473,765 Members | 2,001 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

SQL Server Object Security

Hello,

We are using Access Front End (ADP Project) and SQL Server 2000
backend. SQL Server is using NT Security.

We do not want the users to access the the underlying tables. So, we
went to each table and unchecked 'Select'. We also placed an 'X' in
all columns for guest and public account.

Next, we created a view. The view has 'Select' permission given to the
users (it is also enforcing some business rules on whether a record
should be returned).

Access XP is behaving as expected - the tables are not showing up, and
a report can be created using the view.

Here is the test situation we have set up:
User 'test_a' has 'select' allowed on the view.
Built in user 'public' and 'guest' were not allowed on the view.

When we configured the view as stated above, 'test_a' did not have
access to the view (even though we specifically granted). It appears
the 'public' must also have at least 'Select'.

It is not the case for a member of BUILTIN\Adminis trators.

Is this expected behavior? Does SQL server not follow the NT Security
model? Or am I simply missing something with the 'public' role?

Should I create roles, then add users to the roles (so I can remove
public). This seems a little different than the NT model of
users/groups.

Also, thanks to Simon and Pete for their previous replies.

Jeff
no******@yahoo. com
Jul 20 '05 #1
3 4820
> We also placed an 'X' in
all columns for guest and public account.
The red 'X' denotes an explicit DENY. Because DENY takes precedence over a
GRANT, the effective result is that no users can access the view because all
users are members of the public role. It is generally best to avoid using
DENY unless you have a specific reason to use it.
Should I create roles, then add users to the roles (so I can remove
public). This seems a little different than the NT model of
users/groups.
Yes, it's a good practice to grant permissions to roles rather than
individual users. This allows you to more easily control data access via
role membership. You can ignore the public role unless you want to grant
permissions to all database users.

I suggest you clear (REVOKE) all permissions on the view and then grant
permissions only to those roles as desired.

--
Hope this helps.

Dan Guzman
SQL Server MVP

"Noloader" <no******@yahoo .com> wrote in message
news:6b******** *************** ***@posting.goo gle.com... Hello,

We are using Access Front End (ADP Project) and SQL Server 2000
backend. SQL Server is using NT Security.

We do not want the users to access the the underlying tables. So, we
went to each table and unchecked 'Select'. We also placed an 'X' in
all columns for guest and public account.

Next, we created a view. The view has 'Select' permission given to the
users (it is also enforcing some business rules on whether a record
should be returned).

Access XP is behaving as expected - the tables are not showing up, and
a report can be created using the view.

Here is the test situation we have set up:
User 'test_a' has 'select' allowed on the view.
Built in user 'public' and 'guest' were not allowed on the view.

When we configured the view as stated above, 'test_a' did not have
access to the view (even though we specifically granted). It appears
the 'public' must also have at least 'Select'.

It is not the case for a member of BUILTIN\Adminis trators.

Is this expected behavior? Does SQL server not follow the NT Security
model? Or am I simply missing something with the 'public' role?

Should I create roles, then add users to the roles (so I can remove
public). This seems a little different than the NT model of
users/groups.

Also, thanks to Simon and Pete for their previous replies.

Jeff
no******@yahoo. com

Jul 20 '05 #2
"Dan Guzman" <da*******@nosp am-earthlink.net> wrote in message news:<MU******* **********@news read2.news.pas. earthlink.net>. ..
We also placed an 'X' in
all columns for guest and public account.
The red 'X' denotes an explicit DENY. Because DENY takes precedence over a
GRANT, the effective result is that no users can access the view because all
users are members of the public role. It is generally best to avoid using
DENY unless you have a specific reason to use it.
Should I create roles, then add users to the roles (so I can remove
public). This seems a little different than the NT model of
users/groups.


Yes, it's a good practice to grant permissions to roles rather than
individual users. This allows you to more easily control data access via
role membership. You can ignore the public role unless you want to grant
permissions to all database users.

I suggest you clear (REVOKE) all permissions on the view and then grant
permissions only to those roles as desired.

--
Hope this helps.

Dan Guzman
SQL Server MVP

...


Hi Dan,

Thanks for the reply.
You can ignore the public role unless you want to grant
permissions to all database users.

We found if we revoke the deny role, other roles loose access. So
would you suggest we simply revoke (not deny) the public role and add
a role to encompass our users? If we deny the public role, then our
additional role does not have access to the view.

Also, what is the difference between revoke and deny. I've seen the
behavior it exhibits, but I was not able to get a good definition from
the help files.

Thanks,
Jeff
no******@yahoo. com
Jul 20 '05 #3
> So would you suggest we simply revoke (not deny) the public role and add
a role to encompass our users? If we deny the public role, then our
additional role does not have access to the view.
Yes, I suggest you start by revoking all object permissions. Then create
your own role(s), add role members and grant permissions to the role.
Also, what is the difference between revoke and deny. I've seen the
behavior it exhibits, but I was not able to get a good definition from
the help files.
This is a bit confusing and is why I discourage using DENY in most cases. A
GRANT adds a security entry that gives a user/role the specified permission.
A DENY adds a security entry that prohibits a user/role the specified
permission. The important point is that both GRANT and DENY *add* security
entries and, when conflicting entries exist, DENY takes precedence.

A REVOKE *removes* GRANT and DENY security entries so the result is no
permission entries. With no object permissions, the only users that can
directly access the object are:

1) the dbo user (includes sysadmin role members)

2) db_owner role members

3) db_datareader and db_datawriter role members (tables and views)

Other users can still access the object indirectly if the ownership chain is
unbroken and they have been granted permissions on the directly referenced
object. You can use unbroken ownership chains as a security mechanism by
allowing data access only via views and procs while prohibiting direct
access to the underlying data.

The example below illustrates how to implement this.

USE MyDatabase
GO

EXEC sp_addlogin 'MyUser1'
EXEC sp_addlogin 'MyUser2'

EXEC sp_addrole 'MyUserRole'
EXEC sp_addrole 'MyPowerUserRol e'

EXEC sp_adduser 'MyUser1'
EXEC sp_adduser 'MyUser2'

EXEC sp_addrolemembe r 'MyUserRole', 'MyUser1'
EXEC sp_addrolemembe r 'MyPowerUserRol e', 'MyUser2'
GO

CREATE TABLE MyTable
(
MyNonSensitiveD ata int NOT NULL,
MySensitiveData int NOT NULL
)
GO

CREATE VIEW MyView
AS
SELECT MyNonSensitiveD ata FROM MyTable
GO

GRANT SELECT ON MyView TO MyUserRole
GRANT ALL ON MyView TO MyPowerUserRole
GO

CREATE VIEW MyOtherView
AS
SELECT MyNonSensitiveD ata, MySensitiveData FROM MyTable
GO
GRANT ALL ON MyOtherView TO MyPowerUserRole
--
Hope this helps.

Dan Guzman
SQL Server MVP

"Noloader" <no******@yahoo .com> wrote in message
news:6b******** *************** ***@posting.goo gle.com... "Dan Guzman" <da*******@nosp am-earthlink.net> wrote in message

news:<MU******* **********@news read2.news.pas. earthlink.net>. ..
We also placed an 'X' in
all columns for guest and public account.


The red 'X' denotes an explicit DENY. Because DENY takes precedence over a GRANT, the effective result is that no users can access the view because all users are members of the public role. It is generally best to avoid using DENY unless you have a specific reason to use it.
Should I create roles, then add users to the roles (so I can remove
public). This seems a little different than the NT model of
users/groups.


Yes, it's a good practice to grant permissions to roles rather than
individual users. This allows you to more easily control data access via role membership. You can ignore the public role unless you want to grant permissions to all database users.

I suggest you clear (REVOKE) all permissions on the view and then grant
permissions only to those roles as desired.

--
Hope this helps.

Dan Guzman
SQL Server MVP

...


Hi Dan,

Thanks for the reply.
You can ignore the public role unless you want to grant
permissions to all database users.

We found if we revoke the deny role, other roles loose access. So
would you suggest we simply revoke (not deny) the public role and add
a role to encompass our users? If we deny the public role, then our
additional role does not have access to the view.

Also, what is the difference between revoke and deny. I've seen the
behavior it exhibits, but I was not able to get a good definition from
the help files.

Thanks,
Jeff
no******@yahoo. com

Jul 20 '05 #4

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
3
1525
SQL Server Object Security
by: Noloader | last post by:
Hello, We are using Access Front End (ADP Project) and SQL Server 2000 backend. SQL Server is using NT Security. We do not want the users to access the the underlying tables. So, we went to each table and unchecked 'Select'. We also placed an 'X' in all columns for guest and public account. Next, we created a view. The view has 'Select' permission given to the
Microsoft SQL Server
2
13519
C# Application not allowed to write to event log on Windows Server 2003
by: FrodoBaggins | last post by:
Dear Team, I am running Visual Studio 2003 Version 7.1.3088 on Windows Server 2003. I have written a C# application that must write to the event log. When it attempts to write to the event log, however, I get the following message on the browser shown below in bold text: Security Exception Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required...
.NET Framework
13
2283
Server Error in '/MyWebForm' Application
by: Edward Mitchell | last post by:
I have a problem that involves the error I receive when attempting to complete the asp.net web application example (Walkthrough: Creating a Web Application Using a Third-Party Business Object). When I first create the SQL connection in VS.NET 2003, I test the connection and everything works fine. However, when I attempt to run the first stage of the app (the bound datagrid), I receive an error stating: login failed for user...
ASP.NET
0
2229
Another Windows Server 2003 Security Issue?
by: Charles Leonard | last post by:
I am having yet another issue with Windows Server 2003. This time, the web service (a file import web service) appears to run except for one odd message: "ActiveX component can't create object". There are no other statements to indicate what object cannot be created. Otherwise, everything on the test Windows Server 2003 works fine—all import data updates correctly. Unfortunately, my normal development environment is not Windows...
.NET Framework
4
13191
Urgent: Timeout expired. The timeout period elapsed prior to completion of the operation or the server is not responding.
by: VB Programmer | last post by:
When I run my ASP.NET 2.0 web app on my dev machine it works perfect. When I precomile it to my web deployment project and then copy the debug files to my web server I get this problem when trying to login (obviously it's using ASPNETDB.mdf). Any ideas? Server Error in '/' Application. --------------------------------------------------------------------------------
ASP.NET
2
6966
Download the JAVA , .NET and SQL Server interview with answers
by: Jobs | last post by:
Download the JAVA , .NET and SQL Server interview with answers Download the JAVA , .NET and SQL Server interview sheet and rate yourself. This will help you judge yourself are you really worth of attending interviews. If you own a company best way to judge if the candidate is worth of it. http://www.questpond.com/InterviewRatingSheet.zip
C# / C Sharp
5
1939
Server Error in '/mates' Application.
by: James | last post by:
Hello, I have written a simple logon page that redirects to another page when successful. All works fine on my computer but when I upload it I get the error message below. I have written it in ASP.net v2, and have put it on IIS v6 on windows server 2003. I think it may be something to do with connection string to the database,
ASP.NET
17
2653
ASP and SQL Server 2005 Express
by: Anil Gupte | last post by:
I am using the following to try to connect to the database, but it does not seem to be working. Dim sConnString sConnString = "Provider=SQLNCLI.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=MediaDB;Data Source=MEDIAMACHINE\SQLEXPRESS" Connection.Open sConnString Dim Recordset Set Recordset=Server.CreateObject("ADODB.Recordset")
ASP / Active Server Pages
0
9398
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
Windows Server
0
10160
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
C / C++
0
10007
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
Online Marketing
1
9951
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
Windows Server
1
7378
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
Microsoft Access / VBA
0
5275
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
Networking - Hardware / Configuration
0
5421
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET
1
3924
transfer the data from one system to another through ip address
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
C# / C Sharp
2
3531
muto222
How to add payments to a PHP MySQL app.
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
PHP

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us