Administer Server and Database Security

Administer group-level security on SQL Server instances and databases

Overview

Data resource security enables the Data Bridge tenants to restrict access to data resources (server instances and databases) in their Data Bridge cluster. Security is an optional feature that may be independently implemented on server instances and databases.

If data resource is secured, the owner of that server instance or database can grant or revoke access to that data resource on a group-by-group basis. No principal can access a data resource unless that principal belongs to a group that has been granted access to that data resource by owner.

The Data Bridge API exposes operations that enable the owner of a data resource (server instance and database) to grant or revoke access to that data resource to one or more groups and to view security details for that data resource.

Administer group access to server instances

The Update Server Instance Security operation (PATCH /databridge/v1/sql-instances/{instanceName}/groups) enables the owner of a secured server instance to grant or revoke access to that data resource on a group-by-group basis.

Once a server instance is secured, no principal can access that server instance unless the principal belongs to a group that has been granted access to that server instance. Group-level access enables principals to perform all of the operations granted to them as members of that group.

The request property defines an array of updates that enable the owner to add or revoke access rights for one one or more groups. Each object identifies the operation (Add or Remove), the targetProperty (groupId), and the unique value that identifies the group by its ID. Access for multiple groups can be administered in a single request:

[
  {
    "operation": "Add",
    "targetProperty": "groupId",
    "value": "8e676a8f-63ed-4cc0-8678-9a20ce41a80a"
  }
  {
    "operation": "Remove",
    "targetProperty": "groupId",
    "value": "4x679a8a-74et-4cc0-8678-7g90ee96d00f"
  }
]

For each object in the request package, the operation, targetProperty, and value properties are required:

PropertyDescription
operationOperation to perform. One of Add or Remove. If Add the specified group is granted access to the server instance. If Remove, access to the server instance is revoked for the specified group.
targetPropertyProperty to update. In the current implementation, groupId is the only supported property.
valueUnique group ID of the group.

The server instance owner may view a list of the groups that can access the server instances they own using the List Server Instances and Get Server Instance operations.

Administer group access to databases

The Administer access to database by group service (PATCH /databridge/v1/sql-instances/{instanceName}/Databases/{databaseName/groups}) enables administrators to grant or revoke group access to databases on managed SQL Server instances.

Once a database is secured, no principal can access that server instance unless the principal belongs to a group that has been granted access to that database. Group-level access enables principals to perform all of the operations granted to them as members of that group.

The request property defines an array of updates that enable the owner to add or revoke access rights for one or more groups. Each object identifies the operation (Add or Remove), the targetProperty (groupId), and the unique value that identifies the group by its ID. Access for multiple groups can be administered in a single request:

[
  {
    "operation": "Add",
    "targetProperty": "groupId",
    "value": "8e676a8f-63ed-4cc0-8678-9a20ce41a80a"
  }
  {
    "operation": "Remove",
    "targetProperty": "groupId",
    "value": "4x679a8a-74et-4cc0-8678-7g90ee96d00f"
  }
]

For each object in the request package, the operation, targetProperty, and value properties are required:

PropertyDescription
operationOperation to perform. One of Add or Remove. If Add the specified group is granted access to the database. If Remove, access to the database is revoked for the specified group.
targetPropertyProperty to update. In the current implementation, groupId is the only supported property.
valueUnique group ID of the group.

The database owner may view a list of the groups that can access the database they own using the List Databases and Get Database operations.

Enable data source security

Data resource security is an optional security feature that can be enabled by a Data Admin in Admin Center. The Data Admin may enable security on individual server instances and databases. Every secured data resource, is assigned an owner that is responsible for administering access to that data resource.

The ownership of all secured data resource is managed by the Tenant Admin in Admin Center. Ownership of secured server instances and database may be assigned to groups or user logins.

Owner permissions

The owner of a secured server instances or secured database may perform certain operations on that data resource that are not available to other principals regardless of group or role.

The owner of a data resource may perform the following operations:

OperationDescription
Update Server Instance SecurityAdd or revoke group-level access.
List Server InstancesView security information. If the owner of the data resource makes the request, the response returns the owner, secured, and groups attributes.
Get Server InstanceView security information. If the owner of the data resource makes the request, the response returns the owner, secured, and groups attributes.
Update Database SecurityAdd or revoke group-level access.
List DatabasesView security information. If the owner of the data resource makes the request, the response returns the owner, secured, and groups attributes.
Get DatabaseView security information. If the owner of the data resource makes the request, the response returns the owner, secured, and groups attributes.

More information

For detailed information about administering Intelligent Risk groups and role-based permissions, see the Intelligent Risk Platform Administrator Guide.