Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

Table Security Expand / Collapse
Author
Message
Posted Monday, July 28, 2008 1:39 PM
SSC Rookie

SSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC Rookie

Group: General Forum Members
Last Login: Thursday, April 10, 2014 9:55 AM
Points: 44, Visits: 267
I have a table which needs records inserted and updated. I do not want to grant select because that right will be abused. Is there a way to grant update and insert without granting select?



Thank you.
Francis S. Mazeika
Human Interface.
Post #542167
Posted Monday, July 28, 2008 1:55 PM


SSChampion

SSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampion

Group: General Forum Members
Last Login: Yesterday @ 12:06 PM
Points: 10,910, Visits: 12,546
How can someone update a row they cannot see?

How do you abuse select?
Yes you can grant insert and update without select. I am of the opinion that you control access using stored procedures and views.




Jack Corbett

Applications Developer

Don't let the good be the enemy of the best. -- Paul Fleming

Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
How to Post Performance Problems
Crosstabs and Pivots or How to turn rows into columns Part 1
Crosstabs and Pivots or How to turn rows into columns Part 2
Post #542173
Posted Tuesday, July 29, 2008 10:14 AM
SSC Rookie

SSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC Rookie

Group: General Forum Members
Last Login: Thursday, April 10, 2014 9:55 AM
Points: 44, Visits: 267
They abuse select by dumping the contents of tables using select * with no where clause. I was hoping that by granting update with out select they can't do table dumps. I may be able to set grant update without select but the code fails, I may need to go to views.

Thank you.
Francis S. Mazeika
Human Interface.
Post #542830
Posted Tuesday, July 29, 2008 10:19 AM


SSChampion

SSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampion

Group: General Forum Members
Last Login: Yesterday @ 12:06 PM
Points: 10,910, Visits: 12,546
The reasons you give are why I avoid granting direct table access whenever possible. I typically only grant access to the database through stored procedures as I can control the ability of users to do select * from table.



Jack Corbett

Applications Developer

Don't let the good be the enemy of the best. -- Paul Fleming

Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
How to Post Performance Problems
Crosstabs and Pivots or How to turn rows into columns Part 1
Crosstabs and Pivots or How to turn rows into columns Part 2
Post #542839
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse