Hello,
In NT MS suggests putting global groups into local groups and then assigning object permissions to those local groups in NTFS. I was wondering if this pattern should be followed in SQL server when assigning permissions to integrated login accounts. Is it better to use global groups or local groups?
Thanks
JJ
Hi,
We have a MS Access .adp app which is having some security problems. We have a windows global group which is a user - which is added to a role. The developers are having problems with unqualified sql statements trying to find user.table instead of dbo.table. It seems we are not able to specify a default schema for the global 'user' - the option is greyed out and a sql statement fails. MS says:
Default Schemas
A default schema is used to resolve the names of securables that are referred to without their fully qualified names. In SQL Server 2000, name resolution first checks the schema owned by the calling database user, followed by the schema owned by dbo.
In SQL Server 2005, each user has a default schema. The default schema can be set and changed by using the DEFAULT_SCHEMA option of CREATE USER or ALTER USER. If DEFAULT_SCHEMA is left undefined, the database user will have dbo as its default schema.
Is the default truly undefined in a global group user? We are not totally locked in to the global group solution, but it does make admin easier for us.
Thanks a bunch!
Can anyone tell me or post a link that says how many global temptables can exist SQL Server 2000? Also, is there a limit to thenumber of local temp tables that can exist?Thanks,Billy
View 1 Replies View RelatedSo, I have this idea of a database design I was hoping to get some input on.
I usually go through the process of creating a separate column for identity, like an auto-increment integer which serves as a context specific ID that easily can be passed around. However one of the short-comings I've come to realize is that the integer is just that, unique to the context and requires context information to make sense.
I'm pounding the idea of creating a separate table whose sole purpose is to provide global (database wide) unique IDs. As such each row in a table can still have an ID but instead of being tied to a specific context it will always make sense within the application. A foreign key constraint can ensure that and a relation.
Now, with a global ID which I can create FKs to, I don't have to create a separate table for relations between entities and can have relations through these global IDs and I think that's a good thing because if there are many relations between many entities they don't have to be defined more than once. There is also a single "hub" where all relations fit which will allow me to access most information through some relatively simple joins.
My concerns are performance and Linq to SQL implication. I'm worried that Linq to SQL might start pulling an excessive amount of data and I'm worried that the practicality of such a design might hurt the long running of the application development process.
But I'm surprisingly interested in what it could mean for a more ubiquitous view of data and tagging. Basically a way of any data to have relations to any other data through this yet simple design decision.
If you think this is a good idea or see no particular problem with, please let me know! If you think there's problems with my idea, please motivate your critic but do tell me what I should look out for, or if you know of any better approach to my idea of being able to look at the data through some more common mechanism (which applies to all tables and the entire database mostly from a programming perspective).
Hi,I am new to SQL. Please bear with me and allow me to ask a dumbquestion.I am debugging a stored procedure (written in Trans-SQL), and I foundthat the SQL analyzer that I use doesn't have a debugger. All I cando it is execute a block of code and see what is going on in aninteraction seesion of the SQL analyzer. I would need to declare somevariable to hold values of the previous query in the interactivesession.I understand that this can be easily done in a stored procedure viathe Declare command (e.g., Delcare @order_no int). Is similarfunctionality exists in an interaction session of the SQL analyzer?If so, what is the command. Please advise.Thank you very much for the help.Alex
View 1 Replies View Related
Is there a way in sqlserver where I can retrieve local groups defined in windows? Any system views contain this information?
Thanks.
Hi all.
I am stuck in a bit of a conundrum for quite a while now, and I hope someone here will help me figure this one out.
So, first things first: let me explain what I need to do. I am
designing a web application that will allow users to consult info
available in a SQL2000 database. The user will enter the search
criterea, and hopefully the web page will show matching results.
The problem is the results shown aren't available per se in the DB, I
need to process the data a bit. I decided to do so on the SQL Server
side, though the use of cursors. So, when a user defines his search
criteria, I run a stored procedure that begins by building a dynamic
sql query and creating a cursor for it. I used a global cursor in order
to do so. It looked something like this:
SET @sqlQuery = ... (build the dinamic sql query)
SET @cursorQuery = 'DECLARE myCursor CURSOR GLOBAL FAST_FORWARD FOR ' + @sqlQuery
EXEC @cursorQuery
OPEN myCursor
FETCH NEXT FROM myCursor INTO ...
CLOSE myCursor
DEALLOCATE myCursor
This works fine, if there's only one instance of the
stored procedure running at a time. Should another user connect to the
site and run a search while someone's at it, it'll fail due to the
atempt to create a cursor with the same name.
My first thought was to make the cursor name unique, which led me to:
...
SET @cursorName = 'myCursor' + @uniqueUserID
SET @cursorQuery = 'DECLARE '+ @cursorName + 'CURSOR FAST_FORWARD FOR ' + @sqlQuery
EXEC @cursorQuery
...
The problem with this is that I can't do a FETCH NEXT FROM @cursorName since
@cursorName is a char variable holding the cursor name, and not a
cursor variable. So to enforce this unique name method the only option
I have is to keep creating dynamic sql queries and exucting them. And
this makes the sp a bitch to develop and maintain, and I'm guessing it
doesn't make it very performant.
So I moved on to my second idea: local cursor variables. The problem with
this is that if I create a local cursor variable by executing a dynamic
query, I can't extract it from the EXEC (or sp_executesql) context, as
it offers no output variable.
I guess my concrete questions are:
Is it possible to execute a dynamic sql query and extract a (cursor) variable from it?Is it possible to populate a local cursor variable with a global cursor, by providing the global cursor's name?Can I create a local cursor variable for a dynamic sql query? How?
Anybody sees another way arround this?Thanks in advance,
Carlos
Hi,
I am trying to find the best way to implement a complex column based security.
Basically i need to secure data among lot of tables with millions of rows, so that some users may see some columns and others see diferent ones...
Whats the best way to implement this kind of procedure securely and flexible?
Best Regards,
Hi, I have compact sql databases which will be local on multiple users
devices. Due to space constraints, for one of the tables i have had to use
auto incrementing integer which works fine for the local database but i
would like to merge all of the users databases into a global database. The
table format can be seen below:
Code SnippetCREATE TABLE Players
(
ID UNIQUEIDENTIFIER NOT NULL PRIMARY KEY,
FirstName NVARCHAR(32),
LastName NVARCHAR(32)
);
CREATE TABLE Sessions
(
ID INTEGER NOT NULL IDENTITY,
PlayerID UNIQUEIDENTIFIER ,
SessionDateTime DATETIME,
CONSTRAINT pkSessions PRIMARY KEY (ID),
CONSTRAINT fkPlayerID FOREIGN KEY (PlayerID) REFERENCES Players(ID)
);
CREATE TABLE SessionDetail
(
SessionID INTEGER,
Time real,
Power real,
CONSTRAINT pkSessionDetail PRIMARY KEY (SessionID,StrokeTime),
CONSTRAINT fkSessionID FOREIGN KEY (SessionID) REFERENCES Sessions(ID)
);
The Players table will merge fine as GUIDs are used. However, how will the
sync capabilities of compact SQL handle the sessions table? When it pushes
the local data to the remote database will it change the Sessions.ID column
to a unique field (as no doubt lots of people will have 1, 2, 3 in their
local databases and the global database must have a unique ID), and then
transfer this changed ID back to the local database? Furthermore, if it
changes the Sessions.ID column during the merge it will also need to update
the SessionDetail.SessionID foreign key to maintain referential integrity,
is this also handled?
So my question is, how much of this sync and data merge is automated and are
there any good examples or pointers for my scenario? I cannot reasonably use
a GUID for Session.ID as there will be lots of SessionDetail entries and the
size would be far too much.
Many thanks,
Chris
I have a clustered server environment where three of the SQL Server local groups were not created during installation. One of these missing groups is SQLServer2005SQLAgentUser$ComputerName$InstanceName, and this is causing problems with trying to automate replication.
How do I create this group after I have installed SQL Server?
Thanks,
Neal
Hi
installing sql express sp1 on SBS Win 2000 box
It's up to database services, and then fails - i've tried this a number of times.
The message box says "The installer has encountered an unexpected error. The code is 2380. Error opening file for write. GetLastError: SoftwareMicrosoftMicrosoft SQL ServerMSSQL.1Setup"
The admin account did not have full admin privileges for this key and subkey- why ?
I was installing under the domain administrator account....
I fixed this, and now the latest error is as follows from the log
QL_ERROR (-1) in OdbcConnection::connect
sqlstate=08001, level=-1, state=-1, native_error=21, msg=[Microsoft][SQL Native Client]Encryption not supported on the client.
sqlstate=08001, level=-1, state=-1, native_error=21, msg=[Microsoft][SQL Native Client]Client unable to establish connection
sqlstate=08001, level=-1, state=-1, native_error=0, msg=[Microsoft][SQL Native Client]An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections.
Error Code: 0x80070015 (21)
Windows Error Text: The device is not ready.
Source File Name: libodbc_connection.cpp
Compiler Timestamp: Wed Oct 26 16:37:41 2005
Function Name: OdbcConnection::connect@connect
Source Line Number: 148
Please HELP !!!
thanks
thansk
Hello,
What are the security groups that I would need to enable a user to use the conflict viewer and replication monitor for specific databases that are setup for merge replication? Thanks.
John
I am using Windows server 2012 Standard R2 and SQL Server 2014 Enterprise. I have created three AD Groups and added the groups to the SQL server:
Group A. Group B, and Group C. I have mapped each group to their database which I created on the same SQL server.
Now I have Group A mapped to Database A, Group B mapped to Database B, and Group C mapped to Database C.
Now all the users in all the groups can see each other databases, I need to give full permission to Group A for ONLY database A and NOT to allow them access Database B and C, also I need to do the same thing for the other two groups, this means each group can only access their database and not allowed to access other databases.
We have a problem authenticating domain users contained in local machine user groups across multiple web servers in a scale out deployment.
When we originally setup our single SSRS database server we were told the a best practice is to add domain users to local user groups on the SSRS machine.
Now we want to add more web servers and create a scale-out deployment. So, we added the web servers and configured the scale-out deployment. But, only administrators can see the reports since all of our SSRS roles are assigned permissions such as "Machine1User_Group".
We were told that we have to create identical local groups on Machine2 and Machine3 and then add them to the SSRS roles. This is prohibitive since it would mean managing 3 identical user groups containing thousands of domain users.
Is there a better way to do this without using Domain User Groups?
Thank you for any assistance.
hi,
i have starange problem here.
i have total 10 nt groups mapped to security manager.
today when i opened security manager it is saying no groups
in the security manager,security manager is blank.
i am using mixed security mode.
pls give me any ideas..
it is very ugent pls..
Thank u very much
--Kavira
I have been asked to copy the security groups from production to stage ,as users are not able to access the cube online...
( note :the production server is analysis sercvices 2000 and the stage server is analysis services 2005)
any ideas ? thanks in advance
yukon dba
Hi,Apologies for not knowing much around this subject, we currently run sqlserver 2000 for a database and have each user marked up on the database.We are moving to use a windows security group, so taking themanagement slightly away from the database server.What I would like to know is, will this effect functions such assuser_sname() by returning the group name instead of user id? I wouldassume not but it's worth checking!Also, I'm guessing if a user is marked on the database as their own idand as part of a security group, then all permissions are thrown in withdeny taking preference? How does this work with a database owner who isalso part of a security group that has limiting functionality?Thanks for your help,Chris
View 1 Replies View RelatedI've been reconfiguring my Windows service accounts for the SQL Server service and the SQL Agent service to comply with the security best practices for SQL Server 2005. Specifically, I created two new network accounts. One account runs the SQL Server service, the other runs the SQL Agent service.
View 1 Replies View RelatedHi All,
I have a report running and I am attempting to assign role based security. I added a group to the site level security. The group I added contains child groups. It doesn't seem that report server is looking into the child groups to see if the logged in user is a member of the child group. Is there anyway to get this to work instead of adding all the groups directly? I suspect that report server is using cominterop and cominterop is not traversing the directory tree?
Thanks,
Darren
I have multiple security groups for which I would like to print off the
different table rights associated. Is there a quick and easy way to
accomplish this? Thanks, Craig.
It appears that I have a machine where the SQL Server 2005 Security groups were deleted, now I am unable to change account settings in configuration manager ( I get a WMI provider error ). Is there any way to recreate these security groups without uninstalling and reinstalling SQL Server?
View 3 Replies View Relatedhow does security works between availability groups.
ex if i create an object and grant permissions to a user will that be replicated to secondary replica .
Hi all,
Looking at BOL for temp tables help, I discover that a local temp table (I want to only have life within my stored proc) SHOULD be visible to all (child) stored procs called by the papa stored proc.
However, the following code works just peachy when I use a GLOBAL temp table (i.e., ##MyTempTbl) but fails when I use a local temp table (i.e., #MyTempTable). Through trial and error, and careful weeding efforts, I know that the error I get on the local version is coming from the xp_sendmail call. The error I get is: ODBC error 208 (42S02) Invalid object name '#MyTempTbl'.
Here is the code that works:SET NOCOUNT ON
CREATE TABLE ##MyTempTbl (SeqNo int identity, MyWords varchar(1000))
INSERT ##MyTempTbl values ('Put your long message here.')
INSERT ##MyTempTbl values ('Put your second long message here.')
INSERT ##MyTempTbl values ('put your really, really LONG message (yeah, every guy says his message is the longest...whatever!')
DECLARE @cmd varchar(256)
DECLARE @LargestEventSize int
DECLARE @Width int, @Msg varchar(128)
SELECT @LargestEventSize = Max(Len(MyWords))
FROM ##MyTempTbl
SET @cmd = 'SELECT Cast(MyWords AS varchar(' +
CONVERT(varchar(5), @LargestEventSize) +
')) FROM ##MyTempTbl order by SeqNo'
SET @Width = @LargestEventSize + 1
SET @Msg = 'Here is the junk you asked about' + CHAR(13) + '----------------------------'
EXECUTE Master.dbo.xp_sendmail
'YoMama@WhoKnows.com',
@query = @cmd,
@no_header= 'TRUE',
@width = @Width,
@dbuse = 'MyDB',
@subject='none of your darn business',
@message= @Msg
DROP TABLE ##MyTempTbl
The only thing I change to make it fail is the table name, change it from ##MyTempTbl to #MyTempTbl, and it dashes the email hopes of the stored procedure upon the jagged rocks of electronic despair.
Any insight anyone? Or is BOL just full of...well..."stuff"?
My replication is not working. I was able to create a transactional replication successfully. However, when i tried starting the agent on the snapshot, it wouldn't work. I figure that it was because my agent service login is different from that of the subscriber. my publisher and distributor is on local user whereas my subsciber sql services use our global login.
Thank you in advance. Good day!
I have one domoain in the forest. The domain level is set to Windows 2000 native mode and forest level is set to mixed mode. My SQL server 2005 server joined to this domain. I added a brand new domain local group and add a normal user account to this domain local group. I login to the SQL server 2005 server and make a query "SELECT * FROM sys.login_token". I cannot see my domain local group in sys.login_token. However, if I add my account to a global group, I can see it there.
Then, I setup another forest. This time, I have domain level set to Windows 2003 mode and forest level is set to Windows 2003 native mode. I do the same testing. This time, I can see my domain local group in sys.login_token.
Why does SQL server 2005 has this limitation? Is it a bug?
We have a weird issue with one of our computers.
We have a SQL 2005 server that is running our website and is accessed by our staff to run some applications (VB and Access 2003). The SQL 2005 server is at an off-site datacenter, so all access is via VPN.
We have one individual who is recieves the The Local Security Authority Cannot Be Contacted error whenever we try to create an ODBC connection to the SQL server. If the user is in our office, his computer connects fine, when he connects via an IPSEC VPN (we have tried various connections DSL, Cable and EVDO as well as Starbucks) he gets the same error. The error is sporadic, though recently it appears 80-90 percent of the time.
More info
When he is connected to the VPN, he can ping the SQL and exchange servers, as well as any of our other servers.
The issue started when he got a new computer. The computer is less than a year old, was mine previously. Hard drive was wiped and reloaded with XP Pro, 2.6 GHz, 2 GB RAM, 100GB hard drive with 70% free space.
When he connects to the VPN, he loses access to the exchange server, when he is not connected to the VPN, he accesses exchange via Outlook 2003 via RPC over HTTPS without an issue. When he disconects from the VPN, his connection to exchange is returned.
Any help or pointing in the right direction would be greatly appreciated.
Thanks
Wayne
This is regarding general protection of a database hosted on a network. I am developing a database application for my college library using VB.NET, that will reside on a network.
For some reasons, I did not want to hardcode the Database location in the application. Instead, when a user logs in, he can choose the database location using a folder browser control, if the location has changed.
Now, I realize that for this, I have to put the database in a shared folder, which makes it quite vulnerable. Having pondered over the problem for sometime, a solution that comes to my mind is to place a Text file in the same shared folder that always contains the correct path of the database. When a user chooses that folder, I will read the actual path of the database from the text file, and move the database to a non-shared folder.
I haven't yet implemented this approach, but felt it better to consult someone before. So, would this approach work, and is it a good idea.
For information purposes, I consider it important to mention that the database is in MS Access. I know this is not a place for discussing it, but this is a general security concern. So, I thought
people would not mind answering it....
I have verified that the following services ARE running.SQL Server (SQLEXPRESS)SQL Server Browser SQL Server VSS Writer.This one however will not start ... For some reason it starts then automatically turns off.SQL Server Agent (SQLEXPRESS).When I try to connect using my <machine name>/instance and Windows Authentication I get the following error ...
"A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified) (Microsoft SQL Server)".The connection specified in the "Connect to Server" box was working perfectly fine before I upgraded. I thought it might have been my Norton 360 Premier but I uninstalled it.I AM having issues with the adapter frequently dropping the internet connection but I just disconnect and reconnect and that resolves itself.The other technique I tried was to replace the server name with the IP address ... <192.168.0.22>/Instance ... This actually seemed to find the SQL Server but rejected the Windows Authentication ...
"Login failed. The login is from an untrusted domain and cannot be used with Windows authentication." I have several databases on here and would hate to have to reinstall SQL Server and manually hook them back up.
We would like to use the SQL Server 2005 Express at our customers.
But now we have to meet the local security settings of the PC.
What is happening with the database users password (e.g. sa) when the "Maximum password age" in the "local security settings" for the password policy is to >0 (e.g. 30 days)?
Because this cause a frequently change of the passwords at the customers!!!!!!
Hi Remus,
I am experiencing the same problem, and I can't get the easy fix to work. I drop and create the DB's in between tests, so it is not related to having an old certificate in the DB, as in the case of Tilfried.
The situation is as follows:
DB1 owned by login1, has a user for login2; this DB is for the initiator
DB2 owned by login2, has a user for login1; this DB hosts the target
Both DB's have TRUSTWORTHY flag set to ON
Error in sys.transmission_queue: 'Error 916, State 3: The server principal "Login1" is not able to access the database "DB2" under the current security context.
Going on a limp, I decide to add a remote service binding in DB1, binding the user for Login2 to the target service, even though BOL explicitly states that this is only required for cross-server communications. This does change the situation - I still get an error, but a new message is sys.transmission_queue: "Dialog security is unavailable for this covnersation because there is no certificate bound to the database principal (Id: 5). Either create a certificate for the principal, or specify ENCRYPTION = OFF when beginning the conversation." I already know that the first option works, but I wanted to get the simple solution running. As for the second option, I doublechecked and the initiating procedure DOES already specify ENCRYPTION = OFF in the BEGIN DIALOG CONVERSATION command. My theory is that the remote service binding somehow forces SB to use encryption, but (a) that is not stated in the error message, and (b) if so, then how to get the messages sent over to the target service without using the binding?
==> EDIT: Just saw that you confirmed this theory in your last reply to Tlifried. So I am indeed back to having to find out how to get this to work without remote service binding - it should be possible, but how???
BTW, SELECT @@VERSION shows that I'm on build 3054, in case it matters.
Between all the errors in BOL and less than helpfull error messages produced by SB, I feel like I'm slowly losing my sanity. Please help!
Best regards,
Hugo Kornelis
I have a new SQL 2005 (SP2) Reporting Services server to which I've just upgraded and deployed some SSRS 2000 reports.
I have a subreport that contains a matrix with two groups. The report data seems to be inexplicably repeating the data for the first row in the group for all rows in the group. Example:
ID1
ID2
DisplayData
1
1
A
1
2
B
1
3
C
2
1
A
2
2
B
2
3
C
Parent group is on ID1, child group is on ID2, report would show:
1
1
A
2
A
3
A
2
1
A
2
A
3
A
Is this a matrix bug in 2005 SP2, or do I need to do something differently? I can no longer pull a comparison version from an SSRS 2000 server to verify, but I believe it was working as expected before...
We have a 64-bit VM server running SQL Server 2005. The SQL Server on this particular VM server has 6 local instances installed. On the Management Studio logon screen I can type the full name of the local instance and connect to it, however if I press the drop down in the Server name field, choose Browse and select the Local Servers tab there is nothing listed under Database Engines.
Any idea why the 6 local instances don't show up under Database Engines? This is preventing me from installing a vendor application because their installer looks for local SQL Server instances on this server, but if SQL Server won't even show the local instances then the installer doesn't see them either.
Any help is greatly appreciated.
Thanks,
Craig
I am facing a problem in connecting to the local database with server name as (local).
I have installed SQL Server 2005 in my machine. When I try to connect to the SQL server with the server name as SUNILKUMAR I am able to connect but when I try to connect to the same server with the server name as (local) I am not able to connect. SUNILKUMAR is my machine name and SQL server is running locally.
if anyone can help me what is the problem in this case it is highly appriciated.