June 9, 2008 at 7:49 am
Ok....Here is the current model and my thoughts that I need some help with.....
Currently we have a couple of roles in the database that have the execute rights to the procedures.Then inside the procedures we do a check to see if you have rights to continue execution code below.......My question is can't all this be done through a group that the user could be added to instead of having "extra" logic in the procedure itself...seems ugly to me......
udf_IsAdmin()'checks to see if the user is in a role........
udf_CanManage()'checks to see if the user can update data
proc as normal
Can we not just place the user in the appropratie sql group and in turn that group manages execute rights????
Some example would help.....
June 9, 2008 at 2:02 pm
I would think so, yes.
[font="Times New Roman"]-- RBarryYoung[/font], [font="Times New Roman"] (302)375-0451[/font] blog: MovingSQL.com, Twitter: @RBarryYoung[font="Arial Black"]
Proactive Performance Solutions, Inc. [/font][font="Verdana"] "Performance is our middle name."[/font]
June 9, 2008 at 2:12 pm
Yes, you can do exactly what you're asking about.
Create a group, go to the Securables tab, use it to grant execution rights on the procs they should have access to, and to deny execution on the procs they should not have access to.
As you create or modify procs, make sure they end up with rights for the right groups.
Add users to the groups.
Then all you have to do is keep it up-to-date. Right users in the right groups, and right procs in the right groups, and you're good to go.
In an established database with a lot of procs, it takes a little work to set up initially. But it will save you time and make you more secure in the long run.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply