT Guid_PK PRIMARY KEY (guid) );

That is practically everything you should know about BNF. I encourage you to study the syntax definitions for various statements and commands in Books Online, you can find really interesting things hidden there.

Technorati Tags: SQL Server,t-sql,BNF,syntax

(1) No, my answer usually is a question – ‘What error message? What does it say?’. You’d be surprised to know how many people think I can go through time and space and look at their screen at the moment they received the error.

Setting reporting database–what happens behind the scenes

rodak.p@gmail.com — Sun, 28 Nov 2010 14:30:07 GMT

When you install reporting server, you have in general two options available – either you install the reporting server and configure its database at the same time, or install just reporting service and point it to an existing database later.

We had recently opportunity to configure server to point to existing reporting database. We encountered a security related issue, because the account we were using to connect to the SQL Server database engine was not ‘good enough’ to configure reporting service connectivity. Namely, the installation fails if you are not a sysadmin, security admin, or dbo on master and msdb databases.

So what is happening if you are configuring reporting server to point to existing database? This is how it seems to work in SQL Server 2008 R2:

First, new role called RSExecRole is added to master database if it doesn’t exist:

1 use master
2 go
3 if not exists (select * from sysusers where issqlrole = 1 and name = 'RSExecRole')
4 BEGIN
5  EXEC sp_addrole 'RSExecRole'
6 END
7 
8 go

Then do the same in the msdb database:

1 use msdb
2 
3 go
4 
5 if not exists (select * from sysusers where issqlrole = 1 and name = 'RSExecRole')
6 BEGIN
7  EXEC sp_addrole 'RSExecRole'
8 END
9 go

And in reporting database and the temp database for reporting:

 1 USE [ReportServer$SQL1]
 2 
 3 go
 4 
 5 if not exists (select * from sysusers where issqlrole = 1 and name = 'RSExecRole')
 6 BEGIN
 7  EXEC sp_addrole 'RSExecRole'
 8 END
 9 
10 go
11 
12 USE [ReportServer$SQL1TempDB]
13 go
14 
15 if not exists (select * from sysusers where issqlrole = 1 and name = 'RSExecRole')
16 BEGIN
17  EXEC sp_addrole 'RSExecRole'
18 END
19 
20 go
21

Next the reporting server configuration manager is mapping user to the login we want to use in each of the databases, interestingly in the order as below:

 1 
 2 USE [ReportServer$SQL1]
 3 
 4 go
 5 
 6 
 7 if not exists (select name from master.dbo.syslogins where name = N'RSUser' and sysadmin =1)
 8 BEGIN
 9     if not exists (select name from sysusers where name = N'RSUser' and issqluser = 1)
10     BEGIN
11         EXEC sp_grantdbaccess N'RSUser'
12     END
13 END
14 
15 go
16 
17 
18 USE [ReportServer$SQL1TempDB]
19 
20 go
21 
22 
23 if not exists (select name from master.dbo.syslogins where name = N'RSUser' and sysadmin =1)
24 BEGIN
25     if not exists (select name from sysusers where name = N'RSUser' and issqluser = 1)
26     BEGIN
27         EXEC sp_grantdbaccess N'RSUser'
28     END
29 END
30 
31 go
32 
33 
34 USE [msdb]
35 
36 go
37 
38 
39 if not exists (select name from master.dbo.syslogins where name = N'RSUser' and sysadmin =1)
40 BEGIN
41     if not exists (select name from sysusers where name = N'RSUser' and issqluser = 1)
42     BEGIN
43         EXEC sp_grantdbaccess N'RSUser'
44     END
45 END
46 
47 go
48 
49 USE [master]
50 go
51 
52 if not exists (select name from master.dbo.syslogins where name = N'RSUser' and sysadmin =1)
53 BEGIN
54     if not exists (select name from sysusers where name = N'RSUser' and issqluser = 1)
55     BEGIN
56         EXEC sp_grantdbaccess N'RSUser'
57     END
58 END
59 
60 GO
61

Eventually the user is added to the RSExecRole:

 1 
 2 USE [ReportServer$SQL1]
 3 go
 4 
 5 if not exists (select name from master.dbo.syslogins where name = N'RSUser' and sysadmin = 1)
 6 BEGIN
 7     EXEC sp_addrolemember 'RSExecRole', N'RSUser'
 8 END
 9 
10 go
11 
12 
13 USE [msdb]
14 go
15 
16 if not exists (select name from master.dbo.syslogins where name = N'RSUser' and sysadmin = 1)
17 BEGIN
18     EXEC sp_addrolemember 'RSExecRole', N'RSUser'
19 END
20 go
21 
22 USE [master]
23 go
24 
25 if not exists (select name from master.dbo.syslogins where name = N'RSUser' and sysadmin = 1)
26 BEGIN
27     EXEC sp_addrolemember 'RSExecRole', N'RSUser'
28 END
29 
30 go
31 
32 
33 USE [ReportServer$SQL1TempDB]
34 go
35 
36 if not exists (select name from master.dbo.syslogins where name = N'RSUser' and sysadmin = 1)
37 BEGIN
38     EXEC sp_addrolemember 'RSExecRole', N'RSUser'
39 END
40 
41

Ha. I was about to give a rant about implementation of sp_addrolemember system procedure, which in SQL 2005 is using sysusers and other obsolete objects. The version in SQL Server 2008 R2 has been rewritten from what I see, and is using sys.database_principals in its logic. Well done Microsoft .

Technorati Tags: SQL Server,t-sql,reporting services