Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

Table Security Expand / Collapse
Author
Message
Posted Monday, July 28, 2008 1:39 PM
Valued Member

Valued MemberValued MemberValued MemberValued MemberValued MemberValued MemberValued MemberValued Member

Group: General Forum Members
Last Login: Tuesday, December 16, 2014 1:38 PM
Points: 56, Visits: 353
I have a table which needs records inserted and updated. I do not want to grant select because that right will be abused. Is there a way to grant update and insert without granting select?



Thank you.
Francis S. Mazeika
Human Interface.
Post #542167
Posted Monday, July 28, 2008 1:55 PM


SSChampion

SSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampion

Group: General Forum Members
Last Login: Thursday, December 18, 2014 8:26 AM
Points: 10,381, Visits: 13,436
How can someone update a row they cannot see?

How do you abuse select?
Yes you can grant insert and update without select. I am of the opinion that you control access using stored procedures and views.




Jack Corbett

Applications Developer

Don't let the good be the enemy of the best. -- Paul Fleming

Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
How to Post Performance Problems
Crosstabs and Pivots or How to turn rows into columns Part 1
Crosstabs and Pivots or How to turn rows into columns Part 2
Post #542173
Posted Tuesday, July 29, 2008 10:14 AM
Valued Member

Valued MemberValued MemberValued MemberValued MemberValued MemberValued MemberValued MemberValued Member

Group: General Forum Members
Last Login: Tuesday, December 16, 2014 1:38 PM
Points: 56, Visits: 353
They abuse select by dumping the contents of tables using select * with no where clause. I was hoping that by granting update with out select they can't do table dumps. I may be able to set grant update without select but the code fails, I may need to go to views.

Thank you.
Francis S. Mazeika
Human Interface.
Post #542830
Posted Tuesday, July 29, 2008 10:19 AM


SSChampion

SSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampion

Group: General Forum Members
Last Login: Thursday, December 18, 2014 8:26 AM
Points: 10,381, Visits: 13,436
The reasons you give are why I avoid granting direct table access whenever possible. I typically only grant access to the database through stored procedures as I can control the ability of users to do select * from table.



Jack Corbett

Applications Developer

Don't let the good be the enemy of the best. -- Paul Fleming

Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
How to Post Performance Problems
Crosstabs and Pivots or How to turn rows into columns Part 1
Crosstabs and Pivots or How to turn rows into columns Part 2
Post #542839
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse