
Handling account attributes

You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, in the Manage the system (PSA) module. To do this, select Microsoft SQL Server from the Manage the system > Resources > Account attributes > Target system type menu.

This section describes the attributes that Bravura Security Fabric uses to compose values, set flags, or control behavior on the SQL Server.

Server roles

SQL Server uses server roles to grant server-wide security privileges to a login. Server roles correspond to the following boolean attributes in Bravura Security Fabric:

  • sysadmin: System Administrators

  • securityadmin: Security Administrators

  • serveradmin: Server Administrators

  • setupadmin: Setup Administrators

  • processadmin: Process Administrators

  • diskadmin: Disk Administrators

  • dbcreator: Database Creators

  • bulkadmin: Bulk Insert Administrators

By default, server roles are copied from the template user. Alternatively, you can assign users to server roles using the Bravura Security Fabric group management facility.

Database roles

Each SQL Server database also contains a set of roles. Because roles are unique to each database, you must create a db_roles_<database name> attribute for each database. For example, an SQL Server install always has a database called "master". To manage roles for this database, create the attribute db_roles_master.

Create the db_roles_<database name> attribute as a multi-valued attribute. Its values list the roles that a user has in that database. The "fixed" list of possible roles is:

  • db_owner

  • db_accessadmin

  • db_datareader

  • db_datawriter

  • db_ddladmin

  • db_securityadmin

  • db_backupoperator

  • db_denydatareader

  • db_denydatawriter

Note

The database role attributes (db_roles_<database name>) are copied by default. If you want to SET one or more of these attributes, they must have a Sequence Number higher than that of the databases attribute, because a user must have access to a database before the user can have a role for that database.
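
To compare what the connector reports with what SQL Server itself holds, the following T-SQL (an added example, not part of the Bravura Security Fabric product or its documentation) lists each login with one 0/1 column per server role named in the Server roles section, then the fixed database roles held in master. It uses the standard SQL Server catalog views; treating the second result as the values expected in db_roles_master is an assumption based on the description above.

```sql
-- Added example: audit query run directly on SQL Server, not product code.
-- Part 1: one row per login, one 0/1 column per fixed server role.
-- Column names match the boolean attribute names listed on this page.
SELECT
    p.name      AS login_name,
    p.type_desc AS login_type,   -- SQL_LOGIN, WINDOWS_LOGIN or WINDOWS_GROUP
    MAX(CASE WHEN r.name = 'sysadmin'      THEN 1 ELSE 0 END) AS sysadmin,
    MAX(CASE WHEN r.name = 'securityadmin' THEN 1 ELSE 0 END) AS securityadmin,
    MAX(CASE WHEN r.name = 'serveradmin'   THEN 1 ELSE 0 END) AS serveradmin,
    MAX(CASE WHEN r.name = 'setupadmin'    THEN 1 ELSE 0 END) AS setupadmin,
    MAX(CASE WHEN r.name = 'processadmin'  THEN 1 ELSE 0 END) AS processadmin,
    MAX(CASE WHEN r.name = 'diskadmin'     THEN 1 ELSE 0 END) AS diskadmin,
    MAX(CASE WHEN r.name = 'dbcreator'     THEN 1 ELSE 0 END) AS dbcreator,
    MAX(CASE WHEN r.name = 'bulkadmin'     THEN 1 ELSE 0 END) AS bulkadmin
FROM sys.server_principals AS p
LEFT JOIN sys.server_role_members AS m
       ON m.member_principal_id = p.principal_id
LEFT JOIN sys.server_principals AS r
       ON r.principal_id = m.role_principal_id
      AND r.type = 'R'                  -- R = server role
WHERE p.type IN ('S', 'U', 'G')         -- SQL login, Windows login, Windows group
GROUP BY p.name, p.type_desc
ORDER BY sysadmin DESC, securityadmin DESC, p.name;

-- Part 2: fixed database roles per user in master.
-- Assumption: these are the values a db_roles_master attribute would list.
-- Change the database name to audit another db_roles_<database name> attribute.
SELECT
    u.name AS database_user,
    r.name AS database_role             -- db_owner, db_datareader, ...
FROM master.sys.database_role_members AS m
JOIN master.sys.database_principals AS r
  ON r.principal_id = m.role_principal_id
JOIN master.sys.database_principals AS u
  ON u.principal_id = m.member_principal_id
WHERE r.is_fixed_role = 1               -- only the "fixed" roles listed above
ORDER BY u.name, r.name;
```

Logins that show sysadmin or securityadmin without a matching entry in the template or group configuration are the first ones to review.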

Disabling and enabling accounts

You can disable and enable accounts created from a Windows domain user template. The status is handled by the accessgranted attribute.

You cannot disable accounts created from a Standard user template.

Deleting accounts

When you delete a Windows user from Bravura Security Fabric, the Windows user’s access to SQL Server is revoked. When you delete a standard user from Bravura Security Fabric, the user is deleted completely.