| Groups | Blog | Home |
sql server new users : SQL Security & User-Level Access
as the front end. I'm pretty good with Access and moderate with SQL. In the database, I was told that different users need to have access to certain tables and columsn in those tables. Some users need to be able to create new users to have access. So my admin user needs to grant "grant" permission to another user. The users, however, are stored in a table in the database called Members. Certain members in the Members table need to have access to the database. My question(s): Where is a good place to start when designing something like this? Is there some kind of add-in I can import and use or is there some other direction I should be headed? Any direction is much appreciated. -- Ian O'Betz Clear Results www.clearresults.net
Those are good articles. Good stuff. I'm printing them out and reading them
now. Thanks for your help. -- Ian O'Betz Clear Results www.clearresults.net [quoted text, click to view] "Andrea Montanari" <andrea.sqlDMO@virgilio.it> wrote in message http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=16029&DisplayTab=Arnews:38rmedF5qo5mpU1@individual.net... > hi Ian, > Ian O'Betz wrote: > > I've been asked to create an online database for my organization with > > Access as the front end. I'm pretty good with Access and moderate > > with SQL. In the database, I was told that different users need to > > have access to certain tables and columsn in those tables. Some users > > need to be able to create new users to have access. So my admin user > > needs to grant "grant" permission to another user. > > > > The users, however, are stored in a table in the database called > > Members. Certain members in the Members table need to have access to > > the database. > > > > My question(s): Where is a good place to start when designing > > something like this? Is there some kind of add-in I can import and > > use or is there some other direction I should be headed? Any > > direction is much appreciated. > > you are "reproducing" in a user table the security feature SQL Server > already offers out of the box.. > that's to say you could make your "admin user" member of the > db_securityadmin database role, in order to grant him permissions to grant > other users read/write access to the desired tables/views or exec privileges > to stored procedures... > I'm not an Access expert (on the contrary :) ) but I'm not aware of such an > add-in existence, so I think you have to code yourself such a dialog that > will enable permission managament... > Usually I'd create a set of database roles, making the desired database user > member of the required database role(s) and setting privileges at the role > base, not at the single user level... > so each database role would have a predefined set of permission to access > dbo.tableA, dbo.tableB and so on, and making a database user member of the > specified role will make him able to access (or not) the defined object. > > perhaps the following can be worth reading.. > http://www.windowsitpro.com/Article/ArticleID/16322/16322.html > ticle [quoted text, click to view] > http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=8552&DisplayTab=Article [quoted text, click to view] > -- > Andrea Montanari (Microsoft MVP - SQL Server) > http://www.asql.biz/DbaMgr.shtm http://italy.mvps.org > DbaMgr2k ver 0.10.0 - DbaMgr ver 0.56.0 > (my vb6+sql-dmo little try to provide MS MSDE 1.0 and MSDE 2000 a visual > interface) > --------- remove DMO to reply > >
It sounds like you have two security related items to consider. First of
all, SQL Server security is the overall security mechanism that is used which allows a user (login) to do something. If they don't have rights to perform an action they don't have rights. Secondly, it sounds like you have user (member) level security as well. Specific members can do some things (like create, read, update, or delete data) and others can only read specific data. How are you going to handle the SQL Server authentication? SQL Server authentication or integrated security (based on the network user)? You could do either. Depending on which option you choose you could solve the "who can do what" and "who can see what" problems in different ways. You could handle the entire security issue within your application by coding the business logic into the MS Access gui. You could also allow or deny specific things to each SQL Server login/user. It is possible to enforce security down to the column level if you are allowing direct table access. If you use stored procedures to retrieve data you could only retrieve the data that the user is authorized to see. You could also return all rows and columns to the application gui but only show the specific data that the user is authorized to see. You would use a different solution for each option. -- Keith [quoted text, click to view] "Ian O'Betz" <webmaster@(NoSpam)premier-ed.com> wrote in message
news:OOY1JFOIFHA.156@TK2MSFTNGP10.phx.gbl... > I've been asked to create an online database for my organization with Access > as the front end. I'm pretty good with Access and moderate with SQL. In the > database, I was told that different users need to have access to certain > tables and columsn in those tables. Some users need to be able to create new > users to have access. So my admin user needs to grant "grant" permission to > another user. > > The users, however, are stored in a table in the database called Members. > Certain members in the Members table need to have access to the database. > > My question(s): Where is a good place to start when designing something like > this? Is there some kind of add-in I can import and use or is there some > other direction I should be headed? Any direction is much appreciated. > > -- > Ian O'Betz > Clear Results > www.clearresults.net > > >
Because the users are going to be accessing the SQL Server through an .ade
file using runtime, I am forced to use SQL Server Authentication (If I understand everything correctly). I don't necessarily need to restrict access to specific columns of data, but I am going to need to break down security access levels. I'd like the users to be able to login to the SQL Server database using their username and password in the Members table. And based on roles, their access level is determined. I'm not sure how difficult that is going to be, but it would work well in the application. -- Ian O'Betz Clear Results www.clearresults.net [quoted text, click to view] "Keith Kratochvil" <sqlguy.back2u@comcast.net> wrote in message news:OKP$XYOIFHA.2564@tk2msftngp13.phx.gbl... > It sounds like you have two security related items to consider. First of > all, SQL Server security is the overall security mechanism that is used > which allows a user (login) to do something. If they don't have rights to > perform an action they don't have rights. > > Secondly, it sounds like you have user (member) level security as well. > Specific members can do some things (like create, read, update, or delete > data) and others can only read specific data. > > How are you going to handle the SQL Server authentication? SQL Server > authentication or integrated security (based on the network user)? You > could do either. Depending on which option you choose you could solve the > "who can do what" and "who can see what" problems in different ways. You > could handle the entire security issue within your application by coding the > business logic into the MS Access gui. You could also allow or deny > specific things to each SQL Server login/user. > > It is possible to enforce security down to the column level if you are > allowing direct table access. If you use stored procedures to retrieve data > you could only retrieve the data that the user is authorized to see. You > could also return all rows and columns to the application gui but only show > the specific data that the user is authorized to see. You would use a > different solution for each option. > > -- > Keith > > > "Ian O'Betz" <webmaster@(NoSpam)premier-ed.com> wrote in message > news:OOY1JFOIFHA.156@TK2MSFTNGP10.phx.gbl... > > I've been asked to create an online database for my organization with > Access > > as the front end. I'm pretty good with Access and moderate with SQL. In > the > > database, I was told that different users need to have access to certain > > tables and columsn in those tables. Some users need to be able to create > new > > users to have access. So my admin user needs to grant "grant" permission > to > > another user. > > > > The users, however, are stored in a table in the database called Members. > > Certain members in the Members table need to have access to the database. > > > > My question(s): Where is a good place to start when designing something > like > > this? Is there some kind of add-in I can import and use or is there some > > other direction I should be headed? Any direction is much appreciated. > > > > -- > > Ian O'Betz > > Clear Results > > www.clearresults.net > > > > > > >
I'm creating the project from scratch (not upgrading from Access), so no, I
didn't use the built-in user-level security. I will checkout that resource though. Thanks for your help. -- Ian O'Betz Clear Results www.clearresults.net [quoted text, click to view] "Mary Chipman [MSFT]" <mchip@online.microsoft.com> wrote in message news:us9h21hlcar8v0i7lloc7248kmp3vs26j6@4ax.com... > Did you use the built-in user-level security with Access? If so, then > SQL Server security works much the same way, with the ability to add > users to groups (called database roles in SQLS) where they inherit the > permissions granted to the role. You never want to grant permissions > directly to users because it becomes an administrative nightmare. > There are good resources on MSDN, see > http://msdn.microsoft.com/SQL/sqlsecurity/default.aspx to start with. > The major difference is that SQLS security is actually effective, and > failure to implement it correctly can compromise more than just the > database, so you'll want to learn as much as you can and plan > carefully before forging ahead. > > --Mary > > On Fri, 4 Mar 2005 10:40:41 -0700, "Ian O'Betz" > <webmaster@(NoSpam)premier-ed.com> wrote: > > >I've been asked to create an online database for my organization with Access > >as the front end. I'm pretty good with Access and moderate with SQL. In the > >database, I was told that different users need to have access to certain > >tables and columsn in those tables. Some users need to be able to create new > >users to have access. So my admin user needs to grant "grant" permission to > >another user. > > > >The users, however, are stored in a table in the database called Members. > >Certain members in the Members table need to have access to the database. > > > >My question(s): Where is a good place to start when designing something like > >this? Is there some kind of add-in I can import and use or is there some > >other direction I should be headed? Any direction is much appreciated. >
Did you use the built-in user-level security with Access? If so, then
SQL Server security works much the same way, with the ability to add users to groups (called database roles in SQLS) where they inherit the permissions granted to the role. You never want to grant permissions directly to users because it becomes an administrative nightmare. There are good resources on MSDN, see http://msdn.microsoft.com/SQL/sqlsecurity/default.aspx to start with. The major difference is that SQLS security is actually effective, and failure to implement it correctly can compromise more than just the database, so you'll want to learn as much as you can and plan carefully before forging ahead. --Mary On Fri, 4 Mar 2005 10:40:41 -0700, "Ian O'Betz" [quoted text, click to view] <webmaster@(NoSpam)premier-ed.com> wrote:
>I've been asked to create an online database for my organization with Access >as the front end. I'm pretty good with Access and moderate with SQL. In the >database, I was told that different users need to have access to certain >tables and columsn in those tables. Some users need to be able to create new >users to have access. So my admin user needs to grant "grant" permission to >another user. > >The users, however, are stored in a table in the database called Members. >Certain members in the Members table need to have access to the database. > >My question(s): Where is a good place to start when designing something like >this? Is there some kind of add-in I can import and use or is there some >other direction I should be headed? Any direction is much appreciated.
hi Ian,
[quoted text, click to view] Ian O'Betz wrote: > I've been asked to create an online database for my organization with > Access as the front end. I'm pretty good with Access and moderate > with SQL. In the database, I was told that different users need to > have access to certain tables and columsn in those tables. Some users > need to be able to create new users to have access. So my admin user > needs to grant "grant" permission to another user. > > The users, however, are stored in a table in the database called > Members. Certain members in the Members table need to have access to > the database. > > My question(s): Where is a good place to start when designing > something like this? Is there some kind of add-in I can import and > use or is there some other direction I should be headed? Any > direction is much appreciated. you are "reproducing" in a user table the security feature SQL Server already offers out of the box.. that's to say you could make your "admin user" member of the db_securityadmin database role, in order to grant him permissions to grant other users read/write access to the desired tables/views or exec privileges to stored procedures... I'm not an Access expert (on the contrary :) ) but I'm not aware of such an add-in existence, so I think you have to code yourself such a dialog that will enable permission managament... Usually I'd create a set of database roles, making the desired database user member of the required database role(s) and setting privileges at the role base, not at the single user level... so each database role would have a predefined set of permission to access dbo.tableA, dbo.tableB and so on, and making a database user member of the specified role will make him able to access (or not) the defined object. perhaps the following can be worth reading.. http://www.windowsitpro.com/Article/ArticleID/16322/16322.html http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=16029&DisplayTab=Article http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=8552&DisplayTab=Article -- Andrea Montanari (Microsoft MVP - SQL Server) http://www.asql.biz/DbaMgr.shtm http://italy.mvps.org DbaMgr2k ver 0.10.0 - DbaMgr ver 0.56.0 (my vb6+sql-dmo little try to provide MS MSDE 1.0 and MSDE 2000 a visual interface) --------- remove DMO to reply
Don't see what you're looking for? Try a search.
|
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |