Implementing RBAC
SQLRNNR (SSC-Dedicated, General Forum Members)
Steve Jones - SSC Editor (3/22/2013)
Are you saying you want a read only and a read/write role? Separate from db_datareader/writer?

That's easy to script.
loop through all tables in all databases, grant rights to a standard named role (MyReadRole).
Add users to the role.

However if you want something that's not a pattern, you have to do it manually.


Agreed on the manual aspect for the roles that don't follow a pattern.

If a decision is made to grant access via stored procedures, the manual labor becomes a little easier.

But I have to wonder - if you are looking to recreate db_datareader, why?



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP


SQL RNNR

Posting Performance Based Questions - Gail Shaw

NielsGrove (SSC Journeyman, General Forum Members)
If you want to comply with the principle of Least Privilege, then you should start by talking with business.
I usually take the time to talk with business about their business roles, and what they do.
This I use to make a logical model, and when we agree on the functionality and the principles then I can make a physical model.
It is very important if you work in a high-security organisation to know the demands of security and audit.
With a physical model that is accepted by business, I can implement roles by AD-groups and user defined database- or server-roles. I do not use the default roles, as they do not comply with the principle of Least Privilege.
I usually name the roles by their function, which helps business, operations and service desk in the daily administration.
This is a huge task, but you will get new and unique knowledge about the business. In the long run your work will pay off.

/Niels Grove-Rasmussen
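As an added illustration of both posts above (this is example T-SQL written for this page, not code from either poster), the script below builds the "standard named role" Steve Jones describes, grants SELECT table by table rather than relying on db_datareader, and maps an AD group to it as Niels suggests. It is run once per database; YourDatabase and DOMAIN\ReportReaders are placeholder names, and the script assumes a server login for that group already exists.

```sql
-- Added example, not from the thread. Run per database as db_owner/sysadmin.
-- YourDatabase and DOMAIN\ReportReaders are placeholders; the AD group's
-- server login is assumed to exist already.
USE [YourDatabase];
GO

-- 1. Create the role once; a user-defined role starts with no permissions.
IF DATABASE_PRINCIPAL_ID(N'MyReadRole') IS NULL
    CREATE ROLE MyReadRole AUTHORIZATION dbo;
GO

-- 2. Loop over the user tables and grant SELECT on each one explicitly,
--    so the role holds only what was reviewed (unlike db_datareader, which
--    covers every table, including ones created later).
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'GRANT SELECT ON ' + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name)
             + N' TO MyReadRole;' + CHAR(10)
FROM sys.tables AS t
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE t.is_ms_shipped = 0;
EXEC sys.sp_executesql @sql;
GO

-- 3. Map the AD group to a database user and add that user to the role.
--    Membership is then managed in AD, not by editing grants.
IF DATABASE_PRINCIPAL_ID(N'DOMAIN\ReportReaders') IS NULL
    CREATE USER [DOMAIN\ReportReaders] FOR LOGIN [DOMAIN\ReportReaders];
ALTER ROLE MyReadRole ADD MEMBER [DOMAIN\ReportReaders];
GO

-- 4. Check: list exactly what the role can do before business signs it off.
SELECT dp.class_desc,
       OBJECT_SCHEMA_NAME(dp.major_id) AS schema_name,
       OBJECT_NAME(dp.major_id)        AS object_name,
       dp.permission_name,
       dp.state_desc
FROM sys.database_permissions AS dp
WHERE dp.grantee_principal_id = DATABASE_PRINCIPAL_ID(N'MyReadRole');
```

Step 2 has to be re-run (or the new table granted by hand) whenever a table is added, which is the trade-off for not using the default role.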