Worst Practices - Assigning Users Rights

  • Comments posted to this topic are about the content posted at http://www.sqlservercentral.com/columnists/sjones/wp_userrights.asp

  • Whole heartedly agree.

    I also remove all rights assigned to the PUBLIC group/role so that a user has to be explicitly associated with a specific role. You don't come in one morning and find a strange IUSR_WebServer user in your database!

    I also use NT security with a lot of my database, but NOT the NT administrators group.

    I'm fortunate in that I can dictate exactly what goes on in my database so I also remove any direct on tables so that everything has to come via stored procedures.

    I find that once my developers see the performance increase of stored procedures and realise how much simpler a stored procedure makes their life I find they become absolute zealots on the subject!

  • Very well said!

    I totally agree. The arguments I get are "this is the only user I'll ever need" which usually occurs because the developer will be using a sql login embedded in the application. This isn't a bad argument, as arguments go. The other is "no other user will need these exact permissions/it takes TOOOOO much time to make a role for just one person, why would you do that". Not a good argument.

    I definitely agree with David about removing access to Public! Stored procedures aren't always an option, depending on how/who/when the app was built.

    I thought the reasons you presented were sound - much better than the other knucklehead who rights worst practices articles...what's his name again?

    Andy

  • I think that other knuckclehead was Genghis Warren.

    Glad you guys agree. This is one area that I think causes more problems than it solves.

    I hate embedding logins in an application. At the least, it should be in a text file (can be encrypted) so it can be changed. Nothing worse than a security breach causing an app to be recompiled. Especially if you have distributed this to clients.

    Steve Jones

    steve@dkranch.net

  • The problem with embedding login/password is there arent any simple good alternatives (depending on your definition of simple and good). If you're going to encrypt something, do it well or you might be making it worse instead of better.

    I'd like to see a discussion of the alternatives.

    Andy

  • I agree there isn't a good alternative. IMHO, it's poor practice to allow an application to log in without requiring a user to log in as well.

    The only good solution I saw, was an app that logged into a login server and submitted a user/pwd. The result set then "told" the app where to go for the real database. Hard part here was replicating login information.

    Steve Jones

    steve@dkranch.net

  • I have removed the BUILTIN/Administrators group, since our hardware people are NT admins and don't really need them rootin around in SQL. I also have created several groups, General Users, Confidential Data Viewers, etc…, but I also have a few singled out users that I assign rights to on an individual basis. Most are Admins, but on occasion we have visiting engineers that revolve around the company that require changes to their access almost daily, then they are gone. I find it easier to adjust their rights as needed then to create a group for a one time thing.



    - Vega

  • But how much longer would it take to do it "the right" way?

    Andy

  • 1 user in 1 group, whats the difference?



    - Vega

  • Where there's one, there will often be more. What's wrong with having a Eng1 group and adjusting the rights there? If they leave, you are no worse off. If they come back or someone takes their place, then you are covered. You can also remove teh user and leave the role.

    Steve Jones

    steve@dkranch.net

  • People come and go so I agree that groups assigned to roles is the best way to go. I wonder what happens when you are on Active Directory native mode? Probably can't just pop into User Manager and create NT global group 5032. Also if you create global groups and your accounts domain is large then groups can get lost in the ether. So better have some sensible naming conventions before things get too far out of hand!

    We take the NT group thing one step further and make the application owner or their delegate the group owner and provide them with an application to maintain membership for their own NT group. It works fairly well and gets us DBAs out of the having to do very much group maintenance.

  • In native mode this is probably true (Andy?).

    This does, though, meet the division of roles. You should create the roles and hopefully they map to the network groups. If not, then you can still create your role and add domain users. Ideally, you'd use global groups and the network groups would map appropriately to database roles.

    Steve Jones

    steve@dkranch.net

  • In production area with sensitive information, assigning rights/sensitive DB/ to anybody/group, user, administrator.../ except one special user/with stored procedures exec access and with embedded internal security/ is a worst practice...

  • I agree that using NT groups (AD or not) is a good way to hand off administration to someone who has the time. You'd still want to map the NT group into a role, not assign permissions to the NT group (which is really a login/user). Double edged sword, if you've got an NT group that has full access to the HR db and someone adds 'everyone' to it by my mistake, oops!

    AD does offer some flexibility with regards to OU's - haven't needed it much so far as our network admin does most of the people configuring, moving people into/out of groups as they are reassigned or whatever.

    I consider this a good practice - having the DBA be the bottle neck for routine stuff like this doesn't make sense.

    Andy

    Andy

  • I disagree especially for the sensitive access. Sooner or later that special person will change and having a role makes that more secure. If you use AD or integrated security, the network people can revoke access and it applies to SQL automatically. Plus it's already setup to add a new person in there.

    Steve Jones

    steve@dkranch.net

Viewing 15 posts - 1 through 15 (of 16 total)

You must be logged in to reply to this topic. Login to reply