Give users access to databases depending on which Active Directory group they are a member of.
Julian Milano-440574 (Grasshopper, General Forum Members, Points: 14, Visits: 88)
I have a SQL Server 2005 database server which end-users have RDP access to; their reason is that they need to administer their own databases. The problem here is that the SQL server is now a terminal server where users have full administrator access to the server and all databases on it, and management is OK with this!?

I would like to secure the server, but I am not a SQL person, so my goal is to create Active Directory groups, one for each database, and assign relevant users to those groups. I then wish to secure each database by assigning access to the database to only those users in the relevant groups.

Is this possible? If so, I would really appreciate a detailed set of instructions on how to set this up. Thanks.

PS. The users log onto their workstation as aUser but have admin accounts to access the databases, say adminUser. I can't see anywhere in the SQL Server Management Studio logon where you can specify a different active directory user to logon as?
Shawn Melton (Ten Centuries, General Forum Members, Points: 1097, Visits: 3490)
This is how to add an AD group in SQL Server through a New Query window:

USE [master]
GO
-- Windows logins, groups included, are written with the domain prefix: DOMAIN\name
CREATE LOGIN [DOMAIN\AD_group_name] FROM WINDOWS WITH DEFAULT_DATABASE=[user_database]
GO



PS. The users log onto their workstation as aUser but have admin accounts to access the databases, say adminUser. I can't see anywhere in the SQL Server Management Studio logon where you can specify a different active directory user to logon as?

You can explicitly say when you see this user, change credentials to this user. Whichever account they open SSMS with is the account they work under. There is an EXECUTE AS statement that can be used but that is within T-SQL code.

The right plan depends on how many users we are talking about. With a small number you could just restrict each account individually. With a large number of users, you could probably create an AD group like SQL_AdminLockdown, then add that group to SQL and deny the major Admin permissions to that group that you don't want any user to be able to do. Like
USE master
DENY EXECUTE ON sp_detach_db TO [DOMAIN\SQL_AdminLockdown]



A lot of securing the server has to do with ignorance of the user. If they know how to do advanced things in SQL then they can probably figure out how to get around things. I would get your plan down on how much you actually can lock it down, without interfering with users, and then take that to management. If they want you to support it when something breaks, some rules have to be put in place on what a user can and cannot do. Then the users need to know the ramifications if those boundaries are crossed.

I would also look at creating server-side traces. This will allow you to monitor everything the user/group is doing on the server. This can be used as your backup document for disputes;-). User says "I did not do that, so-and-so did". Your response "Oh yeah, well according to this trace file your user account executed these commands against this database at this time.".

Shawn Melton
PS C:\>(Find-Me).TwitterURL
@wsmelton
PS C:\>(Find-Me).BlogURL
meltondba.wordpress.com
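The per-database setup Shawn describes, carried through end to end as an added example; this is not code from the thread. The domain CORP, the databases SalesDB and HRDB, the groups CORP\SQL_SalesDB_Admins, CORP\SQL_HRDB_Admins and CORP\SQL_AdminLockdown, and the member account CORP\jdoe are assumptions, and the AD groups must already exist because CREATE LOGIN ... FROM WINDOWS resolves them against the domain. Two points the thread leaves implicit: a login by itself grants nothing inside a database until a user is mapped to it there, and a DENY is never evaluated for members of sysadmin, so the lockdown group only bites once the RDP users are out of that role (on SQL Server 2005 the local BUILTIN\Administrators group is a sysadmin login by default, which is exactly how a local admin on the box becomes an admin of every database).

```sql
-- Added example, not code from the thread. Assumed names: domain CORP,
-- databases SalesDB and HRDB, AD groups CORP\SQL_SalesDB_Admins,
-- CORP\SQL_HRDB_Admins and CORP\SQL_AdminLockdown, member account CORP\jdoe.
-- SQL Server 2005 syntax throughout (sp_addrolemember rather than ALTER ROLE).
USE master;
GO
-- 1. See who is in sysadmin. Members bypass every permission check, so the
--    per-database and DENY controls below do nothing for them.
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';
-- On 2005, BUILTIN\Administrators is a sysadmin login by default, which is how
-- a local admin on the RDP box owns every database. Once a named DBA login is
-- in sysadmin, drop it:
-- EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin';
-- DROP LOGIN [BUILTIN\Administrators];
GO
-- 2. One login per AD group. Windows principals need the DOMAIN\ prefix and
--    the group must already exist in AD or CREATE LOGIN fails.
CREATE LOGIN [CORP\SQL_SalesDB_Admins] FROM WINDOWS WITH DEFAULT_DATABASE = [SalesDB];
CREATE LOGIN [CORP\SQL_HRDB_Admins]    FROM WINDOWS WITH DEFAULT_DATABASE = [HRDB];
GO
-- 3. A login grants nothing inside a database until a user is mapped to it
--    there. Map each group only into its own database and make it db_owner,
--    so SalesDB admins cannot even connect to HRDB.
USE SalesDB;
GO
CREATE USER [CORP\SQL_SalesDB_Admins] FOR LOGIN [CORP\SQL_SalesDB_Admins];
EXEC sp_addrolemember 'db_owner', 'CORP\SQL_SalesDB_Admins';
GO
USE HRDB;
GO
CREATE USER [CORP\SQL_HRDB_Admins] FOR LOGIN [CORP\SQL_HRDB_Admins];
EXEC sp_addrolemember 'db_owner', 'CORP\SQL_HRDB_Admins';
GO
-- 4. The lockdown group from Shawn's post. A DENY wins over any GRANT the same
--    person holds through another group, so put every RDP user in it.
--    Object-level DENYs go to database users, so the group needs a user in
--    master, where sp_detach_db lives.
USE master;
GO
CREATE LOGIN [CORP\SQL_AdminLockdown] FROM WINDOWS;
CREATE USER  [CORP\SQL_AdminLockdown] FOR LOGIN [CORP\SQL_AdminLockdown];
DENY EXECUTE ON sys.sp_detach_db TO [CORP\SQL_AdminLockdown];
-- Server-level permissions are denied to the login directly.
DENY ALTER ANY LOGIN, CREATE ANY DATABASE, ALTER ANY LINKED SERVER,
     ALTER SETTINGS, SHUTDOWN TO [CORP\SQL_AdminLockdown];
GO
-- 5. Check the result from a member's point of view. Windows groups themselves
--    cannot be impersonated, so impersonate a user who is in both
--    SQL_SalesDB_Admins and SQL_AdminLockdown (assumed: CORP\jdoe), then REVERT.
EXECUTE AS LOGIN = 'CORP\jdoe';
SELECT name, HAS_DBACCESS(name) AS can_connect FROM sys.databases;   -- HRDB: 0
SELECT HAS_PERMS_BY_NAME('sys.sp_detach_db', 'OBJECT', 'EXECUTE') AS can_detach,
       HAS_PERMS_BY_NAME(NULL, NULL, 'CREATE ANY DATABASE')         AS can_create_db;
REVERT;
GO
```

Run step 1 first and keep the output: if the RDP users (or BUILTIN\Administrators) are still listed under sysadmin, steps 2 to 4 change nothing for them until that is fixed. Step 5 is the check to repeat after every change, since a user who is in several AD groups gets the union of their grants with any DENY winning.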
Julian Milano-440574 (Grasshopper, General Forum Members, Points: 14, Visits: 88)
Thanks Shawn, I appreciate the explanation and will give it a go today. Btw, can this be done using the GUI as well?
david.c.holley (SSC-Enthusiastic, General Forum Members, Points: 113, Visits: 191)
I'm not a SQLServer God & Guru by any means, but I'd be doing a lot of reading up on security to ensure that one user doesn't accidentally (or deliberately) screw up another's data.
WayneS (SSCertifiable, General Forum Members, Points: 6220, Visits: 10398)
You might want to take a look into DDL triggers.

Wayne
Microsoft Certified Master: SQL Server 2008
Author - SQL Server T-SQL Recipes
If you can't explain to another person how the code that you're copying from the internet works, then DON'T USE IT on a production system! After all, you will be the one supporting it!
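Wayne's DDL trigger and Shawn's server-side trace, as one added audit example; this is not code from the thread. The table master.dbo.DDLAudit, the trigger name, the folder C:\SQLAudit and the DBA group CORP\SQL_DBAs are assumptions. Both controls differ from permissions in one useful way: they fire for sysadmin members too, so they work while the RDP users are still in that role; the flip side is that a sysadmin can disable the trigger or stop the trace, so treat them as evidence and a speed bump, not a boundary.

```sql
-- Added example, not code from the thread. Assumed: master.dbo.DDLAudit,
-- trigger trg_AuditDatabaseDDL, DBA group CORP\SQL_DBAs, folder C:\SQLAudit
-- (must exist and be writable by the SQL Server service account).
USE master;
GO
CREATE TABLE dbo.DDLAudit (
    EventTime   datetime       NOT NULL DEFAULT GETDATE(),
    LoginName   nvarchar(128)  NOT NULL,
    EventType   nvarchar(100)  NOT NULL,
    DatabaseNm  nvarchar(128)  NULL,
    ObjectName  nvarchar(128)  NULL,
    Blocked     bit            NOT NULL,
    CommandText nvarchar(max)  NULL
);
-- The trigger runs with the caller's permissions, so everyone needs INSERT
-- (and only INSERT) on the audit table or their DDL fails for the wrong reason.
GRANT INSERT ON dbo.DDLAudit TO public;
GO
-- Server-scoped DDL trigger: logs every DDL statement in any database plus
-- CREATE/ALTER/DROP DATABASE, and rolls back DROP DATABASE unless the caller
-- is in the DBA group. Order matters: the audit INSERT comes after the
-- ROLLBACK so it is not undone with the statement, and RAISERROR comes last.
CREATE TRIGGER trg_AuditDatabaseDDL
ON ALL SERVER
FOR DDL_DATABASE_LEVEL_EVENTS, DDL_DATABASE_EVENTS
AS
BEGIN
    DECLARE @evt xml; SET @evt = EVENTDATA();
    DECLARE @type nvarchar(100), @login nvarchar(128), @db nvarchar(128),
            @obj nvarchar(128), @cmd nvarchar(max), @blocked bit;
    SELECT @type  = @evt.value('(/EVENT_INSTANCE/EventType)[1]',    'nvarchar(100)'),
           @login = @evt.value('(/EVENT_INSTANCE/LoginName)[1]',    'nvarchar(128)'),
           @db    = @evt.value('(/EVENT_INSTANCE/DatabaseName)[1]', 'nvarchar(128)'),
           @obj   = @evt.value('(/EVENT_INSTANCE/ObjectName)[1]',   'nvarchar(128)'),
           @cmd   = @evt.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)');
    SET @blocked = 0;
    -- ISNULL: IS_MEMBER returns NULL for an unresolvable group; fail closed.
    IF @type = 'DROP_DATABASE' AND ISNULL(IS_MEMBER('CORP\SQL_DBAs'), 0) = 0
    BEGIN
        ROLLBACK;          -- undoes the DDL statement that fired the trigger
        SET @blocked = 1;
    END
    INSERT master.dbo.DDLAudit (LoginName, EventType, DatabaseNm, ObjectName, Blocked, CommandText)
    VALUES (@login, @type, @db, @obj, @blocked, @cmd);
    IF @blocked = 1
        RAISERROR('%s on %s by %s was blocked and logged; ask the DBA group.', 16, 1, @type, @db, @login);
END;
GO
-- Server-side trace: who ran which batch or RPC, from which host, in which
-- database. Option 2 = file rollover; each file is capped at @maxfilesize MB.
DECLARE @TraceID int, @maxfilesize bigint, @rc int, @on bit;
SET @maxfilesize = 50; SET @on = 1;
EXEC @rc = sp_trace_create @TraceID OUTPUT, 2, N'C:\SQLAudit\user_activity', @maxfilesize, NULL;
IF @rc <> 0 BEGIN RAISERROR('sp_trace_create failed, return code %d', 16, 1, @rc); RETURN; END
-- Events: 12 = SQL:BatchCompleted, 10 = RPC:Completed.
-- Columns: 1 TextData, 6 NTUserName, 8 HostName, 10 ApplicationName,
--          11 LoginName, 14 StartTime, 35 DatabaseName.
EXEC sp_trace_setevent @TraceID, 12,  1, @on;  EXEC sp_trace_setevent @TraceID, 10,  1, @on;
EXEC sp_trace_setevent @TraceID, 12,  6, @on;  EXEC sp_trace_setevent @TraceID, 10,  6, @on;
EXEC sp_trace_setevent @TraceID, 12,  8, @on;  EXEC sp_trace_setevent @TraceID, 10,  8, @on;
EXEC sp_trace_setevent @TraceID, 12, 10, @on;  EXEC sp_trace_setevent @TraceID, 10, 10, @on;
EXEC sp_trace_setevent @TraceID, 12, 11, @on;  EXEC sp_trace_setevent @TraceID, 10, 11, @on;
EXEC sp_trace_setevent @TraceID, 12, 14, @on;  EXEC sp_trace_setevent @TraceID, 10, 14, @on;
EXEC sp_trace_setevent @TraceID, 12, 35, @on;  EXEC sp_trace_setevent @TraceID, 10, 35, @on;
EXEC sp_trace_setstatus @TraceID, 1;   -- 1 starts; 0 stops; 2 closes and deletes the definition
SELECT @TraceID AS trace_id;           -- keep this; you need it to stop the trace
GO
-- The "I did not do that" query: read the rolled-over files back by login and host.
SELECT StartTime, LoginName, NTUserName, HostName, DatabaseName, TextData
FROM sys.fn_trace_gettable('C:\SQLAudit\user_activity.trc', DEFAULT)
WHERE TextData LIKE '%DROP %' OR TextData LIKE '%sp_detach_db%'
ORDER BY StartTime;
```

The trigger blocks only DROP DATABASE and logs everything else, which matches the thread's situation of users who are meant to administer their own databases; widen the IF once you know which DDL the users legitimately need. The trace captures statement text, so treat the .trc files as sensitive and keep C:\SQLAudit readable by DBAs only.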
