As our customers demand that we tighten our IT security in the company,
I've been asked to prepare a report quarterly showing, for each user in
Active directory, what his effective permissions are for every table in
every database that he has permission for on our SQL Server 2000 server. I
searched a bit for a tool to do this, but all I found was the PERMISSIONS()
function for showing effective permissions of the current user. Is there
any way to do it for an arbitrary user, without logging in as them?
5  11613 
Ross Presser (rp******@imtek .com) writes: As our customers demand that we tighten our IT security in the company,
I've been asked to prepare a report quarterly showing, for each user in
Active directory, what his effective permissions are for every table in
every database that he has permission for on our SQL Server 2000 server.
I searched a bit for a tool to do this, but all I found was the
PERMISSIONS() function for showing effective permissions of the current
user. Is there any way to do it for an arbitrary user, without logging
in as them?
You would have to trawl system tables like syspermissions for this. I
decline to provide any samples, because you need account for roles,
including fixed server roles.
This you would do per database. You could set up views for all system
tables that are of interest like:
CREATE VIEW serverpermissio ns AS
SELECT dbname = 'master', * FROM master.dbo.sysp ermissions
UNION ALL
SELECT 'model', * FROM model.dbo.syspe rmissions
UNION ALL
...
Preferably such views would be built dynamically.
I would estimate that the devlopment time for a correct report would be
at least 40 hours. And it might produces over 100 pages of output that
I doubt that no one will ever get through.
--
Erland Sommarskog, SQL Server MVP, es****@sommarsk og.se
Books Online for SQL Server SP3 at http://www.microsoft.com/sql/techinf...2000/books.asp
On Wed, 15 Sep 2004 22:19:42 +0000 (UTC), Erland Sommarskog wrote: Ross Presser (rp******@imtek .com) writes: As our customers demand that we tighten our IT security in the company,
I've been asked to prepare a report quarterly showing, for each user in
Active directory, what his effective permissions are for every table in
every database that he has permission for on our SQL Server 2000 server.
I searched a bit for a tool to do this, but all I found was the
PERMISSIONS() function for showing effective permissions of the current
user. Is there any way to do it for an arbitrary user, without logging
in as them?
You would have to trawl system tables like syspermissions for this. I
decline to provide any samples, because you need account for roles,
including fixed server roles.
This you would do per database. You could set up views for all system
tables that are of interest like:
CREATE VIEW serverpermissio ns AS
SELECT dbname = 'master', * FROM master.dbo.sysp ermissions
UNION ALL
SELECT 'model', * FROM model.dbo.syspe rmissions
UNION ALL
...
Preferably such views would be built dynamically.
I would estimate that the devlopment time for a correct report would be
at least 40 hours. And it might produces over 100 pages of output that
I doubt that no one will ever get through.
Well, I may have talked them down somewhat. Here's what I offered them: http://www.sql-server-performance.com/rd_auditing2.asp has a stored
procedure that will list all roles that each database user belongs to.
The system stored procedure sp_helprotect lists all explicitly granted
permissions in the database, whether to a role or a database user, but not
including the system defined server roles or database roles like db_reader.
The system stored procedure sp_helplogins shows all the logins defined on
the server, and which database user and roles they map to in each database.
Between these three, I can picture a script that enumerates effective
permissions on each database object. for each sql login. Such a chart would
probably be 10-30 pages long at our site.
The last piece would be a script that takes each Active Directory user and
determines which sql login would apply. Determining a user's permissions
would then require looking up their AD user to find the sql login, then
looking up the sql login to find the permissions.
Looking forward, we plan to revise our security so that:
(a) all permissions are set at the user-defined role level
(b) no logins (except sa) are assigned to any system-defined server or
database roles
(c) sa is the dbo of all databases
What do you think?
Ross Presser (rp******@imtek .com) writes: Looking forward, we plan to revise our security so that:
(a) all permissions are set at the user-defined role level
(b) no logins (except sa) are assigned to any system-defined server or
database roles
(c) sa is the dbo of all databases
What do you think?
This does not sound right to me. It sounds almost right, but if I understand
this alright, all administration will be performed thruogh the "sa" account.
If you have exactly one DBA who knows this password, that is OK.
If you have more than one DBA, each one who is entitled to do admin
work on the server should be granted admin rights, either explicitly
or through BUILTIN/Administrators.
Anonymous high-power accounts like "sa" is not a good thing, since this
makes impossible to hold anyone accountable.
But plain users should be granted access through roles, and not by user.
And having only plain users and sysadmin users makes things a little easier.
But for security it's only good if you can afford to give anyone who needs
to something beyond simple access admin rights.
--
Erland Sommarskog, SQL Server MVP, es****@sommarsk og.se
Books Online for SQL Server SP3 at http://www.microsoft.com/sql/techinf...2000/books.asp
>> What do you think?
This does not sound right to me. It sounds almost right, but if I understand
this alright, all administration will be performed thruogh the "sa" account.
If you have exactly one DBA who knows this password, that is OK.
If you have more than one DBA, each one who is entitled to do admin
work on the server should be granted admin rights, either explicitly
or through BUILTIN/Administrators.
Anonymous high-power accounts like "sa" is not a good thing, since this
makes impossible to hold anyone accountable.
But plain users should be granted access through roles, and not by user.
And having only plain users and sysadmin users makes things a little easier.
But for security it's only good if you can afford to give anyone who needs
to something beyond simple access admin rights.
Very good point, but not quite what I intended. Although sa would be the
dbo, administration would be done through non-sa accounts that belonged to
user-defined roles that had been granted the needed admin rights, at
whatever granularity was needed.
I just didn't want any users getting rights that were not from roles, by
virtue of them being the dbo of a database (or owner of a table, etc.)
But now that I type these words, I realize that to prevent users from
owning databases or other objects, I will have to do all admin as sa, just
like you said! That's not very good...
Can the owner of an object be reassigned by some stored proc? Then I could
create the table as rpresser then immediately reassign it to sa (still as
rpresser).
Ross Presser (rp******@imtek .com) writes: Can the owner of an object be reassigned by some stored proc? Then I could
create the table as rpresser then immediately reassign it to sa (still as
rpresser).
sp_changeobject owner. rpresser would then have to have dbo permissions to
do this.
And in such case you should just as well say CREATE TABLE dbo.ladida the
first time round.
But I would suggest that it is better that you are logged in as
DOMAIN\rpresser and this account is a member of BUILTIN\Adminis trator.
You may want to pursue the topic in microsoft.sqlse rver.public.sec urity.
I might not be able to contribute more on the thread, since I'm going away
on holiday tomorrow.
--
Erland Sommarskog, SQL Server MVP, es****@sommarsk og.se
Books Online for SQL Server SP3 at http://www.microsoft.com/sql/techinf...2000/books.asp This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Shelly |
last post by:
I have a new server and I have my files up there. The files are in
/var/www/html/. In this directory I have another directory that I created
called "users". I am unable to figure out how to set permissions on this
directory, and what those permissions should be. I am using ShieldHost.
When there is a new user, and he enters his desired name and password, as
part of the process I want to create a small directory tree under "users"...
|
by: Bob Quintal |
last post by:
I have a report that prints a single record. Normally it's enter
one record, then print it.
This works great.
New requirement: Each record needs to be printed to an individual
..pdf file from any of several workstations. These will be digitally
signed. No problem except that I have been asked to batch all
existing records.
Wrote a code loop that calls the report for each record. Works
|
by: codepuller |
last post by:
Consider this approach:
Embed the report in your project (add it to the project)
Then put this code in the page that holds the viewer
control
'Set the connection information
crConnectionInfo.ServerName = "servername"
crConnectionInfo.DatabaseName = "dbname"
|
by: hari krishna |
last post by:
hi,
I want to send the data from dataset information to Excel through ASP.Net.
there will be no XL installed on web server. web server is win 2000 server
machine. I am using visual basic code in asp.net.
The Xl sheet should not be opened in the browser. All the information from
dataset(datatable,datarows) should be sent to XL and the file name should be
given dynamically through program and the xl file should be saved dynamically
through...
|
by: mvsguy |
last post by:
I'm an Access noob and apologize if I'm asking a stupid question. The
problem is that I'm unable to design/preview reports on a database.
How do I go about fixing this?
Background -
A user has a database which I need to examine. This user is able
design/preview all reports on a certain database.
When I copy the database to my machine, I am unable to design/preview
reports. I am also unable to design/preview reports when I use my box...
| | |
by: Orchid |
last post by:
Hello all,
I have different version of reports which used for different months.
For example, I am using report version 1 up to September, but we have
some design changes on the report for October, so I created report
version 2. I want a same Command Button to open the appropriated
version report for the specific month.
I create a table with the following Fields: Month, ReportID,
ReportToOpen (this is the exact report name). On a form,...
|
by: akkha1234 |
last post by:
When I click on the properties of a 2005 sql server database and then
permissions.
If I select a group and then effective permission, I got an error,
saying that "cannot execute as the principal server because the 'xxx
\group' does not exist, this type of principal cannot be impersonated,
or you do not have permission (Microsoft SQL Server; Error: 15406)"
I guess the error is valid, since the group does not exist in the
database as a...
|
by: FAQ server |
last post by:
-----------------------------------------------------------------------
FAQ Topic - How do I get my browser to report javascript
errors?
-----------------------------------------------------------------------
Various browsers include mechanisms for reporting javascript
errors in more or less detail but often they need to be enabled
or actively viewed. The quick way of activating error messages
in the Windows version of IE is to wait...
|
by: Snoopy33 |
last post by:
I have a DB that I developed on access XP (2002) and deployed over a
year ago. No one has had problems printing any of the reports within
the DB until we started loading 2007 on new computers. The access
2007 users cannot print one of the reports. This is maddening since I
cannot duplicate the issue on any computer that runs 2003 or below.
Is there something going on that I'm not seeing? Does anyone have any
suggestions at all on...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
| | |
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| | |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
