different user database permissions across servers


sslyle-1091060
I'm looking for an efficient way to grant/block database permissions based on which server a user connects to.

I have a development server that has a copy of a database which grants development users fairly open permissions (execute/create/drop/alter/read).

When I copy this database to the production server I want the development users to only have read access. I want this to happen for no more reason than that I copied the database between the two servers.

What is a way to get this done with very low administrative overhead?
george sibbald
Script up the database copy\restore and include the permission change in the script.

---------------------------------------------------------------------
sslyle-1091060
George. Thanks for the reply but it doesn't really give me much to go on. What I'm seeking would be some difference at the SERVER level.

What would be different with the servers' configurations that would accomplish this?

Do you have such a script as you suggest OR can you point me to SERVER level screens which I can utilize as the basis of my continued research?
george sibbald
Database permissions are held within the database, so when you copy a database across its permissions come across with it, so there are no server level configurations that can be used. You will need to make the permissions changes each time in the database, hence why I say script it. Do it through the GUI first time and use the script function to produce the SQL for you.

---------------------------------------------------------------------
sslyle-1091060
That it is only possible at the db level is exactly not what I wanted to hear - but expected as the answer.
Perry Whittle
sslyle-1091060 (1/28/2014)
I'm looking for an efficient way to grant/block database permissions based on which server a user connects to.

I have a development server that has a copy of a database which grants development users fairly open permissions (execute/create/drop/alter/read).

When I copy this database to the production server I want the development users to only have read access. I want this to happen for no more reason than that I copied the database between the two servers.

What is a way to get this done with very low administrative overhead?



The easiest way is to list out the database users and then drop them, then add them back with read permission only. Otherwise your script will have to list out current permissions too and then revoke them, messy!

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" ;-)
Lowell
A scheduled job could check each database, and if it finds the right role or user, perform the same script we are recommending above.

Lowell

--
help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!

sslyle-1091060
Thanks guys.
All good remarks.

Just getting to the fact that you cannot do this from the simpler server level is what I was thinking as far as I need to carry the conversation.

I appreciate your remarks. And the idea of an Agent Task will certainly pick up changes without my having to do it in the day-to-day routine.
Erland Sommarskog
First of all, don't grant access to the individual developers. Grant access to roles or Windows groups. If you grant the exec etc. access to a role, all you need to do in the restored database is to drop that role. Poof, permissions gone. There could still be a role that gives the developers membership in db_datareader.

You should spend too much effort on this part, because you will only copy from test to production once. You may copy in the other direction more often, though.

I'm assuming here that you are using Windows logins. If you use SQL Server logins, it is all a lot simpler - don't add the logins for the developers on the production server, but give them other logins.

Erland Sommarskog, SQL Server MVP, www.sommarskog.se
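
Added example, not code from any poster in this thread: a post-restore T-SQL batch that combines the "script it" advice with the role-based approach from the last reply, dropping the elevated role and keeping read access. AppDb, dev_full, [CORP\Developers] and PRODSQL01 are hypothetical names, and `ALTER ROLE ... DROP MEMBER` assumes SQL Server 2012 or later.

```sql
-- Run on the production server after the restore, as a single batch.
-- Hypothetical names: AppDb (the restored database), dev_full (role that holds
-- the EXECUTE/CREATE/ALTER grants on dev), [CORP\Developers] (Windows group user).
USE AppDb;
GO

-- Guard: permissions travel with the database, so refuse to run on the wrong server.
IF @@SERVERNAME <> N'PRODSQL01'   -- placeholder production server name
BEGIN
    RAISERROR(N'Not the production server; no changes made.', 16, 1);
    RETURN;
END;

IF DATABASE_PRINCIPAL_ID(N'dev_full') IS NOT NULL
BEGIN
    -- DROP ROLE fails while the role still has members, so remove them first.
    -- (It also fails if the role owns a schema; transfer ownership beforehand.)
    DECLARE @sql nvarchar(max) = N'';
    SELECT @sql += N'ALTER ROLE dev_full DROP MEMBER ' + QUOTENAME(m.name) + N';'
    FROM sys.database_role_members AS rm
    JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
    JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'dev_full';
    EXEC sys.sp_executesql @sql;

    -- Dropping the role removes every permission that was granted to it.
    DROP ROLE dev_full;
END;

-- Keep read-only access through the fixed db_datareader role.
IF DATABASE_PRINCIPAL_ID(N'CORP\Developers') IS NOT NULL
    ALTER ROLE db_datareader ADD MEMBER [CORP\Developers];

-- Check: permissions granted directly to the group survive the role drop.
-- Anything listed here beyond CONNECT needs an explicit REVOKE.
SELECT pr.name, pe.state_desc, pe.permission_name, pe.class_desc, pe.major_id
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'CORP\Developers';
```

The same batch can serve as the final step of the restore script or as the step of a SQL Server Agent job, as suggested earlier in the thread.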