Windows AD Groups Question
Del Lee
SSC Veteran

Group: General Forum Members
Points: 278 Visits: 1193
We want to introduce Integrated Security and use Windows Groups to simplify some things in our SQL Server access. I believe I understand how this works, but I want to verify that the following scenario will work in the way that I understand it:

GroupA will be assigned to the db_datareader role in a given database.

GroupB will be assigned both the db_datareader and db_datawriter roles in the same database.

A couple of users will be part of both groups because the groups are also used for file access that is unrelated to SQL Server. I want to verify that the users who are members of both groups will still be able to make changes to the data. As I understand it, they should, as long as no DENY command has been used on GroupA which would prevent making changes to the data.

Thanks,



Del Lee
Orlando Colamatteo
SSCrazy Eights

Group: General Forum Members
Points: 8243 Visits: 14368
Del Lee (3/25/2013)
We want to introduce Integrated Security and use Windows Groups to simplify some things in our SQL Server access. I believe I understand how this works, but I want to verify that the following scenario will work in the way that I understand it:

GroupA will be assigned to the db_datareader role in a given database.

GroupB will be assigned both the db_datareader and db_datawriter roles in the same database.

A couple of users will be part of both groups because the groups are also used for file access that is unrelated to SQL Server. I want to verify that the users who are members of both groups will still be able to make changes to the data. As I understand it, they should, as long as no DENY command has been used on GroupA which would prevent making changes to the data.

Thanks,

You are correct: the user will have the permissions granted to both Roles if they are a member of both Groups. It's a good idea not to overlap permissions like this, however, since it makes it more difficult to troubleshoot. Consider removing db_datareader permissions from GroupB and just adding all Windows Users that need reader and writer permissions to both Windows Groups as needed, or leave things as they are with the Group permissions but only add each Windows User to one or the other Group, and never both.

On a side note, the use of db_datareader and db_datawriter is a red flag for me. The use of them tells me there is a strong potential for violating the idea of only granting 'least privilege.' If it is a non-production environment and this is for QA or Development personnel to have access to do some work, then I am a little more lenient, but for production I avoid adding anyone to those Database Roles.

__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato
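The scenario from the thread as a T-SQL script, added here and not written by either poster: it maps the two groups to database users, assigns the roles as described, then shows that a member of both groups gets the union of the GRANTs, that a single DENY on GroupA overrides the write rights coming from GroupB, and how to audit a database for existing DENYs instead of assuming there are none. CONTOSO\GroupA, CONTOSO\GroupB, CONTOSO\alice, SalesDB and dbo.Orders are placeholder names.

```sql
-- Added example (not from the thread). Placeholder principals and objects:
-- CONTOSO\GroupA, CONTOSO\GroupB, CONTOSO\alice (a member of both groups),
-- database SalesDB and table dbo.Orders. Run as sysadmin.
USE [SalesDB];
GO
-- Map each Windows group to a login and a database user.
CREATE LOGIN [CONTOSO\GroupA] FROM WINDOWS;
CREATE LOGIN [CONTOSO\GroupB] FROM WINDOWS;
CREATE USER [CONTOSO\GroupA] FOR LOGIN [CONTOSO\GroupA];
CREATE USER [CONTOSO\GroupB] FOR LOGIN [CONTOSO\GroupB];
-- Role membership exactly as described in the question.
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\GroupA];
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\GroupB];
ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\GroupB];
GO
-- Check 1: effective permissions of a user who is in both groups.
-- GRANTs coming through each group are unioned, so INSERT/UPDATE/DELETE
-- show up next to SELECT. EXECUTE AS LOGIN for a Windows account that only
-- has access via group membership requires the instance to resolve the
-- account against the domain.
EXECUTE AS LOGIN = 'CONTOSO\alice';
SELECT permission_name
FROM sys.fn_my_permissions('dbo.Orders', 'OBJECT')
WHERE permission_name IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE');
REVERT;
GO
-- Check 2: a DENY on GroupA wins over the GRANT that GroupB's role supplies,
-- which is exactly the case the question asks about.
DENY INSERT, UPDATE, DELETE ON SCHEMA::dbo TO [CONTOSO\GroupA];
GO
EXECUTE AS LOGIN = 'CONTOSO\alice';
-- Returns 1 while the write is allowed and 0 once the DENY above applies.
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'INSERT') AS can_insert;
REVERT;
GO
-- Audit: every DENY in the database, with the securable it sits on, so the
-- "no DENY on GroupA" assumption can be checked rather than trusted.
SELECT pr.name AS principal,
       pe.permission_name,
       pe.class_desc,
       CASE pe.class_desc
            WHEN 'SCHEMA'           THEN SCHEMA_NAME(pe.major_id)
            WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_NAME(pe.major_id)
            ELSE DB_NAME()
       END AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.state_desc = 'DENY';
```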