SQL Server 2005 introduces a world of new features and in my first article for Windows IT Pro News UK I gave a very high-level overview about some of them. In my previous article I wrote about SQL Server Service broker, the new messaging infrastructure in SQL Server 2005. In this article, I will take a look at a new feature in the SQL Server called schemas.
The fully qualified name of a database object in SQL Server 2000 (and earlier versions) was like the following:
So, for example, if the user Bob in the database db1 in the server serv1 created a table called tab1, the fully qualified name would be:
In other words, the creator was tightly coupled to the object itself. Subsequently, if we for some reason wanted to delete Bob from the database (DROP USER BOB), we could not do that without first dropping the objects owned by Bob or change the owner of the objects. Neither of these options is really appealing as we probably have code referencing the objects and we would then need to change our code.
We can see a schema as a collection of database entities, sharing the same schema name. If you are familiar with the Common Language Runtime, you can draw a parallel between schemas and namespaces.
You may now say that in SQL Server 2000 we had the ability to create a schema with the CREATE SCHEMA statement. However, in SQL Server 2000 this does not create a schema independent of the user that creates it. It implicitly connects the user with the schema, and if you try to drop the user you run into the same problems as mentioned before.
Therefore, in SQL Server 2005, Microsoft has given us the ability to create schemas independent of the user, and by this we achieve separation of schemas and users. This gives us some considerable advantages:
- Dropping database users is greatly simplified.
- Dropping a database user does not require the renaming of objects contained by that
user's schema. Thus it is no longer necessary to revise and test applications that refer
explicitly to schema-contained objects after dropping the user that created them.
- Multiple users can share a single default schema for uniform name resolution.
- Shared default schemas allow developers to store shared objects in a schema created
specifically for a specific application, rather than in the DBO schema.
- Permissions on schemas and schema-contained objects can be managed with a higher degree of granularity than in earlier releases.
The syntax to create a schema is like so:
CREATE SCHEMA schema_name
where the AUTHORIZATION clause is optional. In addition to the syntax above you can also create tables, views and GRANT and DENY permissions for the particular schema when it is being created. For example, the following statement:
CREATE SCHEMA Marketing
CREATE TABLE Mailshots (id int primary key, description varchar(max)) GRANT SELECT TO Alice
DENY SELECT TO Kent;
will create the Marketing schema with Bob being the owner. Furthermore, it creates a table called Mailshots with Marketing being the schema qualifier and it allows Alice to run SELECT statements against tables in the schema but denies Kent. Schemas and users
In the CREATE SCHEMA statement above we explicitly granted and denied permissions to two users (Alice and Kent), which will be part of this schema. In SQL Server 2005 every user will have a default schema and if no default schema has been assigned to a user, she will be part of the DBO schema.
Being part of the DBO schema may initially sound a bit dangerous -- does that imply that the user then has the permissions as the dbo? No, absolutely not! Every user has to be given explicit permissions for that particular schema (or have to be be part of a role which has rights in that schema) in order to be able to do anything. The user also has to have general permissions, ie GRANT CREATE TABLE TO user-name.
The following code snippet shows an example:
--create a user called niels
CREATE USER niels FROM LOGIN niels
--by default niels is part of the DBO schema
--grant the user general table creation rights
GRANT CREATE TABLE TO niels
--change to niels and try to create a table
--this will fail
CREATE TABLE n(id int)
--change back to admin and grant niels table creation rights in the Marketing schema created previously
GRANT ALTER ON SCHEMA::Marketing to niels
--go back to niels
--try to create a table in the Marketing schema
--this will succeed
CREATE TABLE Marketing.n(id int)
Notice how the user had to schema-qualify the table name, as the user created the table in her non-default schema. To make Marketing the default schema for niels we could run following code:
ALTER USER niels
WITH DEFAULT_SCHEMA = niels
It is also worth noticing that even though niels has rights to create tables in that particular schema, he has no rights to SELECT from those tables. For that to happen we need to grant niels SELECT permissions:
GRANT SELECT ON SCHEMA::Marketing to niels
This may sound like a lot of work, and to a degree it is. In real life you'll probably find that you assign permissions to roles (as before) and then add users to the roles. Summary
Schemas gives us the ability to separate users from objects, which will make our database objects easier to administer. In addition, the introduction of schemas will also make it easier to implement a more granular security model within a database.