Minimum Set Of Permissions And User Rights To Execute A Report Definition
Jan 28, 2008
To use Reporting Services as a rendering engine I want to configure a local user on the server that has only the minimum set of permissions and user rights. The server is W2K3 SP2 and SQL 9.0.3200.
In particular, this local user has been removed from the local "Users" group and so is the "Authenticated Users" built-in group. In Reporting Services, it is mapped to a role that only has the "Execute Report Definitions" task permission.
Then, following the details in http://support.microsoft.com/kb/812614/ (Default permissions and user rights for IIS 6.0) I added all file security and local user rights required for "Users" and also granted and propagated "Read&Execute" on the "Reporting Services" folder and verified this using "Effective Permissions" on the ReportService2005.asmx file.
However, I still get 401 Unauthorized, also after a complete restart of all related machines and services.
Once I add the user or "Authenticated Users" back to "Users" everything works fine.
What permissions might I be missing? Where could I find those permission requirements documented?
I tried analyzing the 401 using auditing file and object access security but to no avail. There are no Failure audit entries in the Security log.
How can I investigate the minimum permission set?
What is the risk of leaving the user in the "Users" local group?
Any help appreciated.
View 1 Replies
ADVERTISEMENT
Sep 3, 2007
Hi,
I have a problem with sp execution.:
objects of [dbo]
Tables of [nuran]
Grants of [nuran]
[dbo].tabloA
[nuran].tmptabloA
Select,insert, update on [dbo].tabloA
[dbo].tmptabloA
Deny for [dbo].tmptabloA
[dbo].sp_yordam
Grant for executing [dbo].sp_yordam
(1)
create PROCEDURE [dbo].[SP_yordam]
AS
BEGIN
BEGIN TRANSACTION @Tran1
¦¦¦¦¦. ¦¦¦¦¦¦ ¦¦¦¦.
INSERT INTO [tabloA]
(, ,)
SELECT ,,
FROM [tmptabloA] WHERE ......
¦¦¦ ¦¦¦ ¦¦¦.
DELETE FROM [tmptabloA]
COMMIT TRANSACTION @Tran1
When user [nuran] execute the procedure sp_yordam by a VB program, the procedure use [dbo].tmptabloA not [nuran].[tmptaboA]. If there are data in the [dbo].tmptabloA, the procedure insert data to [dbo].tabloA from [dbo].tmptabloA. But when I checked user name in the procedure during execution, the user was [nuran].
If I write the procedure like that:
(2)
create PROCEDURE [dbo].[SP_tmpSil]
AS
declare @tablo1 as varchar(50),
DECLARE @sil as nvarchar(max)
select @tablo1='[tmptabloA]'
SELECT @sil = ' DELETE FROM ' + @tablo1 + ';'
EXEC (@sil)
END
And it executed by user [nuran],then it used the correct table [nuran].tmptabloA
Is there any way to use users table in an stored procedure without using the user name :
(3)
create PROCEDURE [dbo].[SP_yordam]
AS
BEGIN
BEGIN TRANSACTION @Tran1
¦¦¦¦¦. ¦¦¦¦¦¦ ¦¦¦¦.
INSERT INTO [tabloA]
(, ,)
SELECT ,,
FROM [nuran].[tmptabloA] WHERE ......
¦¦¦ ¦¦¦ ¦¦¦.
DELETE FROM [nuran].[tmptabloA]
COMMIT TRANSACTION @Tran1
I don't want to use (2) and (3) code methods, I prefer to use (1) script. Is there any compilation method, or any aditional way for using script (1) with correct user rights?
Thanks a lot
Nuran
View 4 Replies
View Related
Jul 26, 2006
Dear all,
Basically I want to set chain up the rights so that the anonymous web user IUSR_ .. can execute the new .NET subs, functions etc in the assembly, just as the anonymous web user can execute Stored Procedures when granted. In this way, it should be possible to call the .NET assembly just as classic stored procedures from ASP/ASP.NET.
I have written a .NET function which I can successfully execute if I log on to the database as an administrator by sending this T-SQL query; it returns the result of a given string:
select dbo.CLRHTMLString('abc')
The scenario is now to try to grant access to this assembly for a different role (webuser), which the classic IUSR_MYSERVERNAME is a login of, so that I can call the .NET Assembly when I am authenticated as the anonymous web user (e.g. via ASP, etc.).
To test access, I created a login (webusertest) for a user (webusertest) in the same role (webuser) on the database. But when I use this login, which supposedly has the same rights as the IUSR_, execution right is denied:
EXECUTE permission denied on object 'CLRHTMLString', database 'adt_db', schema 'dbo'.
Note: The 'webuser' database role has Execute permission on the Assembly.
I have also tested this from my actual web page, with the following results:
(1) IUSR_MYSERVER member of db_owner role: Web page has right to call assembly.
(2) IUSR_MYSERVER not member of db_owner role: Web page does not have right to call assembly.
Further test results:
(3) Function can be called when making the user "webusertest" member of the "db_owner" role, which is too much rights to grant for the anonymous web user.
(4) When adding the user 'webusertest' to get 'Execute' permissions on the assembly, it does not get added. After clicking OK, there is no warning message, but when opening the Assembly Properties -> Permission dialog box the same time, the 'webusertest' user does not appear in the list.
Thankful for any advice on this matter.
View 4 Replies
View Related
Mar 6, 2008
Hi, I want to execute BCP in Query Analyser in SQL Server 2005 Express for that i surf on net and find that i should execute BCP under xp_cmdShell, That works good for addministritative account on SQL. But i want the working will be done by a non administrative account or non 'sa' user.How can i assign a non sa User permissions to execute xp_cmdShell? or just tell me any other alternative way to run BCP in Query Analyser or code behined. thanx
View 1 Replies
View Related
Apr 26, 2007
Hi All,How do I set just enough permissions on a database so that a developer cancreate new objects and modify them without giving him administratorprivilege. At the moment the db objects are dbo and execute permissions aregranted to indevidual through a schema.GRANT EXECUTE ON [dbo].[My_Prcsedure] TO [MySchema]Thanks
View 2 Replies
View Related
Jan 7, 2008
Hi All:
I hope I'm in the correct forum for this question. If I'm not, forgive me and point me in the proper direction.
I have SQL Server 2000 databases that I am trying to secure. To that end I've deleted the guest account from all but the master and tempdb databases.
Within the master db I've denied access of any "flavor" to all objects but spt_values, syscharsets, sp_MSSQLDMO80_version, and sp_MSdbuserpriv (only because I've discovered they are necessary).
Can anyone tell me where I might find the absolute minimum permissions configuration for the guest account in master?
I have no third party vendor software accessing my SQL Server 2000 databases. The thought of
Demographics:
SQL Server 2000 sp4 running on Windows 2003 Server with the current service packs.
Any help is greatly appreciated.
caeriel
View 1 Replies
View Related
Feb 15, 2008
Hi all,
What are the minimum permissions required by the SQL Server 2005 Upgrade Advisor (UA)? I could not find it in the documentation.
Obviously being a local Administrators Windows group and a member of sysadmin SQL Server role will do the trick.
But will being a member of only the sysadmin SQL Server role be enough? I know that the UA does want to read the registry.
Running it under just sysadmin generates the following type of errors:
Database Server
PreUpgrade
Requested registry access is not allowed.
WINSOCKPROXY
Database Server
PreUpgrade
Requested registry access is not allowed.
FTUNSIGNEDCOMPONENTS
Database Server
PreUpgrade
Requested registry access is not allowed.
NETPROTOCOL
Database Server
PreUpgrade
Requested registry access is not allowed.
FTMULTIPLEINSTANCES
Database Server
PreUpgrade
Requested registry access is not allowed.
INVALIDNAMEDPIPE
Database Server
PreUpgrade
Requested registry access is not allowed.
FTCOMPONENTREG
Database Server
PreUpgrade
Requested registry access is not allowed.
FTACCTPASS
The issue then is whether these are significant or not. If the UA is only reading the registry to determine if SSAS, DTS, etc is installed then that is not important. But if it is affecting the end result because it cannot read critical information from the registry that is another matter.
TIA
View 1 Replies
View Related
Mar 6, 2013
The developers in our shop have a need to explicitly grant view definition permissions to themselves on stored procedures they create in their development databases. They have dbo level permissions in these databases and although they can explicitly grant view definition permissions to other developers in the same database, they are unable to do so for themselves. When they attempt this, it appears that they are successful but when they check the stored procedure afterwards the permission is not there for themselves.
While this does not cause an issue in development, the intention is for these view definition permissions to be carried forward to the test and production databases where they only have datareader permissions.
When these stored procedures are scripted out by the dba to move to Test and Production the view definition permissions are not scripted out for the developer in question.
Is there a way that a developer with dbo rights in a database can explicitly grant themselves view definition permissions on a stored procedure they create as dbo?
View 9 Replies
View Related
Sep 11, 2006
I was trying to grant access for an application user for executing xp_cmdshell, but I got some error message saying that either doesn't the user exist, or I don't have the permissions to grant this. Does the user need to be a user in Master ? Or, don't I when logged in as "sa" have the sufficient permissions to grant execute on a SP in master?
I solved it by checking "Control server" under "Properties" > "Securables"
for the login, but I don't actually want this login to have full control.
(And yes, I've read that allowing xp_cmdshell usage isn't recommended at all.)
View 3 Replies
View Related
Jan 15, 2007
Using MS SQL 200 SP4 with Reporting Services 2000 SP2 on Win 2003 Server SP1
Visual Studio .NET 2003 on different PC (Win XP SP2)
No problem creating reports or building solutions.
Problems develop when deploying report to Report Server.
Here is the Output:
------ Build started: Project: From CD, Configuration: Debug ------
Build complete -- 0 errors, 0 warnings
------ Deploy started: Project: From CD, Configuration: Debug ------
Deploying to http://<server name>/ReportServer?%2f2nd
Deploying data source '/2nd/AdventureWorks2000'.
Deploying report 'Vendor Purchase Orders'.
The report definition is not valid. Details: Could not find schema
information for the element
'http://schemas.microsoft.com/sqlserver/reporting/2003/10/reportdefinition:Report'.
Deploy complete -- 1 errors, 0 warnings
---------------------- Done ----------------------
Build: 1 succeeded, 0 failed, 0 skipped
Deploy: 0 succeeded, 1 failed, 0 skipped
These are my first attempts using report services. In a previous deployment
attempts it created the folder (named 2nd), but in another attempt (saving it
to the existing folder) I got the same result as you see above (I have also
tried with a new folder but no luck). This above output is from my last
attempt.
The Build error Task List states:
The Report Definition is not valid. Details: Could not find schema
information for the element
'http://schemas.microsoft.com/sqlserver/reporting/2003/10/reportdefinition:report'.
The shema URL as above returns HTTP 404.
If I remove :report, I receive the page for Report Definition Language
Schema May 2004
Looking at the .rdl code the schema URL is as above without :report.
As you can imagine with a limited skill set in this area I am quite
confused. I have been doing alot of research but found nothing to help (or
that I understand will help) so far.
If anyone can help me get through this I would appreciate it.
Bill
View 1 Replies
View Related
Jul 19, 2015
I have a database for which I need the permissions to execute stored procedures, perform CRUD operations on tables, execute functions and SQL jobs. What should be the SQL command if I am to create a user for this database who will have the most minimum privileges to carry out these activities?
View 4 Replies
View Related
Feb 5, 2007
The current way I have my asp.net 2.0 web app running reports is, based on an
interface the user selects the criteria for a report. The .RDL file is created
dynamically based on the user's selections.
I then need to SOAP the dynamically created report to the report server and
then the report runs fine.
BUT it requires Adminstrative rights to do this. Can this be accomplished
without giving the local machine admin rights. I am sorry if this question
has been answered before but i have not been up here in a while.
View 1 Replies
View Related
May 12, 2015
Trying to determine what the minimum permissions i can grant to a user so they can see the change tracking data
View 1 Replies
View Related
May 8, 2008
I have set up a couple of views for a user but they want to be able to see the database table columns by doing right click on table and getting the columsn.
I tried to give the permissions to database by right clicking on database and doing the user and giving view defintion.
-- [TABLEA] contains no columns that can be inserted or the current user does not have permissions on that object.
User not allowed to select the data .
Thanks
View 2 Replies
View Related
Jul 2, 2014
I would like to provide the db_datareader and db_executor role to a particular SQL Server Login in a database
But, I would like to avoid any INSERT's, UPDATE's or DELETE's that may happen by calling the stored procedures
I tried assigning the db_denydatawriter role but it doesn't seem to be doing the trick as the INSERT's, UPDATE's and DELETE's were still working
Is there any way to provide the db_datareader and db_executor role but avoid any DML actions.
View 7 Replies
View Related
Nov 28, 2005
Hi All,
I have a user that should only have the rights to view the jobs and database properties within Enterprise Manager. I am not sure how to do that. Can you please help? Thanks.
View 4 Replies
View Related
May 17, 2007
Hi,
I am using SSRS 2005.
Created several reports on the server where SSRS is installed.
In addition I managed to develop a few more reports on my work station and then deployed the reports to the server.
From my local machine I can brose to http://servername/reports and view/run the reports.
Now I would like to find out if/how others can view some of the reports. How/where do I set rights...?
Thanks
View 1 Replies
View Related
Dec 7, 2006
I'm running into an issue with a user with restricted rights being able to access a local SDF file. The user has Modify right to the folder (and the file), but cannot access the SDF if it was created by someone else.
The only two workarounds I've found are: 1) If the I delete the SDF and then the restricted user creates the SDF they can then access it. 2) If I grant Full Control to the folder then the restricted user can access the database.
Is this by design? Are there programatic changes that can be made to enable access?
All users who login to the box (Windows XP) need to be able to access the same SDF. The SDF is stored on the local machine.
Thanks,rlw...
View 4 Replies
View Related
Apr 5, 2001
Hi,
I want to give 'Execute' permission for all the sp to a particular user.
Any straight way of doing this then to go to each sp and give him permission for every sp.
TIA.
View 2 Replies
View Related
Nov 16, 2005
Hi All,
How can I give the user view rights only?
View 4 Replies
View Related
Feb 22, 2007
I need some advice with a msSQL 2005 databaseI'm creating a administration program in vb.net based on a new msSql db. This programme is involved with customeradmin, facturation, products, sales,...by example: Some employees don't has anything to do with product, so they don't need the rights to delete, create or edit it.The question is how can i resolve this problem, because i don't find any good solution. The rights are for every employee different, and can be changed by a admin panel. The admin can give a employee specific rights for every part of the programmeso how can we give a user certain rights when he is logging in into the program.thanks, BoardD :S ;)
View 1 Replies
View Related
Jul 23, 2005
Does anyone know if it possible to make a specific table invisible to auser when they are in Enterprise Manager?
View 1 Replies
View Related
Jun 16, 2006
In the login properties on the Database Access tab, a user's name saysdbo instead of his name. I do not want him to have dbo permissions. Icannot drop the db_owner permissions that he has on the databasebecause I get the error "Error 15405: Cannot use the reserved user orrole name 'dbo'."How do I remove these permissions from this user?
View 3 Replies
View Related
Feb 20, 2006
Hi, SQL experts.
I'm
new in the SQL Server Express Configuring Stuff and I've a problem or
more exactly I don't have any idea about configuring an secure and
hacking save user for a SQL Express DB.
What server roles/server
permissions/endpoint permissions/database permissions are neccessary to
have an rw access SQLE user? Any articles available? Any suggestions?
Scenario is a Personal Webpage for my Family & Friends located in my house
- ASP.Net Starter Website: Personal Website
- 2 MDF DB's: ASPNETDB.MDF & PERSONAL.MDF (included with the Starter Website)
- Development on DEV PC; Deploy on SERVER PC
HW:
- SERVER PC with Win2k (fully patched)
- DEV PC with Win XP Sp2 (fully patched)
- LAN 100Mbit w NAT FW
- WAN Cable Modem 128/1500
SW:
- APACHE 2.0.55 with latest aspnet_mod
- ASP.NET 2.0
- SQL Server Express
- SQL Manager 2005 Lite
- MS Web Developer Express
What I've done so far:
- APACHE: configured & working
- aspnet_mode: configured & working
- SQLExpress: configured & working
- SQLBrowser: configured & working
- TCP/IP Protocol for SQLE: configured & working
- Mixed authentication for SQLE: configured & working
- ASPNETDB.MDF: attached, configured & working
- PERSONAL.MDF: attached, configured & working
- SQL Manager 2005 Lite: configured & working
- SQLE users: created one for ASPNETDB and one for PERSONAL
(with SQL Manager Lite; Sorry MS!!! your SQL Server Mgmt Studio Express sucks!)
- WEBSITE: changed connection string from local to remote
(local doesn't work, because the LocalSystem User on Win2K, which is
used by the SQLServer, has no User Profile. Also you cannot change the
Service User, so it won't work with the local connection string, but
with an attached and remote accessible DB it works just fine)
- WEBSITE: runs locally and remotely on DEV PC with remote DB's and custom users.
But
I'm concern about the two users I've created, to access the two DB's.
I've no idea, what rights/roles aso they need to use the DB for remote
(for development) and local (for production) access and to be secure?
Thanks for any help, ideas and suggestions.
Alex
View 4 Replies
View Related
Jul 20, 2007
Is it possible to control the number of table rows that can be displayed by modifying the report definition?
View 4 Replies
View Related
Sep 27, 2007
I have a 2005 .Net 2.0 solution that includes two projects, a windows project and a Reporting Services project. The report viewer is apart of the windows project and I am wanting to open reports in the RS project but keep getting a 'the report definition has not been specified' error.
I set the ReportPath to point to the physical path of the RS project but it does no good.
Anyone have any idea how to run a report that is not apart of the project?
Thanks.
Steve
View 1 Replies
View Related
Jul 12, 2000
How can we allow users to access a MS SQL Server OLAP cube but restrict the level of data that he might see?
I mean, if there is a cube with data for three different countries. How can one user be restricted to see data pertaining to
only one of the countries and not the other two countries?
View 2 Replies
View Related
Jun 8, 2001
Hi All,
I'm rather new to the MS SQL Server development in general and especially to its data security architecture and features - I'd like to know if it is possible for end-user to retrieve/update(!?) the data using a SP which executes on a table for which she/he doesn't have any privileges.
TIA,
Shamil
View 4 Replies
View Related
Jan 18, 2007
What rights do users require to be able to use SQL Server Express?? I receive errors when the user doesn't have full admin rights. Our users cannot have admin rights all the time on their PCs. Errors below:
"Create failed for Database 'TestDatabase'. (microsoft.SqlServer.Express.Smo) Additional information: An exception occurred while executing a Tranact-SQL statement or batch. (Microsoft.SqlServer.Exress.ConnectionInfor) Create Database permission denied in database 'master'. (Microsoft SQL Server, Error: 262)"
View 1 Replies
View Related
May 28, 2007
Hi there guys!!
I am having an issue with generating a table for an report on the fly. I have been referring to the example on www.gotreportviewer.com and their example works fine but when i attempt to do my own version (by adding the table, I get the following error:
The report definition is not valid. Details: The element 'TableColumns' in namespace 'http://schemas.microsoft.com/sqlserver/reporting/2005/01/reportdefinition' has incomplete content.
List of possible elements expected: 'http://schemas.microsoft.com/sqlserver/reporting/2005/01/reportdefinition:TableColumn'.
From my understanding 'TableColumns' was not expected even though i reference it correctly in my code and I it is defined in the ReportDefinition. It also causes no problems for the example from the above website.
Can anyone help with this problem?
Thanks a million!
View 3 Replies
View Related
Aug 8, 2001
Hi,
How to ennumerate the Rights of an User for all the tables [Select/Insert/Update/Delete] in a database or how to ennumerate/list all the Table rights for a particular user in a database? By User, i mean the Login names [like bill, sam, sa] and not dbowner, public, etc. thanx in advance.
View 2 Replies
View Related
Dec 29, 2004
Does anyone have a SP which will output all users and their permissions (dbo), (read), (write) for each database for SQL 2k? I'm trying to find a way to simply automate this so I can output the data on demand for auditors. I'm currently checking each users permissions on each database through security/logins :(
View 3 Replies
View Related
Sep 28, 2004
Hello everyone,
Does anyone know of a quick way to audit all users in a database and display their rights and permissions on a table level. I would hate to have to do it one user at a time. There has to be an easier way.
I'm going through a Sarbanes Oxley audit and need to provide them this information.
View 2 Replies
View Related