SSIS And Security - Questions

Mar 15, 2007

Hello,

I realize that I am confused about SSIS and security.

In BIDS, I work on and modify my packages. That part I understand. Then, I want to build my project, then deploy to SQL Server 2005. I know how to do that too (for the most part, please see below):

My confusion arises around the "Protection Level" options in the package properties. Right now I have everything set to "EncryptSensitiveWithUserKey". My understanding is that I need to change this in order to run my packages from SQL Server jobs, because only the creator of the package can currently run the job.

So my question is, since I want to deploy to SQL Server, don't I want to change the "Protection Level" to "ServerStorage"?

However, it will not let me change the protection level to ServerStorage. It says "The protection level, ServerStorage, cannot be used when saving to this destination"... presumably because it is attempting to save to the file system.

However, even when I built out my packages and saved to SQL Server, I could not change the protection level either.

Which is why I am really confused... Once you save your packages to SQL Server, how do you make changes to the packages, so that the changes are reflected in the packages stored on SQL Server?

There is some concept I am not understanding here.

Thanks for any help

View 8 Replies


ADVERTISEMENT

Security Questions.

Oct 10, 2006

SQL2K SP4

The apps that connect to my SQL DB's (for internet use) use SQL
authentication (the app login so to speak). Anyways, a Java developer showed
me that he built into his app a way to retrieve that app login and password
from SQL Server. Obviously I wasn't very happy about this. So my questions:

1; Does anyone know if the same thing can be done using .NET code?
2; I've heard of a method using .Net Web Services (WS) for using WINNT
authentication even for internet apps. It would be that the app calls a WS,
that WS the passes in WIINT authentication to the DB and all is good. Has
anyone else out there used this type of security? Is there a link you can
provide?
3; If number 2 is implemented, does it then eliminate the possibility of
apps being able to retieve the sensitive information?

TIA, ChrisR

View 9 Replies View Related

Security Gurus - Questions For You

Sep 25, 2006

I want to create an MS Access front-end for my SQL database.
I want to create user accounts with passwords for each user.
Should I change SQL Server to "MIXED authentication mode" (SQL Server authentication and Windows authentication) ?

********************************************
*** Thank you very much in advanced, security gurus ***
********************************************

View 5 Replies View Related

SQL Server Security - Questions

Sep 25, 2006

I have created logins and user accounts in SQL Server.
How come, when I open SQL Server, it did not prompt for passwords ?
How can I make it to do so ?


********************************************
*** Thank you very much in advance, security gurus ***
********************************************

View 2 Replies View Related

Dialog Security Questions

Aug 10, 2006

Hi Remus

Thank you for the email reply.

However i am still not 100% clear, dialog security with certificates when there are hundreds of remote services seems a bit complicated.

I have a few more questions.

1. you said "When sending the first message (any direction), we look up the 'best' certificate for each user"

My inititor sevice is owned by dbo, i have created certificates only for named users not dbo, how would this work?

2. I am going to try settin gup this again, but at the central service i will create a seprate user for each remote service, authorize the remote certificate for this user and use this user in the remote service binding for that remote service, is this correct or am i still doing somehting wrong?

3. How does all of this relate to the endpoint security, i ahve the same scenario, 1 pricipal id with all remote certificates authorized for it for the endpoint? I have no idea how i would have to setup different user for each remote servcie as far as the endpoint goes as there is no remote service binding to dictate which user to use ?

I will keep try and experimenting maybe i will get it right sooner or later.

Thank You

View 6 Replies View Related

More Custom Security Questions

Jun 25, 2007

Still working on custom security
Since I can't get a name of file (path) from within CheckAccess method it becomes somewhat useless. Is there a way to maybe overload GetPermissions or Policies methods? Or maybe CreateReport method so that I can include some custom code there? Is there an example of something like that?

I wish the catalog tree was transparent to Authentication extension, I don't see a point in acl for a custom extension, all I want is names and I can build on top of that. Something along the lines -




Code Snippet

public bool CheckAccess(...file...)
{
string[] permissions ;
permissions = server.GetPermissions(file);
...
Maybe I am missing something simple and I can tie everything to a security descriptor but I don't see how I can if there is no information such as name, date, modified by name and so on. All we get is principal name which is not very useful since I don't use built-in security names.

Thanks

View 2 Replies View Related

Several 2005 Security Questions

May 28, 2008

I am an Oracle DBA who inherited SQL Server administration. I have been to some 2005 training and I've been supporting several DB's for a while now but I still have some nagging security questions and would appreciate some help.

1) I needed to grant execute on a specific procedure but when I drilled down, I found that it already had execute in the EFFECTIVE PERMISSIONS. I would like to know how to tell where it got this permission from. I did some digging and found that execute appears to have been granted to the schema itself. I didn't know you could do that. Would this result in the effective permission that I observed?

2) I am trying to audit the permissions on existing principles. In Management Studio I drilled down and found permissions under Security and under Server Properties. There are also more permissions under Database Properties and Security and still more assigned at the specific object level. Where can I go or what can I query to see ALL the permissions a principle has been granted across the entire server?

3) If I grant a principle CONTROL to a schema does that also automatically confer DDL rights to said schema or would additional privs be required to perform DDL?

Thanks in advance,
Roger Westbrook

View 1 Replies View Related

Basic Security Questions

Sep 5, 2006

Hi,

I am new to SQL 2005, can someone give me some details instructions about how to do below two tasks:


All my developers are in a window domain user group, I need to grant dbo privileges to that domain group so then can do the their development work. The rule is all objects they create need to be owned by dbo not by there ID. ( I can€™t do it because I got €ś The €śDeafult_Schema clause cannot be used with a windows group€?)
Same as above but this time they only need select permission on tables nothing else.

Many thanks.

PC

View 1 Replies View Related

Security Patch/Service Pack Questions

Sep 17, 2007

<!--[if !supportLists]--><!--[endif]-->

I posted this question before, and got a response about Windows Update. However, I work in a larger corp. and need to know if there are any other answers to this? We use a patch client that rolls out patches and service packs after we have tested them in our environment. What can we do to stay as up to date as possible for security patches?



How are security patches for SQL Server Express made available (e.g., as separate distributions or bundled into other Microsoft patch distribution mechanisms)? Are there specific procedures that I need to put in place to ensure that it gets patched on end user machines?



-Kyle

View 1 Replies View Related

Custom Security Extension - Authorization Questions Using Forms Authentication

Nov 9, 2007

Greetings. I have developed our own custom security extension, implemented forms based authentication, and can authenticate from report manager, report server and sql studio. So far so good.

However, when it comes to Authorization, i'm unclear in a few areas and would appreciate if someone could help me out with the following questions. It should be noted that in the code I have granted an administrator user full access to all operations and permissions, and then tested against both an administrator user and a normal user.


IAuthorizationExtension.GetPermissions summary says

"Returns the set of permissions granted a specific user for an item in the report server database."

Inparticular, the secDesc parameter is supposed to contain the security descriptor associated with the item.

However, with our extension this parameter is always null, even if I have already granted access for a user, which is confirmed through logging in CreateSecurityDescriptor.

Through the report manager or sql studio I can see that the permissions have been created, so I can't understand why I never see them in the GetPermissions method? This then (seems to) flow through to the various CheckAccess methods, where the users are authenticated, but are not authorized to perform any operations. i.e. in report manager a user has no folders or reports available.


Is RS authorization designed around the concept that the details will always be stored in it's own database?

Ideally, we'd like to have the various roles, users and function authorizations defined in our own security framework. This is working great for the authentication aspect of the extension, but unless there is a mechanism which exposes the details of the particular authorization process (e.g. the name of the folder being viewed or report being run), then I can't see a way we can implement it. Unless i'm missing something fundamental of course!


Using Report Builder as the Administrator user (or any other user), I can see no data models available, even though I have created them via Report Manager, and I get the following exception trying to open up the list of reports:

System.Web.Services.Protocols.SoapException: The permissions granted to user '' are insufficient for performing this operation. ---> Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user '' are insufficient for performing this operation. at Microsoft.ReportingServices.Library.ListChildrenAction.PerformActionNow() at Microsoft.ReportingServices.Library.RSSoapAction.Execute() at Microsoft.ReportingServices.WebServer.ReportingService2005.ListChildren(String Item, Boolean Recursive, CatalogItem[]& CatalogItems)

I have implemented a report server proxy (inherited from ReportService2005) as per the example, to pass through the authorization cookie. Any clues as to what could be wrong?

Finally, I suspect part of my problem may be in assignment of users to System Roles ("System Administrator" and "System User"), I'm not sure if these are meant only for Windows Authentication? I can see no way of assigning these roles to any of my users using Forms Authentication.

Thanks for any help or advice you can give!

View 25 Replies View Related

SSIS Questions

Mar 4, 2008

Hi all,Can you please share some interview questions that can be expected on SSIS 2005?

View 8 Replies View Related

SSIS ETL Questions

Mar 23, 2007

I am using SAS Dataset and loading in to SQL server 2005.Now i want to delete columns which have 0 values and null values.Can anyone guide me how to do this?thank you.

View 3 Replies View Related

Converting DTS To SSIS - 2 Questions

Apr 11, 2008

Hi,

I was wondering if anyone know how to do Dynamic Properties Tasks in SSIS? And, does anyone know how to create a global database in SSIS so I won't have to change all of the database names in my package? I'm sorry, I'm new to SSIS and I'm just really frustrated. Thank you.

View 2 Replies View Related

Questions On SSIS Tool.

Sep 28, 2007



I have some questions on SSIS tool I tried to read many docs to understand SSIS.

Now I am looking forward for below questions.

How to use SSIS for :

1. How to Export data from SQL Server 2005 in to Access database using SSIS?

2. How to Import data from Access .mdb file to SQL Server 2005 database using SSIS?

3. How to Import Oracle10g data in to SQL Server 2005 databvase using SSIS?

4. How to Import Oracle10g Data to Access file using SSIS?

5. How to Import SQL Server 2000 data in to SQL Server 2005?

It will be great to have step by step explanation.
Thanks in advance.

View 1 Replies View Related

SSIS Boolean Questions

Oct 24, 2006

Please write YES/NO against point number in your answer i.e. for example:

1) YES, 2) YES, 3) NO, 4) YES etc.

We have source SQL Server 200 databases in one instance and target SQL Server 2005 in another instance both being on different windows 2000 server systems.

Target OLAP DB design is derived from source OLTP.

Most master & transaction tables are as is but some target tables are a result of merging source tables.

We need to do SSIS packages based migration using data flow task based on column mapping & queries using Business Intelligence Development Studio (BIDS). There are no transformations required.

1) Can I group packages under project into sub-groups i.e. super packages?

2) Can I execute a set of packages together which are logically/physically grouped?

3) Can we execute set of ordered packages/individual packages from command line and even
stored procedure?

4) Can we maintain transaction integrity across the entire set of ordered packages we execute?

5) Can we send a mail to mail id(s) in case of events like OnError etc.

6) Can we schedule the packages?

7) Does SSIS provide via BIDS a way to compare data in source with target to decide what got
inserted/deleted/updated and based on that do the necessary?

8) Can SSIS packages be developed including code for data encryption?

9) Can we pass parameters to packages that get called from stored procedure?

10) Can we call stored procedure/function in SSIS package?

View 5 Replies View Related

SSIS Related Questions

Nov 7, 2006

0) We are migrating data from SQL Server 2000 OLTP design to SQL Server 2005 OLAP design.

1) We have an data flow task SSIS package.

2) We managed to send a mail with various variables & their values in subject or body of mail.

3) How do we send mail with details of Error/Warning using OnError/OnWarning events?

4) Can we have bad tables i.e where records which failed to migrate get inserted into. If yes, what are the steps to implement this.

5) Can we have a mix of in-built & custom logging. Is logging provider necessary to do logging. What logging provider to use?

6) Where are the errors that come during build, deploy, install and execute stored? Is there a log file(s) & what it their location?

7) Please post links if that is better.

View 3 Replies View Related

Some Basic SSIS Questions

Jan 18, 2008

I have been working with SSIS and find myself stopped on what seem like very basic tasks.

Am I right in thinking that, if you want to import a flat file into a SQL datatable, in most PC based systems, that you have to manually cast EVERY SINGLE COLUMN to unicode string, if you don't want to get the 'cannot convert between unicode and non-unicode string data types'? I mean, this is surely a VERY COMMON task, taking a CR/LF delimited ASCII file and dumping it into a database tables? What if you have 50 fields to import?

Am I the only one who finds it very difficult to cast a string from a textfile to a date format? At this point, I always just dump the date to a 8 character string and save it that way, and use a SQL view to cast it to a date. At least SQL Server can do 'basic date conversions'. Is there any way to freeze execution and find out what data was provided to a derived column, if you're trying to do some substring operations and hodge together a date? I couldn't find any. I usually put a extra column in a datatable and plunk some data there to find out 'what it looked like', how else can you debug an SSIS program?

Is there a planned service pack or update to SSIS that will make this more usable? Does Microsoft ever intend to implement an UPSERT type module? Or a File Move operation that handles directories that fill up with log files, each of which have to be added to a datatable and then moved to an archive directory (surely, another very common task - I figured out how to accomplish this but it is far from intuitive, the way it currently works). Sorry for grumbling, but honestly, I find turnaround time to develop a very simple import program is RIDICULOUS. It's quicker to write a COBOL program to issue a bunch of formatted SQL UPDATE statements than using this application.

View 19 Replies View Related

SSIS Interview Questions.

Nov 27, 2006

Could some of the expert(s) list interview questions that might come up when applying for ETL/SSIS developer I or II positions.

Thanks

View 39 Replies View Related

SSIS DTC Transaction's HOT Questions

Dec 8, 2006

I am using SSIS with Transaction, and I met a lot of questions as below:

1.IF DTC doesn't support ADO.NET Connection?

Please check the ADO.net Connection's property, it has a property named like: DTCTrancactionSupport. But it's always set to False and unable to edit.

IF the answer is NO, HOW could I bound all my Tasks into one Transaction? You know, I have some Tasks with SQL connection, and I have also some Script Tasks, witch need the ADO.net connection.

2.IF DTC required to run in both the Destination Server and the Source Server?

I have a Dataflow Task, and take some data from a table in a Source Server to a Destination Server. The DTC doesn't run on the Source Server. I found the Dataflow Task hangs when I use the SSIS Transaction(just set the Task's transactionOpion to Required, Only one Task in the Package).

3.IF DTC doesn't support RetainSameConnection?

Many people say that. Really?

4.When a DTC transaction is running, if the table in it could not be modified by process outside of the transaction? For example, a package with a DTC transaction, and there is a SQL Task inside, when it is running, could I modified the same table's data manually(in the Sql Sever Management Studio)?

View 10 Replies View Related

Couple Of Basic SSIS Questions

Dec 4, 2007

Hello all, this is my first post, I have a couple of basic questions regarding the use of SSIS. I have used SSIS for a couple of years for on off table loads but never implemented production jobs with it so please bear with these questions.

1. When making scripts that connect to one or more databases, is there a way to store the userid and password somewhere besides embedded within the package, such as a web.config file, this would make routine password changes much more manageble.

I guess it was only one question but any help would be greatly appreciated.

Thanks.

View 1 Replies View Related

Where Is The Forum For DTS -&&> SSIS Migration Questions?

Jan 29, 2008

I have a question regarding a DTS (SQL server 2000 package) to SSIS (SQL SERVER 2005 package) migration.

which is the best forum to post my question ?

View 1 Replies View Related

Simple Vb / Ssis Data Type Questions

Mar 27, 2007

I have a some raw data in a string that looks like



'1989'



I need that to become numeric 19.89



if I define a type double for rawAmount



and do this:



rawAmount = CInt(iRest.Substring(41, 4))

Row.amount2 = rawAmount / 100



where row.amount2 is a type double precision float from my script component task output, I get:



19.899999999999999



what output should i use in this data flow component to get 19.89.



thanks.





View 3 Replies View Related

Newbie Questions About SSIS Script Components And Data Streams

May 10, 2007

The following is a list of questions that I have not been able to obtain concrete answers. I am probably missing something:
1) ReadWriteVariables -- can the updated value for a ReadWriteVariable be accessed within the same data flow? It appears not as I think the PostExecute() fires at the completion of the data flow not the end of the Script Component. Secondarily, the Script Component is a non-blocking transformation so the component does not "see" the end of the pipeline prior to sending data down stream.

2) Record Count -- Because of #1 above, How could you calculate a record count for a data stream? It does not appear that one can calculate the number of records for a data stream within a data flow and then access the count from within the same data flow.

3) FinishOutputs() -- Is the concept of FinishOutputs() applicable to Script Component Destinations? Asked another way, is FinishOutputs() executed at the end of the data stream regardless of whether there are "real" outputs for the component? I can create a "Dummy" output to create FinishOutputs() but is this ok?

4) Script Component -- It appears that the Script Component Source, Transformation or Destination are really defined based on the columns defined in "Inputs and Outputs". Can you convert an Source script component to a transformation script component by simply adding an Output?

Sorry for these basic questions but I am not getting it completely. As you can tell...

View 12 Replies View Related

SSIS Package Security

Mar 21, 2006

In DTS we had an Owner password and User Password. The User pasword allowed someone to run and schedule the package, but not edit the contents. Owner allowed full /designer access.

I like the two levels of password security. What is the equivalent of this in SSIS? I can only seem to get ProtectionLevel security to work with a single password that seems to be required to run, deploy and execute. Looks like an all or nothing proposition unless i am missing something.

View 4 Replies View Related

Using SSIS Security Features

Apr 22, 2007

I have simple package and trying to use the security feature of ssis. I set the protection level as "EncryptSensitiveWithPassword" and also specify the password. But it doesn't prompts me for the password. Can anybody help me in that?

View 1 Replies View Related

Problem With Security SSIS Agent Job

Jul 19, 2007

Hi,


i have a problem when i schedule an agent on the sql server and i log off the sql server ,

the agent failed with this msg' in the event viewr :

Login failed for user 'sa'. [CLIENT: <local machine>].



the account that run the SQL AGENT is NT AUTHORITYNETWORKSERVICE.



i guess the problem is there but i can't find how to resolve it?



i'll be happy for any help.



10X.

View 1 Replies View Related

Security Requirements For Running SSIS

Mar 29, 2006

Can someone tell me what are the security watchouts there are in running SSIS or the SQL Server Agent? I am having trouble running a job on a package that runs fine through Integration Services. The only difference seems to be that SQL Server Agent is running the job on the schedule.

Does SQL Server Agent need to have certain rights?

Do I need to be part of a certain group besides Admin?

Does the package need to have a particular security for someone to run the job?



I was finally able to get the package set but now I can't schedule the thing to work.

View 1 Replies View Related

Execution Of SSIS Package - Security Issues

Aug 31, 2006

Hi all,

I am currently trying to execute my first SSIS package and am having a lot of trouble with (what i believe to be) SQL security. During the development of the package i was testing all my connection managers with the sa account. Now that i have deployed the package i want to use another account with less privelages so that my setup is more secure. I have created a new login which maps to both the database my SSIS package is using and also to the msdb database. I have created a schema and user in each of these databases which i had initially set with minimal rights. This caused certain parts of my package to fail. I then set up the login with a sysadmin server role which worked no problem at all. Finnally i then gave the schema for the user full rights and removed the sysadmin server role. once again the package fail. Surely i can't only be able to run the SSIS package with an account that has a sysadmin role?

Can anyone tell me if i am doing something wrong. The SQL server 2005 security model is so frustrating to get to grips with.

Many thanks in advance,

Grant

View 1 Replies View Related

SSIS Checkpoint Files Security Threat

Apr 24, 2007

Is it possible to store SSIS checkpoint files in database rather than file system?

View 1 Replies View Related

Ssis Security Short Coming, Major Issues

Jan 6, 2006

Hello,

I feel like ssis encryption model has a serious flaw. Especially when linked to SQL Agent jobs.

I have posted and others have posted messages about this. Something is plain wrong with ssis encryption keys and password protection. Also, you do not have the choice not to protect the packages. In my case, protecting packages is completely useless.

Here is the story.

After this post

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=131340&SiteID=1&mode=1

I created config files for al my packages connections passswords.

Now, by our IT Policy, I had to change again my password and of course, all packages now return multiple errors when I open them.

Hopefully, the config file did its job and the packages are ran anyways by SQL Agent, however, having to manually retype and resave all packages not to have the errors is just a plain hassle. Not to speak about people not using the config files and the correct "Run As" sql agent account.

I stress the fact that in a real world production environment all packages are driven by SQL Agent jobs and MUST run automatically.

Here is the error I get after opening a package after changing my password:

Error 1 Error loading Constants05.dtsx: Failed to decrypt protected XML node "DTS:Password" with error 0x8009000B "Key not valid for use in specified state.". You may not be authorized to access this information. This error occurs when there is a cryptographic error. Verify that the correct key is available.   c:projectsssis packagesssis constantsConstants05.dtsx 1 1 

So Why is'nt this key automatically adjusted after Windows NT Domain password Change?

How can I refresh the key, not to have to reype all the packages connections passwords and rebuilding, Checkin-in again all the stuff?

I do not think the solution is "Use an application account which password never changes when you create your ssis packages" however at this time, this is the only solution I can think of.

How do you guys deal with this problem?

I still do not understand the ssis security model I feel it is diconnected from the reality and unpracticable in a production environment like mine.

Thanks

Philippe

View 17 Replies View Related

Calling SSIS Package From Web Service - Security Issue

Nov 15, 2006

I am trying to call a SSIS package from a web service hosted on the same machine as the package file is sitting. All that the package does is a simple Execute SQL task with one datasource connection.

I have set impersonation as true. When I run the package from the web service on the virual port (through Visual studio IDE) it runs fine.

http://localhost:4609/WebServiceRunSSIS/LaunchSSISPackageServiceCS.asmx

In the above case I don't think impersonation means anything coz it runs successfully even when there is no impersonation set!

I then run the same service (asmx page) from the browser after making it a web service on my machine

http://localhost/WebServiceRunSSIS/LaunchSSISPackageServiceCS.asmx

I get an error indicating package failure.

I have enabled logging in SSIS. The package log indicates the following:

Failed to acquire connection "APNetDS". Connection may not be configured correctly or you may not have the right permissions on this connection.

Effectively, my web service impersonated account (which is my admin account) is not being authenticated for any of the db connection (uses windows integrated authentication) and I find that odd. To impersonate, I have set the Impersonation to true in the web.config file. The authentication mode is windows.

Please tell me what bit of security I am missing? In case if it helps, the database connection is to my local database and hence should not deny access to my own account. And yes, I think my impoersonation is working because when I debug, the user.identity shows my user id.

Thank you,

Sumeet

View 9 Replies View Related

Using System.Web.Security.Membership.DeleteUser In SSIS Package Script Component

Dec 4, 2007



Hi

I have to import a list of users and then add them to my Sql database via .NET framework APIs
Now the following code works from within my web application but I cannot get it to run in an ssis transormation script.

Has anyone got experience with this requirement in an SSIS package script?





Code Block

Public Overrides Sub Input0_ProcessInputRow(ByVal Row As Input0Buffer)


Static users As New System.Collections.Hashtable

Dim password As String = String.Empty


If (Not users.ContainsKey(GetUserCode(Row.UserID))) Then



users.Add(GetUserCode(Row.UserID), GetUserName(Row.FullName))


'create a random password

password = System.Web.Security.Membership.GeneratePassword(7, 1)


Try


'insert new user

System.Web.Security.Membership.DeleteUser(GetUserCode(Row.UserID))

System.Web.Security.Membership.CreateUser(GetUserCode(Row.UserID), password)


'link roles to new user

System.Web.Security.Roles.AddUserToRole(GetUserCode(Row.UserID), "MANAGE_SCORECARD")






Catch ex As Exception


System.Windows.Forms.MessageBox.Show(ex.Message)

End Try

End If

End Sub

View 5 Replies View Related

SQL 2012 :: Persist Security Info And Integrated Security In Connection String

Dec 4, 2014

I use from sql server 2008. and c#

what is the best connectionstring?

I don't know if i use Persist Security Info and Integrated Security or not?

And if yes then their value must be true or false?

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved