Vikas Rajput's Weblog

Previously I touched on how SQL Server Schema can be of immense use. I think its best if I cover some more content on same topic:

What is SQL Server Schema?
SQL Server schema is a container of database objects and follows following rules:
- May contain different object types, like tables, indexes, views, procedures, functions, etc.
- A database user can be assigned with a default schema. Every schema has a single owner (a database user). A database user may own multiple schemas.
- Object names must be prefixed with schema names when referencing schemas outside user’s default schema.
- If your login name is mapped to the owner of a schema, you have full permissions on this schema.
- To drop a schema, you need to empty the schema first.

How to create a new Schema?
USE <DBName>
GO
CREATE SCHEMA <yourSchemaName>
GO

How to list all schema in a Database?
SELECT * FROM sys.schemas;

How to create table in a given schema?
CREATE TABLE <yourSchemaName>.testTable ( id INT);
GO

How to transfer objects (table in our example) from one schema to other?
– Create the needed schema and test object
CREATE SCHEMA test1
GO
CREATE SCHEMA test2
GO
CREATE TABLE test1.testTable(ID INT)
GO

– Validate for test object’s current Schema
SELECT t.name AS table_name, t.type_desc,
s.name AS schema_name
FROM sys.tables t, sys.schemas s
WHERE t.schema_id = s.schema_id
and t.name like ‘%test%’

– Transfer the object to new schema
ALTER SCHEMA test2 transfer test1.testTable

– Validate for test object’s current Schema
SELECT t.name AS table_name, t.type_desc,
s.name AS schema_name
FROM sys.tables t, sys.schemas s
WHERE t.schema_id = s.schema_id
and t.name like ‘%test%’

How to list objects within a Schema?
USEAdventureWorks
GO
Select o.name, o.schema_id, o.type_desc
FROM sys.objects o, sys.schemas s
WHERE o.schema_id = s.schema_id
AND s.name = ‘HumanResources’;
– HumanResources is the schema name

How to create an User account and assigning Default Schema?
USE [master]
GO
CREATE LOGIN [testUser] WITH PASSWORD=N’testUser’, DEFAULT_DATABASE=[AdventureWorks], CHECK_EXPIRATION=ON, CHECK_POLICY=ON
GO
USE [AdventureWorks]
GO
CREATE USER [testUser] FOR LOGIN [testUser]
GO
ALTER USER [testUser] WITH DEFAULT_SCHEMA=[test2]
GO
EXEC sp_addrolememberN’db_owner’, N’vikas’
GO

How to check default Schema of your Login?
select name, default_schema_name
FROM sys.database_principals WHERE type = ‘S’;

How to check ownership of specific Schema?
SELECT s.name, u.name AS owner
FROM sys.schemas s, sys.database_principals u
WHERE s.principal_id = u.principal_id
AND s.name like ‘%test%’;
– where %test% is the schema name patter

How to change ownership of a schema?
ALTER AUTHORIZATION ON SCHEMA::test1 TO testUser

How to drop a schema?
DROP SCHEMA testUsertest1
– you might receive an error if the schema is not empty. In such case either drop or transfer the objects to other schema.

There are many times I have been scratching my [mug shaped] head on what use Schema provides in SQL Server (available with SQL Server 2005 or later).
I have now recovered from my Schema knowledge void, thanks to Michael Redman (MSDN) and Dinesh Asanka (sql-server-performance.com). Both the pages are good start point on the topic. Also, behavioral changes for Schema have been discussed well within MSDN.

For advantages part, schema facilitates for:
- less user admin hassles (no all-object-within-dbo paradigm)
- neat and clean databases in terms of managed objects carried within defined schema,
- act as a container for objects,
- can be owned by any user and ownership can be transferred any time (imagine the scope in change management preview)
- schema level permissions (for all or subset of contained objects) be given out to a reference schema (which are legitimate even when a new object is created). Basically, schemas can act as security boundaries.

Disadvantage:
- Only that I can think of is that you would need to know specific role a security role and schema plays in an application. On bright side, you shall be documenting it anyways and shall be part of your User Admin Procedures (and documentation).

Please let me know if you have come across any other usage or shortcoming.

Default Service Accounts for SQL Server Startup:
For  SSIS and SQL Server Browser: NT Authority\Network Service is default logon.
For SQLServer, SQLAgent, SSRS, SSAS: There is no default logon.
For SQL Server Full-Text Daemon: Though there is no default logon, but its recommended to have one Local Account as FDHOST.EXE service account.

Key Note for choosing SQL Server Startup account:
1. If an account with lesser privileges is available, then Microsoft recommends that you do not use the Network Service account for the SQL Server or the SQL Server Agent services. Its because Network Service is generally a shared account and is appropriate for use as a SQL Server service account only if you can ensure that no other services that use the same account are installed on the computer. Local User or Domain User accounts that are not a Windows administrator are more appropriate for SQL Server services.
2. Always use SQL Server tools such as SQL Server Configuration Manager to change the account used by the SQL Server or SQL Server Agent services, or to change the password for the account. In addition to changing the account name, SQL Server Configuration Manager performs additional configuration such as setting permissions in the Windows Registry so that the new account can read the SQL Server settings.

Now, its pivotal to understand different types Windows Accounts, some of which are to be used for SQL Server Startup.
Domain User Account
If the service must interact with network services, access domain resources like file shares or if it uses linked server connections to other computers running SQL Server, you might use a minimally-privileged domain account.
Local User Account
If the computer is not part of a domain, a local user account without Windows administrator permissions is recommended.
Local Service Account
The Local Service account, built-in account and has the same level of access to resources and objects as members of the Users group. Services that run as the Local Service account access network resources as a null session without credentials. The actual name of the account is "NT AUTHORITY\LOCAL SERVICE". Please note that the Local Service account is not supported for the SQL Server or SQL Server Agent services.
Network Service Account
It is a built-in account that has more access to resources and objects than members of the Users group. Services that run as the Network Service account access network resources by using the credentials of the computer account. The actual name of the account is "NT AUTHORITY\NETWORK SERVICE".
Local System Account
Local System is a very high-privileged built-in account. It has extensive privileges on the local system and acts as the computer on the network. The actual name of the account is "NT AUTHORITY\SYSTEM".