Windows AD Groups Question
Posted Monday, March 25, 2013 9:12 AM
We want to introduce Integrated Security and use Windows Groups to simplify some things in our SQL Server access. I believe I understand how this works, but I want to verify that the following scenario will work in the way that I understand it:

GroupA will be assigned to the db_datareader role in a given database.

GroupB will be assigned both db_datareader and db_datawriter role in the same database.

A couple of users will be part of both groups because the groups are also used for file access that is unrelated to SQL Server. I want to verify that the users who are members of both groups will still be able to make changes to the data. As I understand it, they should, as long as no DENY command has been used on GroupA that would prevent making changes to the data.

Thanks,

Del Lee
Post #1434968
Posted Monday, March 25, 2013 11:39 AM
Del Lee (3/25/2013): (question quoted above)

You are correct, the user will have the permissions granted to both Roles if they are a member of both Groups. It's a good idea not to overlap permissions like this, however, since it makes it more difficult to troubleshoot. Consider removing db_datareader permissions from GroupB and just adding all Windows Users that need reader and writer permissions to both Windows Groups as needed, or leave things as is with the Group permissions but only add each Windows User to one or the other Group, and never both.

On a side note, the use of db_datareader and db_datawriter are red flags for me. The use of them tells me there is a strong potential for violating the idea of only granting 'least privilege.' If it is a non-production environment and this is for QA or Development personnel to have access to do some work then I am a little more lenient, but for production I avoid adding anyone to those Database Roles.


__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato
Post #1435076
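A worked T-SQL example of the scenario in the question and of the two points in the reply (GRANTs accumulate across groups unless a DENY intervenes; db_datawriter is broader than least privilege requires). This is added here and is not code from either post. All names are assumptions: domain CORP, Windows groups CORP\GroupA and CORP\GroupB, database SalesDb with a schema Sales containing table Sales.Orders, and a domain user CORP\alice who is a member of both groups. The ALTER ROLE ... ADD MEMBER syntax is SQL Server 2012 or later; on 2008 use sp_addrolemember / sp_droprolemember.

```sql
-- Added example (not from the thread). Assumed names: domain CORP, groups
-- CORP\GroupA and CORP\GroupB, database SalesDb, schema Sales, table
-- Sales.Orders, and domain user CORP\alice who is in BOTH groups.
USE SalesDb;
GO

-- 1. Map the AD groups to server logins and database users.
CREATE LOGIN [CORP\GroupA] FROM WINDOWS;
CREATE LOGIN [CORP\GroupB] FROM WINDOWS;
CREATE USER  [CORP\GroupA] FOR LOGIN [CORP\GroupA];
CREATE USER  [CORP\GroupB] FOR LOGIN [CORP\GroupB];

-- 2. The setup from the question: GroupA reads, GroupB reads and writes.
ALTER ROLE db_datareader ADD MEMBER [CORP\GroupA];
ALTER ROLE db_datareader ADD MEMBER [CORP\GroupB];
ALTER ROLE db_datawriter ADD MEMBER [CORP\GroupB];
GO

-- 3. Effective permissions of a user who is in both groups. EXECUTE AS LOGIN
--    resolves alice's group memberships through the domain, so this check
--    only works where the instance can reach a domain controller (assumption).
EXECUTE AS LOGIN = 'CORP\alice';
SELECT HAS_PERMS_BY_NAME('Sales.Orders', 'OBJECT', 'SELECT') AS can_select,
       HAS_PERMS_BY_NAME('Sales.Orders', 'OBJECT', 'INSERT') AS can_insert;
-- Expected 1, 1: GRANTs accumulate over every group and role the user belongs to.
REVERT;
GO

-- 4. Why the question asks about DENY: a DENY on ANY group the user is in wins,
--    regardless of what the other group's roles grant.
DENY INSERT, UPDATE, DELETE ON SCHEMA::Sales TO [CORP\GroupA];
EXECUTE AS LOGIN = 'CORP\alice';
SELECT HAS_PERMS_BY_NAME('Sales.Orders', 'OBJECT', 'INSERT') AS can_insert;
-- Expected 0: GroupB's db_datawriter membership no longer helps alice.
REVERT;
-- REVOKE removes a DENY as well as a GRANT; this restores step 2.
REVOKE INSERT, UPDATE, DELETE ON SCHEMA::Sales FROM [CORP\GroupA];
GO

-- 5. Catalog check to run before blaming role membership: every DENY held by
--    either group in this database. An empty result means no DENY is in play.
SELECT pr.name            AS grantee,
       pe.state_desc,
       pe.permission_name,
       pe.class_desc,
       CASE pe.class_desc
            WHEN 'SCHEMA'           THEN SCHEMA_NAME(pe.major_id)
            WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id)
            ELSE DB_NAME()
       END                AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN (N'CORP\GroupA', N'CORP\GroupB')
  AND pe.state = 'D';
GO

-- 6. Least-privilege alternative to db_datawriter, as the reply recommends for
--    production: a custom role scoped to the one schema the writers touch.
--    db_datawriter covers every table in every schema, including tables
--    created later; this role does not, and it grants no DELETE.
CREATE ROLE SalesWriter;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::Sales TO SalesWriter;
ALTER ROLE SalesWriter   ADD MEMBER  [CORP\GroupB];
ALTER ROLE db_datawriter DROP MEMBER [CORP\GroupB];
-- Dropping the reader role from GroupB also removes the overlap the reply
-- warns about: a member of both groups now gets SELECT from exactly one path.
ALTER ROLE db_datareader DROP MEMBER [CORP\GroupB];
GO
```

Step 5 is the query to keep at hand when a "should be able to write" ticket arrives: with nested groups, the DENY may sit on a group several hops away from the one you configured, and sys.database_permissions shows it without having to impersonate anyone.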