Click here to monitor SSC
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


Worst Practices - Assigning Users Rights


Worst Practices - Assigning Users Rights

Author
Message
Steve Jones
Steve Jones
SSC Guru
SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)

Group: Administrators
Points: 52494 Visits: 19009
Comments posted to this topic are about the content posted at http://www.sqlservercentral.com/columnists/sjones/wp_userrights.asp

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
David.Poole
David.Poole
SSCertifiable
SSCertifiable (6.1K reputation)SSCertifiable (6.1K reputation)SSCertifiable (6.1K reputation)SSCertifiable (6.1K reputation)SSCertifiable (6.1K reputation)SSCertifiable (6.1K reputation)SSCertifiable (6.1K reputation)SSCertifiable (6.1K reputation)

Group: General Forum Members
Points: 6107 Visits: 3239
Whole heartedly agree.

I also remove all rights assigned to the PUBLIC group/role so that a user has to be explicitly associated with a specific role. You don't come in one morning and find a strange IUSR_WebServer user in your database!

I also use NT security with a lot of my database, but NOT the NT administrators group.

I'm fortunate in that I can dictate exactly what goes on in my database so I also remove any direct on tables so that everything has to come via stored procedures.

I find that once my developers see the performance increase of stored procedures and realise how much simpler a stored procedure makes their life I find they become absolute zealots on the subject!

LinkedIn Profile

Newbie on www.simple-talk.com
Andy Warren
Andy Warren
SSCrazy Eights
SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)

Group: Moderators
Points: 9551 Visits: 2729
Very well said!

I totally agree. The arguments I get are "this is the only user I'll ever need" which usually occurs because the developer will be using a sql login embedded in the application. This isn't a bad argument, as arguments go. The other is "no other user will need these exact permissions/it takes TOOOOO much time to make a role for just one person, why would you do that". Not a good argument.

I definitely agree with David about removing access to Public! Stored procedures aren't always an option, depending on how/who/when the app was built.

I thought the reasons you presented were sound - much better than the other knucklehead who rights worst practices articles...what's his name again?

Andy

Andy
SQLAndy - My Blog!
Connect with me on LinkedIn
Follow me on Twitter
Steve Jones
Steve Jones
SSC Guru
SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)

Group: Administrators
Points: 52494 Visits: 19009
I think that other knuckclehead was Genghis Warren.

Glad you guys agree. This is one area that I think causes more problems than it solves.

I hate embedding logins in an application. At the least, it should be in a text file (can be encrypted) so it can be changed. Nothing worse than a security breach causing an app to be recompiled. Especially if you have distributed this to clients.

Steve Jones
steve@dkranch.net

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Andy Warren
Andy Warren
SSCrazy Eights
SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)

Group: Moderators
Points: 9551 Visits: 2729
The problem with embedding login/password is there arent any simple good alternatives (depending on your definition of simple and good). If you're going to encrypt something, do it well or you might be making it worse instead of better.

I'd like to see a discussion of the alternatives.

Andy

Andy
SQLAndy - My Blog!
Connect with me on LinkedIn
Follow me on Twitter
Steve Jones
Steve Jones
SSC Guru
SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)

Group: Administrators
Points: 52494 Visits: 19009
I agree there isn't a good alternative. IMHO, it's poor practice to allow an application to log in without requiring a user to log in as well.

The only good solution I saw, was an app that logged into a login server and submitted a user/pwd. The result set then "told" the app where to go for the real database. Hard part here was replicating login information.

Steve Jones
steve@dkranch.net

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
VegaMachine
VegaMachine
Ten Centuries
Ten Centuries (1.1K reputation)Ten Centuries (1.1K reputation)Ten Centuries (1.1K reputation)Ten Centuries (1.1K reputation)Ten Centuries (1.1K reputation)Ten Centuries (1.1K reputation)Ten Centuries (1.1K reputation)Ten Centuries (1.1K reputation)

Group: General Forum Members
Points: 1066 Visits: 4
I have removed the BUILTIN/Administrators group, since our hardware people are NT admins and don't really need them rootin around in SQL. I also have created several groups, General Users, Confidential Data Viewers, etc…, but I also have a few singled out users that I assign rights to on an individual basis. Most are Admins, but on occasion we have visiting engineers that revolve around the company that require changes to their access almost daily, then they are gone. I find it easier to adjust their rights as needed then to create a group for a one time thing.



- Vega
Andy Warren
Andy Warren
SSCrazy Eights
SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)SSCrazy Eights (9.6K reputation)

Group: Moderators
Points: 9551 Visits: 2729
But how much longer would it take to do it "the right" way?

Andy

Andy
SQLAndy - My Blog!
Connect with me on LinkedIn
Follow me on Twitter
VegaMachine
VegaMachine
Ten Centuries
Ten Centuries (1.1K reputation)Ten Centuries (1.1K reputation)Ten Centuries (1.1K reputation)Ten Centuries (1.1K reputation)Ten Centuries (1.1K reputation)Ten Centuries (1.1K reputation)Ten Centuries (1.1K reputation)Ten Centuries (1.1K reputation)

Group: General Forum Members
Points: 1066 Visits: 4
1 user in 1 group, whats the difference?



- Vega
Steve Jones
Steve Jones
SSC Guru
SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)SSC Guru (52K reputation)

Group: Administrators
Points: 52494 Visits: 19009
Where there's one, there will often be more. What's wrong with having a Eng1 group and adjusting the rights there? If they leave, you are no worse off. If they come back or someone takes their place, then you are covered. You can also remove teh user and leave the role.

Steve Jones
steve@dkranch.net

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search