May 15, 2017 at 4:31 am
Hello,
I am on a bit of a learning curver and started looking at the security issues in my databases. I can see that it is not a good idea to use the db_owner permission to grant users access to their specific database, altough I inherited a third party database and inherited whatever bad comes with it - everyone is a DB_OWNER.
Based on these links:
http://sqlmag.com/sql-server/5-reasons-against-allowing-dbowner-role-permissions
https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles
we know that anyone who has DB_OWNER can potentailly kill a database/sever. Howeever there doesn't seem to be anything about actually doing it correctly. In my example I created a new user and decided to use the following permissions:
| db_ddladmin | Members of the db_ddladmin fixed database role can run any Data Definition Language (DDL) command in a database. |
| db_datawriter | Members of the db_datawriter fixed database role can add, delete, or change data in all user tables. |
| db_datareader | Members of the db_datareader fixed database role can read all data from all user tables. |
The user needs to create/drop his own tables, he is mapped to one specific database. Can someone post any hints on what is the best practice?
Thanks,
Richard
May 15, 2017 at 5:07 am
Richard
You might consider a more granular security model, granting DML permissions on individual tables, EXECUTE permission on individual stored procedures, and DDL permissions at the schema level.
Does the user really need to create his own tables, though? How will the permissions for other users on those tables be managed? Is this a production database?
John
May 15, 2017 at 6:45 am
John Mitchell-245523 - Monday, May 15, 2017 5:07 AMRichardYou might consider a more granular security model, granting DML permissions on individual tables, EXECUTE permission on individual stored procedures, and DDL permissions at the schema level.
Does the user really need to create his own tables, though? How will the permissions for other users on those tables be managed? Is this a production database?
John
Hello,
it's actually sort of a reporting database (a mini database mart) for people who pull information from other databases and then create their own data set to do their reporting. There is one person resonsible for the whole team who manages (creates/deletes tables) and knows SQL very well. Think of it as a private database area for using as BI, so being able to create objects is a key function, hence the separate database. Otherwise I as a DBA would be nagged every 5 minutes to create/delete tables and maintain them. Not feasible in my structure. Hence a more generic approach, however with the least set of permissions I can possibly give.
May 15, 2017 at 7:01 am
Richard, why not setup a number of users for each type of access one for datareaders, one for writers etc. This breaks out the granularity and allows you to limit users to a specific function. Obviously this will depend on what is required by the users but as John said the more granular you make it the better.
May 15, 2017 at 7:09 am
By all means, give him CREATE TABLE permission on one of the schemas in the database. But know that if you do that, he'll be dragging data in from production databases at all times of the day, which may not be what you want. If your datamart is properly designed then this shouldn't be necessary.
John
May 16, 2017 at 3:45 am
Hello,
Thank you for your answers , you are all most helpful. I'll look into giving just CREATE TABLE permissions and a more granular approach.
Kind Regards,
May 16, 2017 at 4:05 am
Hmmm, I created a new test database (being an admin). I create a new user, let me call him XXX. The only thing I see in the properies is the database mapping where I have the database role memberships, there is no way I can give any granular access. In the securables tab there is no CREATE TABLE privilege. Is there any nice document I can have that would describe the process?
Do I need to use t-sql instead of the GUI?
Would this be a good place to start?
http://sqlmag.com/database-security/using-sql-server-permissions
Thanks
May 16, 2017 at 5:35 am
You'll need to GRANT the correct priviledge to the user of that database
USE AdventureWorks;
GRANT CREATE TABLE TO RichardM;
GO
This is where I originally got some of the information from https://docs.microsoft.com/en-us/sql/t-sql/statements/grant-database-permissions-transact-sql
Just so I'm not plagiarising.
May 19, 2017 at 2:16 am
Thank you all for your answers, I'll have to dig into the subject thoroughly. Infortunately due to the fact that the power user who is creating tables creates them so often it would not be feasible for me to keep an eye on this. I would be permanently engaged in CREATE TABLE + GRANT manual executions, unless I built a tool to maintain this kind of situation in a timely manner. It was a quick-and-dirty (my managerl has been warned!!!) solution as there was a lot of pressure on our IT to give those people a separate database. At least all newcomers won't have DB_OWNER privileges any more.
Kind Regards
Richard
Viewing 10 posts - 1 through 9 (of 9 total)
You must be logged in to reply to this topic. Login to reply