 |
|
|
|
Next: Table is Ambiguous
|
| Author |
Message |
External
Since: Dec 12, 2008
Posts: 2
|
(Msg. 1) Posted: Fri Dec 12, 2008 10:43 am
Post subject: sql server 2005 security and schemas: an example please?
Archived from groups: microsoft>public>sqlserver>security (more info?)
|
|
|
Let me establish the following didactic escenario:
There are 1000 users registered in the active directory , 50 of them are
going to use an application that is not developed yet. They belong to
different departments.
Only the people of the TI support department can use the "sa" account of the
sql server.
The group of developers has 3 members. They must be provided with
privileges for the sql development in the base (create-alter-etc.) for
tables, views, stored procedures, etc.
The final users must not have privileges to do that, they will only read and
write data in tables, views, and execute stored procedures.
During the development, the developers sould test the functionallity of the
application by loggin in with privileges of a final user, so they can see if
it works fine.
At the end of the development, the access to the base must be revoqued to
the developers
Eventually, the number of users can raise, so they must use the tables,
views, stored procedures, etc. without intervention of the developent team.
The access to the sql server must be "Windows Authentication"
How to resolve this?
How do the queries should look like? (select * from XXXX.myTable)
Do they can be written without the XXXX prefix?
What is the order of creation for: the base, the schema, the login, the
users, etc.?
Could you answer with a step by step script?
Please include a sample of the sql code involved
Thanks in advance |
|
| Back to top |
|
 | |
External
Since: Aug 24, 2003
Posts: 1744
|
(Msg. 2) Posted: Sun Dec 14, 2008 4:25 am
Post subject: Re: sql server 2005 security and schemas: an example please? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
Robeito
First of all what vesrion of SQL Server are you using? If it is SQL Server
2005 you can schema object to separate different groups and give them
permission only for schema that belongs to them. It is very huge and
important topic, I'd suggest to spend a few days to study it
---Schemas and metadata permissions
USE dbDemo
GO
-- Create a dbo table
CREATE TABLE dbo.t (id int)
GO
-- new user
CREATE LOGIN Joe WITH password='jghghghj'
CREATE USER Joe FOR LOGIN Joe
GRANT CREATE TABLE TO Joe
GO
-- this fails, because Joe does not have permissions on schema 'dbo'
SETUSER 'Joe'
GO
CREATE TABLE t1 (id int)
GO
-- schema for Joe
SETUSER
GO
CREATE SCHEMA JoeSchema AUTHORIZATION Joe
GO
-- this still fails, because Joe does not have permissions on schema 'dbo'
SETUSER 'Joe'
GO
CREATE TABLE t1 (id int)
GO
-- this works
CREATE TABLE JoeSchema.t1 (id int)
GO
SETUSER
GO
--- Execution context
-- prepare
CREATE LOGIN Joe WITH PASSWORD = 'hj'
CREATE LOGIN Paul WITH PASSWORD = 'fff'
CREATE LOGIN Tom WITH PASSWORD = 'hhhhh'
GO
CREATE USER Joe FOR LOGIN Joe WITH DEFAULT_SCHEMA = Joe
CREATE USER Paul FOR LOGIN Paul WITH DEFAULT_SCHEMA = Paul
CREATE USER Tom FOR LOGIN Tom WITH DEFAULT_SCHEMA = Tom
CREATE SCHEMA JoeSchema AUTHORIZATION Joe
GO
CREATE SCHEMA PaulSchema AUTHORIZATION Paul
GO
CREATE SCHEMA TomSchema AUTHORIZATION Tom
GO
GRANT CREATE TABLE TO Joe, Paul, Tom
GRANT CREATE PROCEDURE TO Joe, Paul, Tom
GO
-- create as Joe
SETUSER 'Joe'
CREATE TABLE JoeSchema.Joetbl(id int)
GO
CREATE PROCEDURE JoeSchema.JoeProcNoDynamic
AS
SELECT * FROM JoeSchema.Joetbl
GO
CREATE PROCEDURE JoeSchema.JoeProcDynamic
AS
EXECUTE ('SELECT * FROM JoeSchema.JoeTab')
GO
GRANT EXECUTE ON JoeSchema.JoeProcNoDynamic TO Paul
GRANT EXECUTE ON JoeSchema.JoeProcDynamic TO Paul
GO
SETUSER
GO
"robeito" wrote in message
> Let me establish the following didactic escenario:
>
> There are 1000 users registered in the active directory , 50 of them are
> going to use an application that is not developed yet. They belong to
> different departments.
>
> Only the people of the TI support department can use the "sa" account of
> the
> sql server.
>
> The group of developers has 3 members. They must be provided with
> privileges for the sql development in the base (create-alter-etc.) for
> tables, views, stored procedures, etc.
>
> The final users must not have privileges to do that, they will only read
> and
> write data in tables, views, and execute stored procedures.
>
> During the development, the developers sould test the functionallity of
> the
> application by loggin in with privileges of a final user, so they can see
> if
> it works fine.
>
> At the end of the development, the access to the base must be revoqued to
> the developers
>
> Eventually, the number of users can raise, so they must use the tables,
> views, stored procedures, etc. without intervention of the developent
> team.
>
> The access to the sql server must be "Windows Authentication"
>
> How to resolve this?
> How do the queries should look like? (select * from XXXX.myTable)
> Do they can be written without the XXXX prefix?
> What is the order of creation for: the base, the schema, the login, the
> users, etc.?
>
> Could you answer with a step by step script?
> Please include a sample of the sql code involved
>
> Thanks in advance |
|
| Back to top |
|
| |
External
Since: May 30, 2004
Posts: 2061
|
(Msg. 3) Posted: Sun Dec 14, 2008 4:25 am
Post subject: Re: sql server 2005 security and schemas: an example please? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
|
|
| Back to top |
|
| |
External
Since: Aug 24, 2003
Posts: 1744
|
(Msg. 4) Posted: Sun Dec 14, 2008 7:25 am
Post subject: Re: sql server 2005 security and schemas: an example please? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
|
|
| Back to top |
|
| |
External
Since: Dec 12, 2008
Posts: 2
|
(Msg. 5) Posted: Mon Dec 15, 2008 8:07 am
Post subject: Re: sql server 2005 security and schemas: an example please? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
The 3 developers will share a common schema, could this be "dbo"?
Would this be enough to allow them to
create-alter-view-select-insert-execute...?
If so, how could they log in for testing as final users? Remember that
Windows Authentication is going to be used,
By the way, maybe the scripts should include something like "domain\username"
Thinking about the future, is it convenient to create a group in the active
directory and add the 50 final users to it?
Could the permissions on the sql server be granted to that group?
Thanks for your time >> Stay informed about: sql server 2005 security and schemas: an example please? |
|
| Back to top |
|
| |
External
Since: May 30, 2004
Posts: 2061
|
(Msg. 6) Posted: Mon Dec 15, 2008 2:13 pm
Post subject: Re: sql server 2005 security and schemas: an example please? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
|
|
|
robeito (robeito@discussions.microsoft.com) writes:
> The 3 developers will share a common schema, could this be "dbo"?
> Would this be enough to allow them to
> create-alter-view-select-insert-execute...?
> If so, how could they log in for testing as final users? Remember that
> Windows Authentication is going to be used,
I think the best is that you create three database users without login,
one per developer. You grant these database-less users CONTROL on the
dbo schema. Then you grant three developers IMPERSONATE rights on one
each of these users. This means that when the developers need to create
a procedure, they do
EXECUTE AS USER = 'devuser1'
When they test the application, they are their normal self.
I've assumed here that the developers only need to work in this
particular database. If they need to do work on server level, it
may be better to create logins that they have impersonation rights
to.
One thing you need to be careful with is that the developers do not
grant their regular Windows users any extra permission beyond what
they need as mere users.
> Thinking about the future, is it convenient to create a group in the
> active directory and add the 50 final users to it?
> Could the permissions on the sql server be granted to that group?
Yes, you can grant permissions to a Windows group.
--
Erland Sommarskog, SQL Server MVP, esquel.DeleteThis@sommarskog.se
Links for SQL Server Books Online:
SQL 2008: http://msdn.microsoft.com/en-us/sqlserver/cc514207.aspx
SQL 2005: http://msdn.microsoft.com/en-us/sqlserver/bb895970.aspx
SQL 2000: http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx >> Stay informed about: sql server 2005 security and schemas: an example please? |
|
| Back to top |
|
| |
| Related Topics: | SQL Server 2005 security question - I am new to SQL Server 2005. I have a user who is db_owner equivalent. However, when he starts SQL Server Management Studio (logged in with his ID), he cannot see anyting in the Securables box under database user properties or database role..
The server principal "dhtest" is not able to access the da.. - Hi, I am running into an issue that I really need resolved today. Simply put, I am getting the error: The server principal "dhtest" is not able to access the database "dhtest2" under the current security context. (Microsoft SQL Se...
SQL 2005 express security issue - Hi, We just revamp our application from Access to use SQL Express 2005 as database engine, which is a standalone application running on client PC. I'm now simulating the scenario when I deploy the DB to client, how can I protect the database (or some...
Linked Server Security Trouble - Hello, I am having trouble configuring a linked server on a Windows domain that does not have Active Directory. I would like to be able to use Windows Authentication for this Linked Server. We are building an app that needs to run from SERVER1 and....
Migration from existing database server 2005 to new databa.. - Can we do online database migration from existing database server 2005 to new database server 2005, plz help me in this regard how to do it Thanks, Big |
|
You can post new topics in this forum
You can reply to topics in this forum
You can edit your posts in this forum
You can delete your posts in this forum
You can vote in polls in this forum
|
|
|
|
|
|
|
FAQ
Search
Profile
Private Messages
Log in
