Running as SysAdmin

  • Horatiu Ripa (5/4/2011)


    - A fine grained authorization at application level can block one to update some fields while enabling you to edit others, I don't think you can cover this with SQL.

    SQL Server has provided this feature at least since SQL Server 2000 and possibly even before that.

    Granting, revoking, and denying permissions on columns is straightforward, for example

    GRANT SELECT ON MySchema.MyTable(Col1,Col4) TO SomeUser ;

    REVOKE UPDATE ON OBJECT::MySchema.MyTable(Col2) TO AnOther ;

    DENY SELECT ON OBJECT::MySchema.MyTable(Col3) TO SomeOneElse ;

    The only odd thing here is that a table level DENY doesn't override a column level GRANT.

    Tom
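As an added illustration (not part of Tom's post), the following T-SQL script walks through column-level SELECT permissions and the table-level DENY quirk he mentions. It assumes a scratch database; the table, column and user names are made up.

```sql
-- Added example, not from the thread. Assumes a throwaway database.
-- Names (dbo.Employees, ColUser) are constructed for the demo.
CREATE TABLE dbo.Employees (
    EmpId  int IDENTITY PRIMARY KEY,
    Name   nvarchar(50),
    Email  nvarchar(100),
    Salary money
);
INSERT INTO dbo.Employees (Name, Email, Salary)
VALUES (N'Alice', N'alice@example.test', 1000);

-- A user without a login is enough to test permissions inside one database.
CREATE USER ColUser WITHOUT LOGIN;

-- Least privilege: ColUser may read names and e-mail addresses, nothing else.
GRANT SELECT ON OBJECT::dbo.Employees (Name, Email) TO ColUser;

EXECUTE AS USER = 'ColUser';
    SELECT Name, Email FROM dbo.Employees;   -- succeeds
    -- SELECT Salary FROM dbo.Employees;     -- fails: no SELECT on column Salary
    -- SELECT * FROM dbo.Employees;          -- fails: would touch EmpId and Salary
    -- Check a single column without triggering an error:
    SELECT HAS_PERMS_BY_NAME('dbo.Employees', 'OBJECT', 'SELECT',
                             'Salary', 'COLUMN') AS CanReadSalary;  -- 0
REVERT;

-- The quirk: a table-level DENY does not take precedence over an
-- existing column-level GRANT (documented, kept for backward compatibility).
DENY SELECT ON OBJECT::dbo.Employees TO ColUser;

EXECUTE AS USER = 'ColUser';
    SELECT Name, Email FROM dbo.Employees;   -- still succeeds despite the DENY
REVERT;

-- To really block those columns, DENY (or REVOKE) at column level as well.
DENY SELECT ON OBJECT::dbo.Employees (Name, Email) TO ColUser;

EXECUTE AS USER = 'ColUser';
    SELECT HAS_PERMS_BY_NAME('dbo.Employees', 'OBJECT', 'SELECT',
                             'Name', 'COLUMN') AS CanReadName;      -- 0
REVERT;

-- Clean up the demo objects.
DROP USER ColUser;
DROP TABLE dbo.Employees;
```

When auditing a server, it is worth listing column-level grants explicitly (sys.database_permissions with minor_id <> 0), since a table-level DENY alone will not tell you what a principal can still read.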

  • dragonfly (12/21/2015)


    Netbackup from Symantec still requires the sysadmin role. Otherwise it fails.

    I mean - how long has the backup role been around. You'd think an organisation like Symantec would be more up to date with Security.:cool:

    I certainly wouldn't think that an outfit like Symantec would be up to date and competent in anything other than extracting money from their customers for their overpriced and undercapable products.

    Tom

  • Cody K (12/21/2015)


    andrew gothard (12/21/2015) In fact, using a highly privileged single account for app access is nothing more than deliberate incompetence.

    The last time I heard something like this said the person saying it was fired. Your job as a DBA doesn't extend to making demands about how vendors build their applications, nor making value judgements about their staff.

    I'm really glad we don't tolerate this kind of vicious attitude towards colleagues and vendors in our workplace 🙂

    Last time I said it to the CEO it resulted in my being stuck with choosing suppliers and also in the in-house development team being told to do security my way.

    I was really glad we didn't have to allow idiots with no concept of security in depth to ruin our service to our customers.

    Incidentally, we had security terms in our sales contracts which meant what our developers were doing would place us in breach of contract with all our customers and those terms had been in place long before I joined the company - but the development team apparently thought that didn't matter, it was all security nonsense, and they could do security in the apps - a bit like what you propose, I think.

    Tom

  • Cody K (12/21/2015)


    andrew gothard (12/21/2015) In fact, using a highly privileged single account for app access is nothing more than deliberate incompetence.

    The last time I heard something like this said the person saying it was fired. Your job as a DBA doesn't extend to making demands about how vendors build their applications, nor making value judgements about their staff.

    I'm really glad we don't tolerate this kind of vicious attitude towards colleagues and vendors in our workplace 🙂

    Heh... it's not a "vicious" attitude that's speaking there. While many DBAs may have been born at night, they weren't born "last night" and what you're hearing, as bombastic as it may seem, is sage advice honed by experience; the flames are fueled by the multiple failures of people that don't have that experience and failed because they didn't listen to advice in a more thoughtful manner. Sometimes you do have to break a 2x4 over the donkey's *** to get its attention.

    A DBA's job is to protect the data, protect the servers, ensure that the data is always available to those authorized to use it, and to protect the people using all that... sometimes from themselves... especially from 3rd party vendors and "insiders" that think that any app actually needs any direct privs (a compromise that many DBAs are compelled to put up with), never mind "sysadmin" privs. A good DBA will frequently do so even at their own expense.

    Firing the person who says "No and it's incompetent to do so" is the worst thing that a company can do. Perhaps it's time to start listening when a person gets to the point of citing incompetence of others because they only get to that point after they've given much quieter advice that fell on deaf ears.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • Jeff Moden (1/2/2016)


    Perhaps it's time to start listening when a person gets to the point of citing incompetence of others because they only get to that point after they've given much quieter advice that fell on deaf ears.

    I've learnt the very hard way that the only way that stands a chance of working is to state your case in a calm, confident manner. If you are a very calm person then a once-in-a-blue-moon outburst might be listened to but I wouldn't put money on it.

    You might be presented with an idea that sounds like the God of stupid has just invested their entire divine powers in a single individual and gifted them with the hand of cack. However, you have to say "I can see how you reached your conclusion and it might achieve the short goals but is likely to prevent you from achieving your more strategic objectives. For example....."

    The problem is that we became good at our jobs by being passionate about our subject. The DBAs I know treat their job as a vocation rather than a clock-watching exercise merely to fulfil a contractual obligation. Passion is good for your internal motivation but an absolute killer for external communication.

  • David.Poole (1/3/2016)


    ...Passion is good for your internal motivation but an absolute killer for external communication.

    Totally agree.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!
