SQLServerCentral is supported by Redgate
Implementing RBAC

SQLisAwE5OmE (Hall of Fame, 3.1K reputation)
All,

We are implementing RBAC (Role Based Access Control), and I have to create a number of customized DB roles with permissions in all the instances/databases. Does anyone have suggestions or a script to accomplish this? Please advise.

Thanks,
SueTons.

Regards,
SQLisAwe5oMe.

Steve Jones (SSC Guru, 145K reputation)
SQL Server roles won't help here. Row based access means you're using joins to help accomplish this.

A couple links that might help:
http://technet.microsoft.com/en-us/library/cc966395.aspx
http://stackoverflow.com/questions/1122513/how-to-implement-database-access-control-on-row-basis

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com

SQLisAwE5OmE (Hall of Fame, 3.1K reputation)
Steve Jones - SSC Editor (3/22/2013)
SQL Server roles won't help here. Row based access means you're using joins to help accomplish this.

A couple links that might help:
http://technet.microsoft.com/en-us/library/cc966395.aspx
http://stackoverflow.com/questions/1122513/how-to-implement-database-access-control-on-row-basis


I think you misunderstood my question, since you mentioned row-based and I said role-based. Are we talking about the same thing here?

SueTons.


Steve Jones (SSC Guru, 145K reputation)
You are right, I did. I was thinking row and misread that. I've seen RBAC mostly as row based, not role.

In terms of roles, there isn't a script to do this because the roles will have disparate requirements. Ultimately you need to map roles to specific tables and rights. Build a grid of the roles (admin, manager, developer, reporting user, data entry, etc.), the tables, and rights (select, insert, update, delete).

You can do this a few ways, but essentially drop two of these on the axis and the third in the middle.

Once you've determined who gets what rights, it's easy. Create the roles. Add the rights to the roles for the objects, move people into roles.


SQLisAwE5OmE (Hall of Fame, 3.1K reputation)
Steve Jones - SSC Editor (3/22/2013)
You are right, I did. I was thinking row and misread that. I've seen RBAC mostly as row based, not role.

In terms of roles, there isn't a script to do this because the roles will have disparate requirements. Ultimately you need to map roles to specific tables and rights. Build a grid of the roles (admin, manager, developer, reporting user, data entry, etc.), the tables, and rights (select, insert, update, delete).

You can do this a few ways, but essentially drop two of these on the axis and the third in the middle.

Once you've determined who gets what rights, it's easy. Create the roles. Add the rights to the roles for the objects, move people into roles.


Maybe I am still not clear about my requirement. I think there has to be a way I can do this using a script, because we have hundreds of instances and maybe 1000 or more databases, and I need to create these roles in every database.

Basically, we are looking to create some customized roles that will replace the SQL standard roles, for example db_datareader, etc.

So, you are saying this won't be doable?

SueTons.


Lynn Pettis (SSC Guru, 94K reputation)
SQLCrazyCertified (3/22/2013)
Steve Jones - SSC Editor (3/22/2013)
You are right, I did. I was thinking row and misread that. I've seen RBAC mostly as row based, not role.

In terms of roles, there isn't a script to do this because the roles will have disparate requirements. Ultimately you need to map roles to specific tables and rights. Build a grid of the roles (admin, manager, developer, reporting user, data entry, etc.), the tables, and rights (select, insert, update, delete).

You can do this a few ways, but essentially drop two of these on the axis and the third in the middle.

Once you've determined who gets what rights, it's easy. Create the roles. Add the rights to the roles for the objects, move people into roles.


Maybe I am still not clear about my requirement. I think there has to be a way I can do this using a script, because we have hundreds of instances and maybe 1000 or more databases, and I need to create these roles in every database.

Basically, we are looking to create some customized roles that will replace the SQL standard roles, for example db_datareader, etc.

So, you are saying this won't be doable?

SueTons.



What you want to do is doable, you just have to write the scripts. There is no magic script that is going to create the roles you need with the proper permissions for each role on each of the objects in each of the databases on hundreds of instances on an unknown number of servers. This is something you will need to determine. It will take time and effort to implement.

Lynn Pettis

For better assistance in answering your questions, click here
For tips to get better help with Performance Problems, click here
For Running Totals and its variations, click here or when working with partitioned tables
For more about Tally Tables, click here
For more about Cross Tabs and Pivots, click here and here
Managing Transaction Logs

SQL Musings from the Desert Fountain Valley SQL (My Mirror Blog)

SQLisAwE5OmE (Hall of Fame, 3.1K reputation)
I know this is doable by using sp_msforeachdb and a loop, but I'm not really sure where to begin.

SueTons.


Lynn Pettis (SSC Guru, 94K reputation)
The way I would start is to do the first one manually, creating the scripts as I went along using SSMS. Then it is just a matter of automating those scripts.

But you still need to start where Steve said before you even start applying these changes.


SQLisAwE5OmE (Hall of Fame, 3.1K reputation)
Lynn Pettis (3/22/2013)
The way I would start is to do the first one manually, creating the scripts as I went along using SSMS. Then it is just a matter of automating those scripts.

But you still need to start where Steve said before you even start applying these changes.


OK, thank you, I will look into it.

SueTons.


Steve Jones (SSC Guru, 145K reputation)
Are you saying you want a read-only and a read/write role, separate from db_datareader/db_datawriter?

That's easy to script.
Loop through all tables in all databases, grant rights to a standard named role (MyReadRole).
Add users to the role.

However if you want something that's not a pattern, you have to do it manually.

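The pattern Steve describes above (loop through all tables in every database, grant to a standard named role, add members), combined with Lynn's advice to script the first database by hand and then automate it, as an added T-SQL example that is not from this thread or any of its posters. The role name app_reader, the optional member name, and the decision to touch only online, writable user databases are assumptions. It enumerates sys.databases rather than the undocumented sp_MSforeachdb mentioned earlier in the thread, which is known to skip databases.

```sql
SET NOCOUNT ON;

-- Assumed names (not from the thread): the custom role and an optional
-- database user or Windows group to place in it.
DECLARE @RoleName   sysname = N'app_reader';
DECLARE @MemberName sysname = NULL;          -- e.g. N'DOMAIN\ReportingUsers'

-- Work done inside each database. Names are passed as parameters and
-- wrapped in QUOTENAME, so nothing is spliced into a statement as raw text.
DECLARE @Template nvarchar(max) = N'
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = @RoleName AND type = ''R'')
BEGIN
    DECLARE @CreateRole nvarchar(300) = N''CREATE ROLE '' + QUOTENAME(@RoleName) + N'';'';
    EXEC sys.sp_executesql @CreateRole;
END;

-- One GRANT per user table, built from the catalog rather than typed by hand.
DECLARE @Grants nvarchar(max) = N'''';
SELECT @Grants += N''GRANT SELECT ON '' + QUOTENAME(s.name) + N''.'' + QUOTENAME(t.name)
                + N'' TO '' + QUOTENAME(@RoleName) + N'';'' + NCHAR(10)
FROM sys.tables AS t
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE t.is_ms_shipped = 0;

IF @Grants <> N''''
    EXEC sys.sp_executesql @Grants;

-- Membership is optional and only attempted when the principal already
-- exists in this database (ALTER ROLE ... ADD MEMBER needs SQL Server 2012+).
IF @MemberName IS NOT NULL
   AND EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @MemberName)
BEGIN
    DECLARE @AddMember nvarchar(600) = N''ALTER ROLE '' + QUOTENAME(@RoleName)
                                     + N'' ADD MEMBER '' + QUOTENAME(@MemberName) + N'';'';
    EXEC sys.sp_executesql @AddMember;
END;
';

-- Enumerate databases from the catalog instead of the undocumented
-- sp_MSforeachdb, which can silently skip databases.
DECLARE @DbName sysname;
DECLARE @Sql    nvarchar(max);

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE database_id > 4                 -- skip master, tempdb, model, msdb
      AND state_desc = N'ONLINE'
      AND is_read_only = 0;

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @DbName;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- A three-part name on sp_executesql runs the template in the context
    -- of that database, so no USE statement is needed.
    SET @Sql = N'EXEC ' + QUOTENAME(@DbName)
             + N'.sys.sp_executesql @Template, N''@RoleName sysname, @MemberName sysname'', @RoleName, @MemberName;';

    BEGIN TRY
        EXEC sys.sp_executesql @Sql,
             N'@Template nvarchar(max), @RoleName sysname, @MemberName sysname',
             @Template, @RoleName, @MemberName;
        PRINT N'Done: ' + @DbName;
    END TRY
    BEGIN CATCH
        -- Keep going; report the database that failed and why.
        PRINT N'Failed: ' + @DbName + N' - ' + ERROR_MESSAGE();
    END CATCH;

    FETCH NEXT FROM db_cursor INTO @DbName;
END;

CLOSE db_cursor;
DEALLOCATE db_cursor;
```

Run it on each instance as a sysadmin, or as a login that is db_owner in every target database; each database is processed inside its own TRY/CATCH so one failure does not abort the rest. Two caveats before treating the new role as a drop-in replacement for db_datareader: per-table grants cover neither views nor tables created after the run, so either re-run the script on a schedule or grant at schema level instead (GRANT SELECT ON SCHEMA::dbo TO app_reader); and creating the role in the model database makes every database created afterwards inherit it. Once it has run, sys.database_permissions joined to sys.database_principals in each database shows exactly what the role holds, which is the check to compare against the role/table/rights grid Steve suggests.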