The first concept to understand about SQL Server’s security model is the difference between authentication and authorization.
Authentication defines who is being given a right. SQL Server formally calls the authentication objects principals, but you’ll also see the older terms logins and users.
Authorization defines what rights are being given. Formally, these are called permissions. In modern versions of SQL Server, permissions are very granular and can be found on nearly every object in the instance. There’s also a vast hierarchy that interrelates all of the permissions. (We’ll cover permissions in a future post. For now, know that they’re there.)
Ed has started a series on security basics. Given that there are relatively few people who talk security (and even fewer who know security), I consider this a great thing.
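An added T-SQL example, not taken from Ed's post, that keeps the two ideas apart: it creates the principals, grants a single permission, and reads each back from its own catalog view. The database, login, user and table names and the password placeholder are assumptions made for illustration.

```sql
-- Added example. Hypothetical names: DemoDb, demo_login, demo_user, dbo.Orders.
USE DemoDb;
GO
CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, Amount money);
GO

-- Authentication side: create the principals (the "who").
-- Server-level principal (login). Replace the placeholder before running.
CREATE LOGIN demo_login WITH PASSWORD = '<placeholder-strong-password>';
-- Database-level principal (user) mapped to that login.
CREATE USER demo_user FOR LOGIN demo_login;
GO

-- The principal now exists, but nothing has been granted on dbo.Orders yet.
-- HAS_PERMS_BY_NAME returns 1 when the current principal holds the permission.
EXECUTE AS USER = 'demo_user';
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT') AS can_select_before_grant;
REVERT;
GO

-- Authorization side: grant a permission (the "what") to the principal.
GRANT SELECT ON OBJECT::dbo.Orders TO demo_user;
GO

EXECUTE AS USER = 'demo_user';
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT') AS can_select_after_grant;
REVERT;
GO

-- Principals are recorded in one set of catalog views...
SELECT name, type_desc FROM sys.server_principals   WHERE name = 'demo_login';
SELECT name, type_desc FROM sys.database_principals WHERE name = 'demo_user';

-- ...and permissions in another, linked back by principal_id.
SELECT pr.name AS principal,
       pe.permission_name,
       pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'demo_user'
  AND pe.class_desc = 'OBJECT_OR_COLUMN';
GO
```

The last query is also a useful audit starting point: dropping the `WHERE pr.name` filter lists every object-level grant in the database by grantee.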