RE: Is db_datareader and db_datawriter *typically* all that's needed?

  • lptech - Thursday, February 22, 2018 11:31 AM

    Even db_datareader and datawriter could be too much in today's environment. Do 'most users' really need to be able to read or update every table in the database? Not that there may be any malicious intent, but with all of the hacker activity going on in the world, one compromised workstation could do an incredible amount of damage. Better to set up application roles with only the required privileges.

    +1000.  PUBLIC and the privs to execute certain stored procedures should be enough, especially App logins.  Of course, that's the "Gold Standard" that most would never be happy with.  There is some good merit to apps being able to do C.R.U.D. without having to gen a bazillion C.R.U.D. procs.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


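As an added illustration of the "PUBLIC plus EXECUTE on certain procedures" model discussed above (example T-SQL written for this page, not code from the thread or its posters), the script below replaces db_datareader/db_datawriter with a custom role that holds only EXECUTE, relies on ownership chaining for the table access, verifies the effective rights, and audits what PUBLIC itself has been granted. The schema App, table App.Orders, procedure App.CreateOrder, role app_exec and user svc_app are assumed names.

```sql
-- Added example, not from the thread. Assumed names: schema App, table App.Orders,
-- procedure App.CreateOrder, database role app_exec, database user svc_app.

-- Starting point the thread questions: read/write on every table in the database.
-- ALTER ROLE db_datareader ADD MEMBER svc_app;
-- ALTER ROLE db_datawriter ADD MEMBER svc_app;

-- 1. Procedure that performs the write on the caller's behalf.
CREATE OR ALTER PROCEDURE App.CreateOrder
    @CustomerId int, @Amount decimal(18,2)
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO App.Orders (CustomerId, Amount) VALUES (@CustomerId, @Amount);
END;
GO

-- 2. Custom role that holds only EXECUTE on named procedures; svc_app keeps its
--    implicit PUBLIC membership and nothing else.
CREATE ROLE app_exec AUTHORIZATION dbo;
GRANT EXECUTE ON OBJECT::App.CreateOrder TO app_exec;
ALTER ROLE app_exec ADD MEMBER svc_app;
GO

-- Ownership chaining: App.CreateOrder and App.Orders share an owner (dbo), so the
-- INSERT inside the procedure runs without svc_app holding any table permission.
-- Caveat: dynamic SQL (EXEC / sp_executesql) inside the procedure breaks the chain,
-- and the caller would then need rights on the table itself.

-- 3. Verify the effective rights as the application user sees them (1 = held, 0 = not held).
EXECUTE AS USER = 'svc_app';
SELECT HAS_PERMS_BY_NAME('App.Orders', 'OBJECT', 'SELECT')       AS can_read_orders,
       HAS_PERMS_BY_NAME('App.Orders', 'OBJECT', 'INSERT')       AS can_insert_orders,
       HAS_PERMS_BY_NAME('App.CreateOrder', 'OBJECT', 'EXECUTE') AS can_exec_proc;
EXEC App.CreateOrder @CustomerId = 42, @Amount = 19.99;  -- works through the ownership chain
REVERT;
GO

-- 4. Audit object-level grants made to PUBLIC; every user inherits these, so the list should be empty.
SELECT OBJECT_SCHEMA_NAME(p.major_id) + '.' + OBJECT_NAME(p.major_id) AS object_name,
       p.permission_name, p.state_desc
FROM sys.database_permissions AS p
WHERE p.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
  AND p.class_desc = 'OBJECT_OR_COLUMN';

-- 5. Middle ground for CRUD without "a bazillion procs": scope table rights to one schema
--    rather than the whole database.
-- CREATE ROLE app_crud;
-- GRANT SELECT, INSERT, UPDATE ON SCHEMA::App TO app_crud;
```

Run the verification block as a member of the role being audited, or via EXECUTE AS as shown, so the result reflects inherited PUBLIC grants as well as the explicit ones.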