Editor's Note: The following MVP Monday post is by SQL Server MVP Artemakis Artemiou and is part of our special series on SQL Server 2012.
One of the many new features shipped with the release of SQL Server 2012 is “Contained Databases”.
A contained database is isolated from the SQL Server instance on which it is hosted, as well as from the rest of the databases. It exists in its own world, meaning that it does not interact with anything outside itself and does not depend on anything outside its scope.
The contained databases feature changes the SQL Server security model, making it even more robust, because access to contained databases is permitted through special users (known as “contained database users”) which do not require logins. The main benefit is that contained databases can become fully portable, allowing the Database Administrator to move them easily among SQL Server instances without having to resolve issues such as orphaned database users (database users not associated with a login).
Before proceeding with an example, it must be noted that currently, SQL Server 2012 provides partial database containment, meaning that a partially contained database can also allow some features that are outside of its scope.
Now let’s see how we can create and use a partially contained database in SQL Server 2012.
First, we need to enable “contained database authentication” on the SQL Server instance:
EXEC sp_configure 'contained database authentication', 1;
RECONFIGURE;
Then, we create the partially contained database (along with a sample table for demo purposes):
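--Create partially contained database (name lost from this listing; ContainedDbDemo is a placeholder)
CREATE DATABASE ContainedDbDemo CONTAINMENT = PARTIAL;
GO
USE ContainedDbDemo;
GO
--Create sample table with sample records (second column lost from this listing; descr is a placeholder)
CREATE TABLE tblSample (
id int,
descr varchar(50)
);
INSERT INTO tblSample VALUES
(10,'Sample value 1'),
(20,'Sample value 2'),
(30,'Sample value 3');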
The last step is to create the user(s) that will be accessing the contained database:
--Run in the context of the contained database
CREATE USER ContUser1 WITH PASSWORD = N'secure1$', DEFAULT_SCHEMA = [dbo];
EXEC sp_addrolemember 'db_owner', 'ContUser1';
*Note: You are also able to use a Windows login if preferred.
Now let’s try to log into the database using the user “ContUser1”:
Step 1: We enter the database user credentials.
Step 2: We enter the database name to connect to and click on “Connect”.
That’s it! As you can see from the screenshot below, the user “ContUser1” was able to successfully connect to the SQL Server instance’s database engine and has access only to the partially contained database he/she belongs to:
The last step is to run a simple query against the table created earlier, to check that our contained database user has access to the database’s objects:
As you can see from the above screenshot the table is fully accessible.
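Because a contained database user authenticates at the database rather than at the instance, it does not appear among the server logins, so a review of logins alone will not show it. The script below is an added example, not part of the original post: it inventories the instance setting, the contained databases, the users of the current database with their roles, and the entities that keep the database only partially contained. It relies only on catalog views and a DMV available in SQL Server 2012.

```sql
-- Constructed audit script; run in the context of the database under review,
-- as a principal that can see all server logins (for example a sysadmin).

-- 1. Is contained database authentication enabled on the instance?
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'contained database authentication';

-- 2. Which databases on the instance are partially contained?
SELECT name, containment_desc
FROM sys.databases
WHERE containment <> 0;

-- 3. Users in the current database: how each one authenticates, which roles
--    it holds, and whether a login-mapped SQL user has lost its login.
SELECT u.name AS user_name,
       u.type_desc,
       u.authentication_type_desc,   -- DATABASE = contained user with password
       r.name AS role_name,
       CASE WHEN u.authentication_type = 1 AND sp.sid IS NULL
            THEN 'orphaned' ELSE '' END AS login_status,
       u.create_date,
       u.modify_date
FROM sys.database_principals AS u
LEFT JOIN sys.database_role_members AS rm
       ON rm.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = rm.role_principal_id
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = u.sid
WHERE u.type IN ('S', 'U', 'G')      -- SQL users, Windows users, Windows groups
  AND u.principal_id > 4             -- skip dbo, guest, INFORMATION_SCHEMA, sys
ORDER BY u.authentication_type_desc, u.name;

-- 4. Objects and statements that reach outside the database boundary,
--    i.e. what keeps the database "partially" contained.
SELECT ue.class_desc,
       CASE WHEN ue.class = 1 THEN OBJECT_NAME(ue.major_id) END AS object_name,
       ue.statement_type,
       ue.feature_type_name,
       ue.feature_name
FROM sys.dm_db_uncontained_entities AS ue
ORDER BY ue.class_desc, object_name;
```

In the walkthrough's database, query 3 would list ContUser1 with authentication type DATABASE and role db_owner; rows marked orphaned are the login-mapped users that would need repair after a move to another instance.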
Contained databases are a significant new feature in SQL Server 2012. The portability derived from this feature provides a solution to critical business questions when it comes to the underlying data platform. Portability has always been a key factor in the software world. When it comes to the infrastructure level, and more specifically to the data platform, portability is extremely useful, and with contained databases in SQL Server 2012 it is now available!
Artemakis Artemiou Biography
Artemakis Artemiou is a SQL Server MVP and works as a Systems Engineer in the Information Technology Division of the Bank of Cyprus Group, specializing in advanced database systems engineering and infrastructure systems development. He holds many SQL Server certifications (MCTS, MCITP) on different versions of SQL Server. Artemakis is the president of the Cyprus .NET User Group (CDNUG) and the INETA-Europe Country Leader for Cyprus. He regularly writes articles on different SQL Server topics and publishes them on his blog or on other blogs as guest articles. Artemakis also participates as a speaker at many local user group events, as well as an invited speaker at local Microsoft conferences and workshops. You can find his blog at: http://aartemiou.blogspot.com. You can also find him on Twitter at: http://twitter.com/artemakis
Contained databases are useful, and they actually help make platform migration simple.
It is a good feature, but because of Audit and Risk concerns the organization is not going to allow it!
I heard that user/login access permissions can be retained in 'contained database' after failover/failback. But user permission/jobs...will not be retained if 'AlwaysOn High Availability' is used ONLY.
This is an issue because after failover/failback, a script has to be run to reinstate user/app access permissions.
Can you please elaborate more on using 'contained databases' in an AlwaysOn HA environment?
What really matters to the end user is that their application must work regardless of whether backend databases are on or off after failover/failback. Usually after failover, the application stops working because permission access is lost; then the DBA needs to apply/reinstate security permissions for each user/application again on the secondary server.
David N Nguyen.