SQL Database security Roles
To manage the permissions in databases, the system allows the usage of multiple user-defined roles. Domain users and group accounts can be assigned as members of these roles to assign permissions for database.
The following Database Roles exist in the database.
- LuwareDataLoader – this role has permissions to execute integration jobs.
- LuwareReporting – this role has permissions to execute all stored procedures in Reporting schema. This role is required to:
- Get data through Excel Power Pivot Reports (version 2.3 – 3.2)
- Get data through Excel Power Query Reports (any version)
- Get data through Power BI Reports (any version)
- Get data through SSRS Reports (any version)
- LuwareGetDataset (Release 3.3 and above) role has permissions to execute [Reporting].[usp_GetDataSet]. This role is the most secure way to grant access to the report user. This role is required to get data through Power BI and Excel Power Query Reports (version 3.3 and above)
- LuwareSystem – this role has permissions to run Luware application (PS Service).
Before configuring the role membership, it is important to understand the difference between SQL Server Logins and Users. Logins have the access to the server and Users have the access to the database. All work is done in the context of database, but to get to do the work, one needs to have firstly access to the SQL server. It means that to grant windows account permissions of a role, both Login and User are required.
Example: granting domain security group permissions to refresh data
The goal of this example is the permissions granting for a domain security group "Marketing" to get data in Excel Power Query and Power BI Reports using the "LuwareGetDataSet" role.
This scenario - with small changes- is applicable for granting other database roles to Users and Groups.
- Open SSMS and navigate to Object Explorer > Expand SQL Server > Security > Logins.
- Execute the right click and select New Login… in the opened context menu.
- On General page, ensure that Windows authentication is selected.
- On General page, click Search button
- Click Object Types and ensure that Groups are selected
- Click Locations and select Entire Directory
- Enter the object name, e.g. "Marketing" and click Check Names
- Click OK on Select User, Service Account, or Group window
- On the User Mapping page, find database, on which permissions are required.
- In the list of "Users mapped to this login" on database row, tick the according "Map" checkbox
- In the role membership select "LuwareGetDataSet" role in Database role Membership
- Click OK