Give users access to databases depending on which Active Directory group they are a member of.

  • I have a SQL Server 2005 database server which end-users have RDP access to- their reason is that they need to administer their own databases. The problem here is that the SQL server is now a terminal server where users have full administrator access to the server and all databases on it- and management is OK with this!?

    I would like to secure the server, but I am not a SQL person, so my goal is to create Active Directory groups, one for each database, and assign relevant users to those groups. I then wish to secure each database by assigning access to the database to only those users in the relevant groups.

    Is this possible? If so, I would really appreaciate a detailed set of instructions on how to set this up. Thanks.

    PS. The users log onto their workstation as aUser but have admin accounts to access the databases, say adminUser. I can't see anywhere in the SQL Server Management Studio logon where you can specify a different active directory user to logon as?

  • This is how to add a AD group in SQL Server through a New Query window:

    USE [master]

    GO

    CREATE LOGIN [AD_group_name] FROM WINDOWS WITH DEFAULT_DATABASE=[user_database]

    GO

    PS. The users log onto their workstation as aUser but have admin accounts to access the databases, say adminUser. I can't see anywhere in the SQL Server Management Studio logon where you can specify a different active directory user to logon as?

    You can explicitly say when you see this user, change credentials to this user. Whichever account they open SSMS with is the account they work under. There is an EXECUTE AS statement that can be used but that is within T-SQL code.

    The right plan depends on how many users we are talking about. A small amount you could just restrict each account individually. A large number of users, you could probably create an AD group like SQL_AdminLockdown, and then add that group to SQL and deny the major Admin permissions to that group that you don't want any user to be able to do. Like DENY EXECUTE on sp_detach_db FROM SQL_AdminLockDown

    A lot of securing the server has to do with ignorance of the user. If they know how to do advanced things in SQL then they can probably figure out how to get around things. I would get your plan down on how much you actually can lock it down, without interfering with users, and then take that to management. If they want you to support it when something breaks, some rules have to be put in place on what a user can and cannot do. Then the users need to know the ramifications if those boundaries are crossed.

    I would also look at creating server-side traces. This will allow you to monitor everything the user/group is doing on the server. This can be used as your backup document for disputes;-). User says "I did not do that, so-and-so did". Your response "Oh yeah, well according to this trace file your user account executed these commands against this database at this time.".

    Shawn Melton
    Twitter: @wsmelton
    Blog: wsmelton.github.com
    Github: wsmelton

  • Thanks Shawn, I appreciate the explanation and will give it a go today. Btw, can this be done using the GUI as well?

  • I'm not a SQLServer God & Guru by anymeans, but I'd be doing a lot of reading up on security to ensure that one user doesn't accidentally (or deliberately) screw up another's data.

  • You might want to take a look into DDL triggers.

    Wayne
    Microsoft Certified Master: SQL Server 2008
    Author - SQL Server T-SQL Recipes


    If you can't explain to another person how the code that you're copying from the internet works, then DON'T USE IT on a production system! After all, you will be the one supporting it!
    Links:
    For better assistance in answering your questions
    Performance Problems
    Common date/time routines
    Understanding and Using APPLY Part 1 & Part 2

Viewing 5 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply