Journal

Ownership chaining or how to extend permissions without giving away the server

2009-11-27T03:00:54Z

The nightly process in our production system collects data from our real time systems (JD Edwards) and then processes that data. Many of these process manipulate the data and supply a modified data set for use by the dozens of client processes and applications. All of the client applications have their own databases (tables, views, procedures, etc), but due to the nature of the 'raw' data we collect (we have over 350 million rows of historical and current data) sometimes the client apps need to directly access this. It would be too costly to replicate this data for each individual application that would need it as well as maintaining dozens of copies would be impossible. This posed a unique problem:How do you grant access to the raw data in limited format?

The reason for the limited format is some of the data is for the ETL process only and if used by an application would provide false or erroneous data (one of our tables has over 250 columns). After a bit of research we came up with the following mechanism to allow specific access to specific tables in specific databases, with the added benefit of not having to add every new id to the permission roster.

First thing that needs to be done is to make sure that the same owner owns the files of the databases you are looking to chain. To simplify our servers, all files are owned by SA. This prevents the situation where a user id was used to create or restore a database, but they are no longer with us. Here is where you set that up:

Second thing we need to do is turn on 'database cross-chaining'. This enables permissions to be transferred when you have statements that cross databases, such as being in database A and doing the following: select * from B.dbo.sometable. This causes sql server to validate the user who is in database A to have permission to select from the table 'sometable' in database B. You turn on database cross chaining as follows: sp_dboption ,'db chain','ON'. This should be done in both databases, that is the database you are calling from and the database you are looking to access. In the above scenario, you would turn it on in A and B.

Third thing to be done is: grant connect to guest in both databases. This is the mechanism that SQL Server uses to pass credentials.

The next step is we create views in the 'source' database, which in the above example would be in the B database. Then you create a corresponding view in the application database, A. This does two things. First as you add users to the application databases you need not add them to any of the source databases, since they will be calling local views. Second, it provides a way to seal off the applications and as we add new sources of information, we simply create local views and hence isolate all applications from the Common data, keeping it pristine and from prying eyes.

I do realize the applications have to go through two views, the local view and then the view in the source database. Some have asked if this has a noticeable performance impact and I cannot say it does. The security flexibility we get from the above design far out ways any performance detriment as the apps run well within the time allotted (many sub-second).

Head on over to SQL University

2009-11-26T02:11:53Z

Jorge Segarra (twitter) has put together a wonderful collection of sql articles known as 'SQL University'. This is a place that all levels of sql practitioners should bookmark and go to. I am happy and honored to announce that I have been selected as one of the faculty members. Head on over and take a gander, you won't be disappointed. The link to SQL University.

Index Primer - Just what statistics are kept?

2009-11-25T23:42:26Z

Here is a link to my article on sqlservercentral. Thank you Steve Jones (twitter) for the guidance and opportunity.

Index Primer

Linked to the Microsoft SSIS Documentation Portal

2009-11-25T20:41:26Z

I am thrilled to announce that my blog has been linked to the Microsoft SSIS portal page. This information was sent to me late September and I was unable to blog at that time. Special thanks to Douglas Laudenschlager of the Microsoft SSIS documentation team. Here is the link: portal

Where I've been..

2009-11-25T13:14:44Z

This isn't a technical post, yet I believe the community deserves an answer as to where I've been for the last 75 days. I am home now and getting back into the swing of things. I originally went into the hospital for a severe back spasm, which turned out to be caused by a cancer known as Multiple Myeloma. The MM, presented in my spine, causing weakness in certain vertebrae. The muscle spams were caused by lytic lesions, which are basically small fractures, which impinged on a few nerves and hence the spams. With good doctors, shear force of will, a loving family, caring friends, a supportive community (a special thanks to Wibke Weilacher and the Exceptional DBA staff at RedGate), and countless prayers from those I know and those I don't, I have come a long way. My physical recovery has come farther in a faster period of time than the doctors had anticipated and my cancer is being pushed out at a fantastic rate. In the past 75 days a key protein indicator has shown a 34% reduction. I still have a long way to go, but this time I go with friends and family. You will begin to see me back to blogging and twittering. I have a lot of catching up to do.

Thank you everyone!

Long time overdue.

2009-10-09T22:41:23Z

My apologies for taking such a long time to post this. Had a little spill about 3 weeks back and it put me in the hospital. I guess the gardening and horsing around with my son finally took a toll on my back. I am finally able to get online and will start blogging soon (once I get back into the swing of things). Also, being that I am still in the hospital they seem to have twitter blocked (go figure). I am actively working on getting back to it and back to the community, which is why you haven't seen me out there for the last few weeks. I so do miss it. Hope to 'see' you all there soon.

I am honored to be giving a virtual presentation for PASS.

2009-09-21T01:11:11Z

Thanks to Thomas LaRock (twitter) for introducing me to Jeremiah Peschka (twitter), who took the time to review my presentation and give it the stamp of approval. I will be giving my virtual presentation on SSIS thread load balancing October 13th at 1pm EST. http://appdev.sqlpass.org/ has all the information.

Comments Welcome.

2009-09-17T12:50:57Z

I made a change in the configuration of my web page to allow anonymous comments. Writing in a vacuum doesn't help anyone.

Indexes and Convert_Implicit

2009-09-16T13:54:44Z

When you are designing your where clause to access data from a given set of tables it would benefit you to pay careful attention to the data types of the columns you will be using. SQL Server tries to help out by implicitly converting between data types which can cause 'hidden' optimizer issues.

A common example is the implicit conversion between character and integer datatypes. Listed below is a snippet of the query I was asked to tune.

You will notice the number 45 in purple. The graphical query plan produced this:

What first drew my attention was that 90% of the time was being taken up by a very small part of the overall where clause. Digging deeper I saw this:

Highlighted in purple was the culprit. A quick look at the column dbo.stcsmf11.hlvno showed it was a char(2), yet in the where clause I was joining it as a number stcsmf11.hlvno=45. I changed the where clause to be:

The subtle change in the where clause (making the number (45) into a character ('45')), yields a dramatic improvement. The time spent in that specific section of code goes from 90% to 2%:

The detailed picture shows two important pieces of information. First, we are doing an Index Seek vs. an Index Scan and secondly we have an additional join now being used. The join you see was always there, but due to the implicit conversion, SQL Server was not able to use the other qualifier. The additional seek predicate is 00779081.hlval.

It is very important to remember to be as specific as possible in your where clauses and keep a close eye on data types.

Procedures, Parameters, and the Optimizer

2009-09-09T15:08:54Z

The stored procedure is a very powerful tool and if you follow a few rules, it will perform very fast and efficiently.

Rule 1: Do not change parameters that are SARGS.

Rule2: If you must break Rule 1, split your procedures.

Let's create a procedure to use in our examples:

A little pubishing industry background. ISBN10 was a 10 character identifier used for all books. The industry started running out of available ISBNS, so a new ISBN13 was introduced. There is a formula to convert between ISBN10 & ISBN13 and many legacy applications still rely upon ISBN10. Now let's dig into RULE1.

There are two input parameters for this procedure:@ISBN and @discount, but only 1 of them is a SARG. The statement below breaks the first rule by modifying the parameter that is a SARG: @ISBN. It does this in the following sql:

SELECT @ISBN=

dbo.udf_CnvISBN13_to_ISBN10(@ISBN)

Why does this matter? The optimizer must first calculate all of the query plans prior to executing the procedure itself, so the above sql statement happens AFTER the plans have been determined. If I pass in the ISBN= '9780486438511', the optimizer will look to use that value to join to Book.ISBN. The optimizer chooses the query plan, runs and then wham! You are now looking for ISBN='0486438511' and the optimizer most likely picked a wrong plan, which will lead to poor performance.

You notice that I have mentioned nothing about the modification of @discount. That's because it is not used as a SARG and the optimizer isn't going to use it in determining the query plans.

If due to certain restrictions the application is passing in an ISBN3 and you must convert it to an ISBN10, you use RULE 2

As you can see from the above image, I have broken the stored procedure into two different procedures. The first procedure merely does the conversion of the ISBN and override of the discount before passing it on to the 'inner' procedure. When the inner procedure is executed, the optimzer will have the correct information and will grab the most efficient query plan, based upon the data passed in.