Access Rights To Two Mssql Dbs Via Password Protected Role
Jan 30, 2007
I dont know how to arrange situation when application enduser needs to access data in two databases of mssql server concurently in those circumstances that access rights to the data should be restricted by password protected role (whose password is not known to the end user).
Detailed description of problem:
So far there was an application, that manipulated its data, saved in mssql server's database. End user authenticates to application by his (mssql server's) login name and password. The application authenticates the user by connecting to the database with the given name/password credentials, and then the application sets application role with hardcoded name/password. Thus application role sets the access rights for consequent end user's requests, delivered via application to the database server.
The goal is that end user cannot manipulate application database data when connects to the database by other means (e. g. via SQL server Manager), because he does not know the application role's password.
Now suppose that there are two applications (A1, A2), both using the same model for access restrictions. Each of them has its own database (A1DB, A2DB) and its own application role (A1R residing in A1DB, A2R residing in A2DB). End user (login) X can manipulate A1DB data when connects via A1, and A2DB data when connects via A2, and NO data when connects by other means.
Finally suppose that some subset of A2 data (let's say one table) is useful to see also via A1 application. There is no problem to add to A1DB view, that shows data from A2DB table together with A1DB tables. But when the user is connected via A1, he cannot see the data, because query on A1 view fails (user has not access rights on A2 data).
The access rights for A1 enduser cannot be set by no means i know because:
1) I cannot set the rights via public (guest) access because in that case they will be accessible to any users connected by any third party products, which is supposed to be security hole.
2) I cannot set the rights via dbuser or dbrole privileges, because they will not work when connected via A1 application (setting the app role suppresses the db privileges)
3) I cannot set the rights via application role because two application roles cannot be set concurrently.
4) I cannot abandon using application roles mechanism and use database roles mechanism, because db roles cannot be protected by independent password (not known to the enduser).
Please can anybody review my problem and either find the mistake in my approach, or propose other solution? So far I suppose the problem is my ignorance, because I am not great mssql expert.
View 3 Replies
ADVERTISEMENT
Jul 20, 2015
HowTo: Import data to MS SQL 2008 from password protected Access DB ?
View 2 Replies
View Related
Feb 14, 2008
Writing to tables created by regular users on MSSQL2005
I have users creating tables through an application, I gave them ddl_admin, datareader, datawriter. They can create tables but cannot insert/update data (to their own tables), I cannot insert data either using Access or any other application to those tables created by them (under dbo schema) Is there something I am missing with permissions? Thank you very much
View 3 Replies
View Related
Sep 7, 2013
how to make my sqlserver 2005 database password protected.i make a database and i want to make a password protected.
View 4 Replies
View Related
Oct 30, 2001
Hi everybody,
The below I posted on SQL 2000 Forum about a week ago.
Any new thoughts................
I would like to get an input from as many people as possible on the following:
In our organization DBA is responsible for 5 servers ( currently NT 4/SQL 7)and is a part of group of a 5 people including manager and 3 developers.
DBA currently has a FULL access to every server.
In a few months we will be replacing the existing system with Windows 2000/SQL 2000.
LAN group will give to DBA only a read rights for the Windows 2000 environment, saying that the AUDITORS, both internal and external, require that. In other words, if DBA needs to run a command prompt, move files from one directory to another in Production environment, he has to fill the request to LAN, so LAN group would do that.
So I guess the main question(s) is:
What is the degree of involmment of DBA with Operating system?
Is DBA suppose to be an NT administrator ( I dont think so, since DBA has a lot of other thing to do?
If DBA accidently makes an unwanted changes to the Operating System, who should be blamed for ( not personally, but in more general terms) and would it be an extra argument to take write rights away from a DBA?
What auditors saying about that?
Thanks a lot in advance,
Andrei
View 3 Replies
View Related
Oct 24, 2001
Hi everybody,
I would like to get an input from as many people as possible on the following:
In our organization DBA is responsible for 5 servers ( currently NT 4/SQL 7)and is a part of group of a 5 people including manager and 3 developers.
DBA currently has a FULL access to every server.
In a few months we will be replacing the existing system with Windows 2000/SQL 2000.
LAN group will give to DBA only a read rights for the Windows 2000 environment, saying that the AUDITORS, both internal and external, require that. In other words, if DBA needs to run a command prompt, move files from one directory to another in Production environment, he has to fill the request to LAN, so LAN group would do that.
So I guess the main question(s) is:
What is the degree of involmment of DBA with Operating system?
Is DBA suppose to be an NT administrator ( I dont think so, since DBA has a lot of other thing to do?
If DBA accidently makes an unwanted changes to the Operating System, who should be blamed for ( not personally, but in more general terms) and would it be an extra argument to take write rights away from a DBA?
What auditors saying about that?
Thanks a lot in advance,
Andrei
View 1 Replies
View Related
Jul 23, 2005
I am trying to import a password-protected Excel file into SQL Serverusing DTS. I am getting an error that it can't decrypt file. Doesanyone know how I can pass the password to the file during the DTSexecution. Please help.Thanks,Michelle
View 1 Replies
View Related
Apr 13, 2006
Hi - I have a master package that executes a series of other packages. Each of these 'sub' packages has the security property Encryption Level set to 'EncryptSensitiveWithPassword'.
The master package has a series of file connections in the Connection Manager, one for each sub package, in which the password of the corresponding sub package is provided.
When I run the master package in BIDS (in interactive mode) it opens each of the sub packages, requests the password and gives the 'Document contains one or more lines of extremely long text' dialog box.
Is there any way to suppress the repeated password requests (seeing as it has already been provided in the Connection Manager) and warnings about long lines of text when executing the master package?
Thanks . . . Ed
View 6 Replies
View Related
Jul 28, 2006
I'm trying to pull certain Filemaker 5 tables into SQL Server 2000 inan automated import job using a file DSN. Everything resides locallyon a Windows XP machine. My process works fine on a test FM file withno password, but with the real FM files, all password protected, itfails with this error:******Error Source: Microsoft OLE DB Provider for ODBC DriversError Description: Unspecified error[FileMaker][ODBC FileMaker Pro driver]An error has occurred whiletrying to gather a list of available tables.[FileMaker][ODBC FileMaker Pro driver][FileMaker Pro]Connect failed.Context: Error calling GetRowSet to get DBSCHEMA_TABLES schema info.Your provider does not support all the schema rowsets required by DTS.******This happens whether or not I supply a password to the SQL Server job.It has been nagging me for days and I can't find any documentation onit. Has anyone else encountered this?Thanks very much.Scott
View 1 Replies
View Related
Oct 4, 2006
I have been selecting the option to protect sensitive info in my packages with a password. However, this poses problems when later execute the packages by using the Execute Package Task. The problem is that I am repeated required to input the password before the packages will execute.
I was making this selection in the hope of not tying execution to a partiular user's credentials (my boss may also want to execute these pacakages at some point).
I find this subject confusing. Once I have selected this option, how can I change to another method? Additionally, does anyone have any advice vis a vis best practices in this matter? I want to store connection passwords, etc. in the package so they don't have to be supplied each time but I also want the information to be secure.
Thanks in advance for any information.
View 1 Replies
View Related
Jun 8, 2001
Hi All,
I'm rather new to the MS SQL Server development in general and especially to its data security architecture and features - I'd like to know if it is possible for end-user to retrieve/update(!?) the data using a SP which executes on a table for which she/he doesn't have any privileges.
TIA,
Shamil
View 4 Replies
View Related
Sep 19, 2005
I gave a developer rights to the Public role on a SQL Server 2000 database. The Public role only has explicitly set select rights to the system tables and one user table. There are no other explicit rights set. The developer was able to open a table that had no rights set in enterprise manager and change data. Is this possible?
View 1 Replies
View Related
Jun 16, 2015
We are migrating the SQL Server database from 2000 to 2012 and part of this exercise we are migrating the DTS Package to SSIS Package. we were unable to convert the password protected DTS Package to SSIS Package. Â The DTS Package created in early 2000 and we don't have a password for the DTS Package.Â
Is there a way to remove the password or read the content of the DTS Package?
View 2 Replies
View Related
May 22, 2008
Hello,
I need to run SSIS packages with the 32 bit dtexec version, and I am storing these files into the MSDB package store, in SQL Server 2005. I have chosen to encrypt sensitive data with password, and then to execute the packages with xp_cmdshell.
The problem is that I receive the following message when I try to run it from management studio (when running this, I am logged in with the sa user): exec master..xp_cmdshell 'dtexec /Ser ServerName /SQL "TestFolderPackage" /De "testPass"'
€œMicrosoft (R) SQL Server Execute Package Utility
Version 9.00.1399.06 for 32-bit
Copyright (C) Microsoft Corp 1984-2005. All rights reserved.
NULL
Started: 9:41:29 AM
Error: 2008-05-22 09:41:29.70
Code: 0xC0016016
Source:
Description: Failed to decrypt protected XML node "DTSassword" with error 0x8009000B "Key not valid for use in specified state.". You may not be authorized to access this information. This error occurs when there is a cryptographic error. Verify that the correct key is available.
End Error€?
If I run the same package with the same command specified above, but without sensitive data in it (a simpler version with no passwords and connection strings, it works fine)
exec master..xp_cmdshell 'dtexec /Ser ServerName /SQL "TestFolderPackage"'
If I run the firs package version (with sensitive data and password protected) from the command line, everything works well:
DTExec.exe /ServerName OLAP /SQL "TestFolderPackage" /De "testPass"
I know in ASP.NET when encrypting web.config section, the system stores the decryption keys in a app data folder, and in order to be able to read from the encrypted web.config, the user under which runs the ASP.NET must be granted access to that folder, by running asp_regiis.exe with some parameters. I believe here a have a similar problem, with users not being granted access to encryption keys.
Thanks in advance
View 2 Replies
View Related
Oct 10, 2007
Hi:
When I restore DB from testing to production, we want to remove extra access rights granted to public group. Is there a simple way to query to find out for which objects (table, view, sp, fn) that public group were granted select, delete, update insert, or execute rights?
My objective is to write a sp to remove all user assigned rights to public group (role), but not to deny any rights. How to do it?
Any suggestion will be appreciated.
View 1 Replies
View Related
Oct 18, 2007
Hello all, I have read many topics about this error but it doesn't fix my packages in my particular case. The problem is that I access to a database in Oracle using the Ole DB provider for Oracle
I get that the mentioned error when I try to run a job from the agent.
1 - When I set "DontSaveSensitive" to ProtectionLevel I get this error: SSIS Error Code DTS_E_OLEDBERROR. An OLE DB error has occurred. Error code: 0x80040E4D.
An OLE DB record is available. Source: "Microsoft OLE DB Provider for Oracle" Hresult: 0x80040E4D Description: "ORA-01017: username/password no valid".
This is normal because the connection needs a password.
2 - When I set "EncryptSensitiveWithUserKey" to ProtectionLevel I get the mentioned error: "Failed to decrypt protected XML node "DTSassword" ..
The other options to ProtectionLevel doesn't work neither. I have tried to write the password in the field required...
I have tried many possibilities but nothing new, it doesn't work.
Does anybody have this error with Oracle as source file ???
Thank you .
View 4 Replies
View Related
Jun 20, 2006
I have a package (PackageA) with an Execute Package Task that execs PackageB. When I run PackageA I get this error on the Execute Package Task :
Failed to decrypt protected XML node "DTS:Password" with error 0x8009000B "Key not valid for use in specified state.". You may not be authorized to access this information. This error occurs when there is a cryptographic error. Verify that the correct key is available.
PackageB has 'EncryptSensitiveWithUserKey' ProtectionLevel. I'm providing passwords in the dtsConfig so I'm guessing I should change it to 'DontSaveSensitive'?
Interestingly, PackageA also has 'EncryptSensitiveWithUserKey' ProtectionLevel, but I don't get an error about PackageA, just on the task that runs PackageB.
(SP1 is installed).
View 9 Replies
View Related
Apr 21, 2008
Dear all,
I've built SSIS package and made a job to execute it automatically but it always returns an error. The job returns OK but when we looked at the Log File viewer, it conatins this error log :
Key not valid for use in specified state
Failed to decrypt protected XML node "DTS Password" with error
What's wrong with the package ?
Thanks in advance.
Best regards,
Hery
View 22 Replies
View Related
Jul 24, 2015
I have connected to Database using my credentials by checking remember password option. After few days I forgot my password. How can I recover the password as SQL remember it. Is there any way to recover my password instead of resetting it.
View 3 Replies
View Related
Mar 25, 2008
I need to determine the following about the current authenticated Windows domain user who is trying to access a SQL Server via a trusted connection.
1 Has the current user been granted login access to the trusted SQL Server?
2 Has the current user been granted access to a specific database?
3 Is the current user a member of a specific database role such as (DB_ROLE_ADMINISTRATORS)?
Thanks,
Sean
View 6 Replies
View Related
Oct 19, 2000
hi, I am having a database in sql server 7.0. it has a web front end database. how can I grant access to the tables. do I create a guest logins in the security folder, then in the database user tab, I give access as read,write. Or there is another way to do it.
Thanks
Ali
View 2 Replies
View Related
Jul 18, 2002
I remember seeing a document on this site a couple of years ago that explained reasons why a DBA needs sa access rights. I can go into BOL and generate a list of things you can only do with sa rights. However the article I am looking for was well written, much better than I could do.
My infrastructure team has decided that the DBA's and Sr. Developers will not have sa access rights. All schema changes, stored proc creation, view creation, database backups, maintenance plans, etc will go through their server engineers. They do not understand what they are getting into.
Does anyone have a nice document that would aid me in my efforts to convince the Infrastructure group to change their "new" policy?
Thanks for any info!!
Jeff
View 3 Replies
View Related
Apr 19, 2006
Hello,
I want to restrict the database not to be accessed from anywhere except
my webservice...I mean, my client applications or anyone else can not
be able to access the database...
How can I do this?
Thanks very much...
View 1 Replies
View Related
Aug 4, 2004
I am having trouble openning a connection to a sql server database that resides on another machine. When the web server and SQL server run on the same machine, everything works fine. When the web server and sql server are located on different machines, I get an access rights error when i try to open the connection. I suspect that this involves trust levels, but all the tweaking I have done has not resolved this issue. Any help would be much appreciated!
View 1 Replies
View Related
Jul 18, 2001
Hi All,
Is there a way in SQL Server 7.0 or 2000, where I can grant/deny/revoke access rights on a database objects like Table, Stored Procedures for a particular time of the day.
Example: I want to prevent user A from acessing Table x and Stored Procedure Y from 9Am to 12 noon everyday. After 12 Noon till 8.59 AM he can have access to Table x and Stored Procedure Y.
Is there a way to do this at SQL Server level.
Thanks
Sri
View 1 Replies
View Related
Oct 30, 2007
Guys,
What are roles and access rights I need to assign my backup operator so that he can see Maintainence plans under Management node of SQL Server Management Studio. I do not want to assign any admin related privileges.
Thanks
View 3 Replies
View Related
Jul 10, 2004
I have SQL Server 2000 the Microsoft SQL Enterprise Mangaer version 8.0 and I don't know the password of sa account and I found this page where it shows how to change it and I tried it but it didnt work for me. Password didnt change
So what to do? Is there any way to see the current pw?
View 3 Replies
View Related
Feb 7, 2007
I'm attempting to grant rights to Report Builder as deployed as part of my TFS install. My problem is that I have to add my users to the builtinadmin group in order for them to see the report builder button on the SQL Server Reporting homepage & then have rights to launch the ReportBuilder click once app. I obviously do not want make users admins on the box, but I've tried adding them to all of the other groups having to do with SQLServer to no avail. How can I grant users access to launch the Report Builder app?
View 6 Replies
View Related
Jul 2, 2014
I would like to provide the db_datareader and db_executor role to a particular SQL Server Login in a database
But, I would like to avoid any INSERT's, UPDATE's or DELETE's that may happen by calling the stored procedures
I tried assigning the db_denydatawriter role but it doesn't seem to be doing the trick as the INSERT's, UPDATE's and DELETE's were still working
Is there any way to provide the db_datareader and db_executor role but avoid any DML actions.
View 7 Replies
View Related
Nov 22, 2000
I have recently changed my NT password and since then one of my machines has not been able to start MSSQL server. When I re-boot the machine it lets me know that it was unable to start MSSQL server. If I right click on the SQL server group in EM and try to manually start the service, it tells me that I have a login failure. I don't understand how changing my NT password would affect one machine and not the others. When I right click on the "edit SQL service registration properties" tab, all of the machines are using the NT password selection as opposed to the SQL server authentication password. Any ideas would be greatly appreciated
View 1 Replies
View Related
Jul 12, 2007
The DBA at our location is demanding local admin (windows) right's to the box so he can function. Right now when he logs in i have given him right's to the inetpub directory, sql directory, i have set him as a sysadmin on sql2005 and gone into the http:\localhost
eports and set him up as a system manager and under site priveledges set him as a sys admin. When he tries to login and configure the report server he gets the following error:
Title-Reporting services configuration manager
Error-There was an error refreshing the UI. bla bla bla
A WMI error has occurred and no additional error information is availiable
Title-Reporting services configuration manager
Error-There was an error while switching panels. The most likely cause is an error retrieving WMI properties. bla bla bla
A WMI error has occurred and no additional error information is availiable
then when he's in sql server 2005 surface area configuation
Title-Surface Area Configuration
Error-Access denied (system.management)
Is there any documentation or anythign anyone can tell me that i can do to give this DBA full access to configure and admin the SQL portion of his system without giving him admin rights to the OS???
Please help!!
Thanks for any time anyone has taken to review this thread!!
View 8 Replies
View Related
Apr 18, 2008
I deployed a package on mssql-server.
How can I save passwords for OLEDB connections of the package?
I want to launch the package from server agent according to the schedule, but I don't know how can I save passwords for connectons?
Thanks in advance.
View 8 Replies
View Related