Implementing RBAC
SQLCrazyCertified
Posted Friday, March 22, 2013 9:57 AM
All,
We are implementing RBAC (Role Based Access Control), and I have to create a number of customized DB roles with permissions in all the instances/databases. Does anyone have suggestions or a script to accomplish this? Please advise.
Thanks,
SueTons.
Post #1434351
Steve Jones - SSC Editor
Posted Friday, March 22, 2013 10:06 AM
SQL Server roles won't help here. Row based access means you're using joins to help accomplish this.
A couple links that might help:
http://technet.microsoft.com/en-us/library/cc966395.aspx
http://stackoverflow.com/questions/1122513/how-to-implement-database-access-control-on-row-basis
Post #1434361
SQLCrazyCertified
Posted Friday, March 22, 2013 10:10 AM
Steve Jones - SSC Editor (3/22/2013)
> SQL Server roles won't help here. Row based access means you're using joins to help accomplish this.
> A couple links that might help:
> http://technet.microsoft.com/en-us/library/cc966395.aspx
> http://stackoverflow.com/questions/1122513/how-to-implement-database-access-control-on-row-basis
I think you misunderstood my question, since you mentioned row based and I said role based? Are we talking about the same here?
SueTons.
Post #1434370
Steve Jones - SSC Editor
Posted Friday, March 22, 2013 10:42 AM
You are right, I did. I was thinking row and misread that. I've seen RBAC mostly as row based, not role.
In terms of roles, there isn't a script to do this because the roles will have disparate requirements. Ultimately you need to map roles to specific tables and rights. Build a grid of the roles (admin, manager, developer, reporting user, data entry, etc.), the tables, and rights (select, insert, update, delete).
You can do this a few ways, but essentially drop two of these on the axes and the third in the middle.
Once you've determined who gets what rights, it's easy. Create the roles. Add the rights to the roles for the objects, move people into roles.
Post #1434391
SQLCrazyCertified
Posted Friday, March 22, 2013 11:07 AM
Steve Jones - SSC Editor (3/22/2013)
> You are right, I did. I was thinking row and misread that. I've seen RBAC mostly as row based, not role.
> In terms of roles, there isn't a script to do this because the roles will have disparate requirements. Ultimately you need to map roles to specific tables and rights. Build a grid of the roles (admin, manager, developer, reporting user, data entry, etc.), the tables, and rights (select, insert, update, delete).
> You can do this a few ways, but essentially drop two of these on the axes and the third in the middle.
> Once you've determined who gets what rights, it's easy. Create the roles. Add the rights to the roles for the objects, move people into roles.
Maybe I am still not clear with my requirement. I think there has to be a way that I can do this using a script, because we have hundreds of instances and maybe 1000 or more databases, and I need to create these roles in every database.
Basically, we are looking to create some customized roles that will replace the SQL standard roles, for example db_datareader, etc.
So, you are saying this won't be doable?
SueTons.
Post #1434412
Lynn Pettis
Posted Friday, March 22, 2013 11:19 AM
SQLCrazyCertified (3/22/2013)
> Steve Jones - SSC Editor (3/22/2013)
> > You are right, I did. I was thinking row and misread that. I've seen RBAC mostly as row based, not role.
> > In terms of roles, there isn't a script to do this because the roles will have disparate requirements. Ultimately you need to map roles to specific tables and rights. Build a grid of the roles (admin, manager, developer, reporting user, data entry, etc.), the tables, and rights (select, insert, update, delete).
> > You can do this a few ways, but essentially drop two of these on the axes and the third in the middle.
> > Once you've determined who gets what rights, it's easy. Create the roles. Add the rights to the roles for the objects, move people into roles.
> Maybe I am still not clear with my requirement. I think there has to be a way that I can do this using a script, because we have hundreds of instances and maybe 1000 or more databases, and I need to create these roles in every database.
> Basically, we are looking to create some customized roles that will replace the SQL standard roles, for example db_datareader, etc.
> So, you are saying this won't be doable?
> SueTons.
What you want to do is doable, you just have to write the scripts. There is no magic script that is going to create the roles you need with the proper permissions for each role on each of the objects in each of the databases on hundreds of instances on an unknown number of servers. This is something you will need to determine. It will take time and effort to implement.
Post #1434424
SQLCrazyCertified
Posted Friday, March 22, 2013 12:10 PM
I know this is doable by using sp_msforeachdb and a loop, but I'm not really sure where to begin.
SueTons.
Post #1434453
Lynn Pettis
Posted Friday, March 22, 2013 1:05 PM
The way I would start is to do the first one manually, creating the scripts as I went along using SSMS. Then it is just a matter of automating those scripts.
But you still need to start where Steve said before you even start applying these changes.
Post #1434488
SQLCrazyCertified
Posted Friday, March 22, 2013 1:34 PM
Lynn Pettis (3/22/2013)
> The way I would start is to do the first one manually, creating the scripts as I went along using SSMS. Then it is just a matter of automating those scripts.
> But you still need to start where Steve said before you even start applying these changes.
OK, thank you, I will look into it.
SueTons.
Post #1434501
Steve Jones - SSC Editor
Posted Friday, March 22, 2013 6:17 PM
Are you saying you want a read only and a read/write role? Separate from db_datareader/writer?
That's easy to script.
Loop through all tables in all databases, grant rights to a standard named role (MyReadRole).
Add users to the role.
However, if you want something that's not a pattern, you have to do it manually.
Post #1434555
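The approach described in the replies above (a grid of roles, tables and rights, then a loop over all tables in all databases granting to a standard named role), sketched in T-SQL as an added example that is not part of any poster's message. MyWriteRole, DataEntry, dbo.Orders and the temp-table names are hypothetical; the script only generates CREATE ROLE and GRANT statements for review and changes nothing itself.

```sql
-- Added example, not from the thread. MyWriteRole, DataEntry, dbo.Orders and the
-- temp-table names are hypothetical; only MyReadRole is named in the post.
SET NOCOUNT ON;
-- The grid: one row per role, right and table. NULL means every schema/table.
CREATE TABLE #grid (
    role_name   sysname    NOT NULL,
    perm        varchar(6) NOT NULL  -- concatenated unquoted below, so constrain it
        CHECK (perm IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE')),
    schema_name sysname    NULL,
    table_name  sysname    NULL
);
INSERT INTO #grid VALUES
    ('MyReadRole',  'SELECT', NULL,  NULL),
    ('MyWriteRole', 'SELECT', NULL,  NULL),
    ('MyWriteRole', 'UPDATE', NULL,  NULL),
    ('DataEntry',   'INSERT', 'dbo', 'Orders');
CREATE TABLE #script (id int IDENTITY PRIMARY KEY, db sysname, stmt nvarchar(max));

DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR   -- user databases only
    SELECT name FROM sys.databases
    WHERE database_id > 4 AND state_desc = 'ONLINE' AND is_read_only = 0;
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- The dynamic batch runs inside @db; both temp tables stay visible to it.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
      INSERT INTO #script (db, stmt)
      SELECT DB_NAME(), N''CREATE ROLE '' + QUOTENAME(r.role_name) + N'';''
      FROM (SELECT DISTINCT role_name FROM #grid) AS r
      WHERE DATABASE_PRINCIPAL_ID(r.role_name) IS NULL;
      INSERT INTO #script (db, stmt)
      SELECT DB_NAME(), N''GRANT '' + g.perm + N'' ON '' + QUOTENAME(s.name) + N''.''
             + QUOTENAME(t.name) + N'' TO ''
             + QUOTENAME(g.role_name) COLLATE DATABASE_DEFAULT + N'';''
      FROM #grid AS g
      JOIN sys.tables AS t ON t.is_ms_shipped = 0
       AND (g.table_name IS NULL OR t.name = g.table_name COLLATE DATABASE_DEFAULT)
      JOIN sys.schemas AS s ON s.schema_id = t.schema_id
       AND (g.schema_name IS NULL OR s.name = g.schema_name COLLATE DATABASE_DEFAULT);';
    EXEC (@sql);
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs; DEALLOCATE dbs;

-- Review, then run each stmt in its own database; add members afterwards (sp_addrolemember).
SELECT db, stmt FROM #script ORDER BY id;
```

It runs once per instance. The cursor over sys.databases stands in for the undocumented sp_msforeachdb, and the generated list doubles as a record of exactly which rights each role received.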