Give users access to databases depending on which Active Directory group they are a member of
Posted Tuesday, May 4, 2010 6:20 PM
I have a SQL Server 2005 database server which end-users have RDP access to- their reason is that they need to administer their own databases. The problem here is that the SQL server is now a terminal server where users have full administrator access to the server and all databases on it- and management is OK with this!?

I would like to secure the server, but I am not a SQL person, so my goal is to create Active Directory groups, one for each database, and assign relevant users to those groups. I then wish to secure each database by assigning access to the database to only those users in the relevant groups.

Is this possible? If so, I would really appreciate a detailed set of instructions on how to set this up. Thanks.

PS. The users log onto their workstation as aUser but have admin accounts to access the databases, say adminUser. I can't see anywhere in the SQL Server Management Studio logon where you can specify a different active directory user to logon as?
Post #915758
Posted Wednesday, May 5, 2010 8:25 AM
This is how to add an AD group in SQL Server through a New Query window:
USE [master]
GO
-- Windows logins are named DOMAIN\group; a login alone opens no database, so also create a user for it inside [user_database]
CREATE LOGIN [DOMAIN\AD_group_name] FROM WINDOWS WITH DEFAULT_DATABASE=[user_database]
GO

PS. The users log onto their workstation as aUser but have admin accounts to access the databases, say adminUser. I can't see anywhere in the SQL Server Management Studio logon where you can specify a different active directory user to logon as?

You can explicitly say when you see this user, change credentials to this user. Whichever account they open SSMS with is the account they work under. There is an EXECUTE AS statement that can be used but that is within T-SQL code.

The right plan depends on how many users we are talking about. A small amount you could just restrict each account individually. A large number of users, you could probably create an AD group like SQL_AdminLockdown, and then add that group to SQL and deny the major Admin permissions to that group that you don't want any user to be able to do. Like
DENY EXECUTE ON sp_detach_db TO [SQL_AdminLockdown]  -- run in master, where sp_detach_db lives; DENY names its principal with TO, not FROM

A lot of securing the server has to do with ignorance of the user. If they know how to do advanced things in SQL then they can probably figure out how to get around things. I would get your plan down on how much you actually can lock it down, without interfering with users, and then take that to management. If they want you to support it when something breaks, some rules have to be put in place on what a user can and cannot do. Then the users need to know the ramifications if those boundaries are crossed.

I would also look at creating server-side traces. This will allow you to monitor everything the user/group is doing on the server. This can be used as your backup document for disputes. User says "I did not do that, so-and-so did". Your response "Oh yeah, well according to this trace file your user account executed these commands against this database at this time.".


Shawn Melton
PS C:\>(Find-Me).TwitterURL
@wsmelton
PS C:\>(Find-Me).BlogURL
meltondba.wordpress.com
Post #916112
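A worked version of the approach in this answer, added here as an example and not the poster's own code; the domain CORP, the groups CORP\SalesDB_Admins and CORP\SQL_AdminLockdown and the database SalesDB are assumed names. It adds the per-database user that a login alone does not give you, and a check for the SQL Server 2005 default BUILTIN\Administrators login that would override all of it for users who are local administrators.

```sql
-- Assumed names: domain CORP, group CORP\SalesDB_Admins, database SalesDB,
-- lockdown group CORP\SQL_AdminLockdown. None of these come from the thread.
USE [master];
GO
-- Caveat for a box users RDP into as local administrators: SQL Server 2005 setup
-- makes BUILTIN\Administrators a sysadmin login, which bypasses everything below.
-- If it is listed, remove it once another sysadmin login exists: DROP LOGIN [BUILTIN\Administrators];
SELECT name FROM sys.server_principals WHERE name = 'BUILTIN\Administrators';
GO
-- One server login per AD group; membership is managed in AD, not in SQL Server.
CREATE LOGIN [CORP\SalesDB_Admins] FROM WINDOWS WITH DEFAULT_DATABASE = [SalesDB];
GO
USE [SalesDB];
GO
-- A login alone opens nothing; it needs a user in each database it may reach.
-- Creating the user only here keeps the group out of the other databases.
CREATE USER [SalesDB_Admins] FOR LOGIN [CORP\SalesDB_Admins];
-- Full control of this one database, no server-level rights.
EXEC sp_addrolemember 'db_owner', 'SalesDB_Admins';
GO
-- Lockdown group from the answer above: deny chosen master procedures to its members.
USE [master];
GO
CREATE LOGIN [CORP\SQL_AdminLockdown] FROM WINDOWS;
CREATE USER [SQL_AdminLockdown] FOR LOGIN [CORP\SQL_AdminLockdown];
DENY EXECUTE ON sys.sp_detach_db TO [SQL_AdminLockdown];
GO
-- Check 1: the group's role membership inside SalesDB (expect db_owner only).
SELECT r.name AS role_name
FROM SalesDB.sys.database_role_members rm
JOIN SalesDB.sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN SalesDB.sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = 'SalesDB_Admins';
-- Check 2: the deny recorded in master for the lockdown group.
SELECT state_desc, permission_name, OBJECT_NAME(major_id) AS object_name
FROM sys.database_permissions
WHERE grantee_principal_id = USER_ID('SQL_AdminLockdown');
```

Repeat the CREATE LOGIN / CREATE USER pair once per database and group; a user who belongs to several AD groups gets the union of their database users.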
Posted Wednesday, May 5, 2010 4:37 PM
Thanks Shawn, I appreciate the explanation and will give it a go today. Btw, can this be done using the GUI as well?
Post #916563
Posted Wednesday, May 5, 2010 5:49 PM
I'm not a SQLServer God & Guru by any means, but I'd be doing a lot of reading up on security to ensure that one user doesn't accidentally (or deliberately) screw up another's data.
Post #916592
Posted Wednesday, May 5, 2010 7:30 PM
You might want to take a look into DDL triggers.

Wayne
Microsoft Certified Master: SQL Server 2008
If you can't explain to another person how the code that you're copying from the internet works, then DON'T USE IT on a production system! After all, you will be the one supporting it!
Post #916617
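A concrete DDL trigger of the kind this answer points at, added here as an example and not the poster's own code; the database SalesDB, the audit table dbo.DDL_Audit and the trigger name are assumed. It records every DDL statement with the login that ran it, and blocks DROP TABLE for anyone who is not a sysadmin while still keeping the audit row.

```sql
USE [SalesDB];
GO
-- Audit table the trigger writes into (assumed name).
CREATE TABLE dbo.DDL_Audit (
    audit_id     int IDENTITY(1,1) PRIMARY KEY,
    event_time   datetime      NOT NULL DEFAULT GETDATE(),
    login_name   sysname       NOT NULL,
    event_type   sysname       NOT NULL,
    object_name  sysname       NULL,
    blocked      bit           NOT NULL,
    command_text nvarchar(max) NULL
);
GO
CREATE TRIGGER trg_DDL_Audit ON DATABASE
FOR DDL_DATABASE_LEVEL_EVENTS
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml, @login sysname, @type sysname, @obj sysname,
            @cmd nvarchar(max), @blocked bit;
    SET @e = EVENTDATA();   -- XML describing the DDL statement that fired the trigger
    SET @login = @e.value('(/EVENT_INSTANCE/LoginName)[1]', 'sysname');
    SET @type  = @e.value('(/EVENT_INSTANCE/EventType)[1]', 'sysname');
    SET @obj   = @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'sysname');
    SET @cmd   = @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)');
    SET @blocked = 0;

    -- Policy: only sysadmins may drop tables in this database.
    IF @type = 'DROP_TABLE' AND IS_SRVROLEMEMBER('sysadmin') = 0
    BEGIN
        ROLLBACK;        -- undoes the DROP; statements after this run in autocommit mode
        SET @blocked = 1;
    END

    -- Written after the ROLLBACK so the record survives even when the DDL is undone.
    INSERT INTO dbo.DDL_Audit (login_name, event_type, object_name, blocked, command_text)
    VALUES (@login, @type, @obj, @blocked, @cmd);

    IF @blocked = 1
        RAISERROR('DROP TABLE is blocked in this database; the attempt was logged.', 16, 1);
END;
GO
-- Review what the group's members have done:
SELECT event_time, login_name, event_type, object_name, blocked
FROM dbo.DDL_Audit ORDER BY event_time DESC;
```

Members of db_owner can disable or drop a database-scoped trigger, so this is a record and a guard-rail against mistakes rather than a boundary against a determined admin; a server-scoped trigger or the server-side trace suggested earlier in the thread sits outside their control.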