Schema-level Security For Multiple Users In One Database
Apr 17, 2007
My developers would like a 'sandbox' database with full ddl and dml permissions, however, they do not want others to read/change/drop their objects. With SQL 2005, can DDL permissions be granted to a user at the schema level? I'd rather not set up a database for each developer.
Locally I develop in SQL server 2005 enterprise. Recently I recreated my db on the server of my hosting company (in sql server 2005 express).I basically recreated the tables and copied the data in it.I now receive the following error when I hit the DB:The 'System.Web.Security.SqlMembershipProvider' requires a database schema compatible with schema version '1'. However, the current database schema is not compatible with this version. You may need to either install a compatible schema with aspnet_regsql.exe (available in the framework installation directory), or upgrade the provider to a newer version.I heard something about running aspnet_regsql.exe, but I dont have that access to the DB. Also I dont know if this command does anything more than creating the membership tables and filling it with some default data...Any other solutions/thought on what this can be?Thanks!
I need to secure a datawarehouse table at the row level based on 1 tomany keys on that table. A user should only see the rows they haveaccess to. I need to be able to figure out which rows they have accessto using a single sql statement and it cannot be dynamic SQL or astored procedure (this is a limitation based on the reporting tool weuse).The conditions can be any combination of "and" and "or" operators. Ihave seen posts (and actually have three of his books) by Joe celkodescribing disjunctive canonical form. If not familiar please clickthe link below.http://groups.google.com/group/comp...db6abcfa6209d2fA rules table in disjunctive canonical form looks like it mightpotentially be a solution, but I can't figure out how to use it acrossmultiple keys.Here ia an example of what I am trying to do including current tablestructures and sample data. I cannot really change the generic_facttable schema, but the security cross reference table can be modified oraditional tables added.CREATE TABLE generic_fact (generic_fact_key int NOT NULL ,salesrep_key int NOT NULL ,product_key int NOT NULL ,customer_key int NOT NULL ,sales_amount decimal(18, 0) NOT NULL ,CONSTRAINT PK_generic_fact PRIMARY KEY(generic_fact_key))GOinsert into generic_fact values(1,1,10,20,45)insert into generic_fact values(2,1,10,21,90)insert into generic_fact values(3,1,11,22,17)insert into generic_fact values(4,2,10,20,32)insert into generic_fact values(5,2,13,25,6)insert into generic_fact values(6,2,12,24,56)insert into generic_fact values(7,3,11,34,75)CREATE TABLE security_cross_reference (cross_ref_key int NOT NULL ,user_key int NOT NULL ,security_type varchar (50) NOT NULL ,security_value int NOT NULL ,security_operator varchar (20) NOT NULL ,CONSTRAINT PK_security_cross_reference PRIMARY KEY(cross_ref_key))GOinsert into security_cross_reference values(1,1,'product',10,'or')insert into security_cross_reference values(2,1,'customer',21,'or')insert into security_cross_reference values(3,2,'customer',20,'and')insert into security_cross_reference values(4,3,'salesrep',3,'and')insert into security_cross_reference values(5,4,'salesrep',1,'and')insert into security_cross_reference values(6,4,'customer',22,'and')insert into security_cross_reference values(7,4,'product',11,'and')So based on the data in the security cross reference tableUser 1 can see sales for customer 21 or product 10(generic_fact table rows that have generic_fact_key values of 1,2,and4)User 2 can see sales for customer 20(generic_fact table rows that have generic_fact_key values of 1 and 4)User 3 can see sales for salesrep 3(generic_fact table rows that have a generic_fact_key value of 7)User 4 can see sales for salesrep 1 and product 11 and customer 22(generic_fact table rows that have a generic_fact_key value of 3)Does anyone have any ideas on the best way to do this?
HiI need to set security for row level but not based on Database user'slogin. It should be based on the user table login. For the particularuser I need to allow only the particular records to access insert,update delete and select.Let me explain clearlyFor example think we are using asp/asp.net websiteEg:www.test.comSo take this is our website and if you try this URL then you will get awindow for Login name and password.For example the Login name is windows user name (Here windows usermeans server windows user and not client) and windows password. So ifyou have login user id you can able to login in our site and we haveanother check. We have our own usertable this table consist all theuser login names and user rights. We will check the windows user whologin in our site has rights in the usertable I mean he is present inthe usertable if he is not present then we will display a message youhave no rights to access this site.If he has login id in our usertable then he allowed viewing ourpages. Still if he has the login id we will check the user who loginhas how much right to access to each page and the records of each tableits all depend on the user rights.So, here I need the row level security. For each and every table weneed to check the corresponding user and executing the record producelot of business logic problem for us.So after the user login we need automatically to set row levelsecurity for all the tables. Based on the user who login.So from there if we try select * from <tablename> then we can only ableto get the allowed records to select, insert, update, delete.Please can some one help how to solve this?Note:For some help you can refer the below URL (See in that they only givenabout the row level and column level security for each database usersnot for our required concept)http://www.microsoft.com/technet/pr...5/multisec.mspxThanks in advanceRams
Is there any way in which I could distinguish a group of Database users from the other users. Say for e.g. store the Database users hierarchically, etc. Adding a Prefix/Suffix to the user name as a distinguish-er will not work in my case. I want to restrict the deletion of these Database users. Even the login with sysadmin or serveradmin rights should not be able to DROP those Database users.
we have an application which lets users connect to production database with windows credentials, They are able access the sql tables too with windows login. I want to restrict them from accessing the sql tables. How do I do that.?I tried a db_deny but that prevented them from accessing the application too.
I have setup a Database Audit Specification as follows:
Audit Action Type: SELECT | Object Class: DATABASE | Object Name: SHOPDB | Principal Name: public
Now, when I perform a SELECT query with a bound parameter such as:
SELECT * FROM myTable WHERE name='queryname'
What I see through the Audit Logs is something like:
SELECT * FROM myTable WHERE name='@1'
I understand that it is by design that we cannot see these parameters throught Database Level Auditing. I would like to know whether it is possible to see these parameters by any other means using
(1) SQL Server Enterprise Edition, (2) SQL Server Standard Edition, or (3) by an external tool.
I am trying to revert back to Windows 7 after upgrading to Windows 10, however it will not let me and the following message occurs: "Remove new accounts.Before you can go back to a previous version of Windows, you'll need to remove any user accounts you added after the most recent upgrade. The accounts need to be completely removed, including their profiles.You created one account (NT SERVICEMSSQLSERVER) Go to Settings> Accounts> Other users to remove these accounts and then try again".However I did not create any new users and there are no other users listed in the Accounts section.
I'm developing an application in ASP.Net that uses SQLServer. The database person in the team wants to have each user have a seperate login to the database so he can tell who has done what changes in the database. Is this a good practice? Or are their performancesecurity issues with this model?
We are trying to setup security on our Sql Server. We are using Integrated Security.
The problem we are having is that we need to have a user belong to multiple groups within one database. The user would have different rights depending upon which group they belonged to.
So far we have not found anyway to accomplish this setup.
I would appreciate any ideas/thoughts on this matter.
I don't know whether this question belong here, but.... In the past I had many customers using the same website each with their own domain name and their own database. To accomplish that, I used MS Access and placed each customers database in separate directories. I steered the customer to the correct directory using their domain name. I am now trying to accomplish the same thing using aspnetdb.mdf and other .mdf database files. I am using the aspnetdb.mdf database for membership, etc. I want the aspnetdb.mdf database file to be unique for each customer. Does anyone know how to accomplish what I was doing with MS Access using aspnetdb.mdf? Is there any way to have multiple web.config files each of which would be dedicated to a particular customer?
I have been using the software, and it has been working fine (on windows user A). Now, I have created another windows user (User B), and would like to use the same software/database. The software launches fine (User B), but cannot access the created SQL database (created with user A)
How do I setup the database to allow access from all users on the same PC?
I have developed a Windows App in VS.NET 2005 which connects to a SQL 2005 Express database.
Now I want to install the app and database on the network and I am getting an error "File 'file_name' is on a network device not supported for database files"
I want to make data changes in read_only database , that's why i must set database read_write. While database is at read_write mode, i want to be sure that no one makes change in database.
For this aim, i write the code below, but i suspect that after setting the database read_write, till the setting database single_user ,is it possible get DML script from another user. Is the code below enough for this operation. Or is there another way?
Reminding: Read_only database can not be set single_user mode. That's why, first you must set database read_write.
The code;
use master alter database xxx set read_write with rollback immediate alter database xxx set single_user with rollback immediate
use xxx update tablexxx set columnxxx=yyy use master alter database xxx set read_only with rollback immediate alter database xxx set multi_user with rollback immediate
Hi I have to questionsproblems I would need help with. First I am creating a three level merge replication. I mean I have a main publisher with its distributor, a subscriber/publisher and also with it's own distributor and lastly a subscriber. I start by creating the relation between subscriber/Publisher and the subscriber and than I move up to the main Publisher and SubscriberPublisher relation. After this second merge I get the following errors and the articles in my SubscriberPublisher are lost...
The merge process could not retrieve article information for publication 'I-Test-Publisher'. (Source: Merge Replication Provider (Agent); Error number: -2147201017)
Cannot insert the value NULL into column 'tablename', table '@tmp_table'; column does not allow nulls. INSERT fails. (Source: DEVSERVER3MSDE (Data source); Error number: 515) ---------------------------------------------------------------------------------------------------------------
Failed to allocate new identity range. (Source: DEVSERVER3MSDE (Data source); Error number: 21197) ---------------------------------------------------------------------------------------------------------------
Secondly
I have set up a two level merge replication with a publisher and a subscriber and had modified the structure of a table in the publisher with sp_repladdcolumn. During the day all was fine I continuously tested it by adding more columns, droping columns and testing the replication itself with data entry, but when I got back the next morning my test table and all other table I presume had lost its data and structure. The conflict table for the corresponding test table had kept it's structure but no data were present since no conflict had occured. This is a recuring problem that some colleagues had. Does anyone have any idea what might cause this problem and why it happenned. Thanx
I have transfered few databases in sql server 2000 to sql server 2005.I was checking after recovering the database
exec sp_change_users_login 'report'
for each database..
Then i found so many orphand users.
From Microsoft web site I Executed stored procedure sp_help_revlogin in 2000 and the result i copied to 2005 and when i executed the orphand users which i wanted for users that didn't help fixing the problem
i used this link to fix orphand users but that didn't help me http://support.microsoft.com/kb/246133 So under users for each database i started deleting orphand users and adding them again..that was helping me...But to delete the users i had to delete the schema and then delete user which was hard as i have so many databases... which worked out fine. But then when i was trying to delete schema's for few they dont get deleted because there where tables with that schema..
And One orphand user was 'dbo' how do i solve this situation.
the databases i am moving is from sql server 2000 to 2005 but they are two different server not to instances
How is the best possible way to fix this...I dont know passwords for users so i want them as they where in 2000 database
I have designed an XML schema in which defines the data structures expected in an xml file that our software will import. This is used to validate the files.The current problem is that the validation passes any correctly formatted xml file that does not contain any of our data structures. Is it possible to put something in the schema that says that at least one instance of our toplevel datatype must be included in the file?. I know using minOccurs="1" but I can only see how to use with a definition of a datatype - not the xml file itself.
Hi guys, We have a scenario where there are about 50 tables in our database and we want to build an intranet web application for users to with the office to access those tables. Users ability to access tables falls into diferent category:
Some users can NOT view some tables at all Some users can ONLY view some tables but not insert/update any field Some users can view and also insert/update some tables (in the same time they might not have view(select) permision on some other tables) Now, what is the right way to implement this. I say we have to have a Role, RolePermission, User, UserPermission inside our database to implement this (something which would look like the Roles and Users inside MSSQL) and we only have one user for our Database (MachineName/ASPUSER) to access the database and all the tables within My colleague says NO, instead of creating all these tables and implement this, we add every user of our application as a Database user inside MSSQL in the Databse Users. All the web application I have seen so far, DNN, CommunityServer, ... the have tables to implement all these and they don't add users inside the MSSQL. Now which way is the way to go with, and what problem might we fall into if we use SQL users, is this possible at all. How can I convince him that we have to make and use our own tables to manage this. Thanks for any help,Mehdi
I have the following Problem: ( not simular to http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=101916 )
In one Table ( Objects ) exists an Id to my internal Security Tables, where the combination of many Features together results in, which Data the user could see. Today, i use only one SQL Account and the Security ist solved in my Application, In an SP is a where Clause generated, every SQL Statement is extended whitch this where clause. This work fine, but everyone with SQL User and PW could see everything this the Query Analyser or Management Studio.
The perfect solition could be: Several Usergroups should have Access to my DB. Only a few Views / SP where execuable for these Usergroups.
The Application calls alway the same View / SP an depending on the Login the Data ist filtered in the right way.
Is ist possible to filter a view with dynamic SQL ?
2.nd Question:
Is it possible to restrict Users / roles depending on the Network IP Address / Network Mask ?
The Security Problem only exists, when Users with VPN are connecting, internal Users always have full access.
I am attempting to create a view only user in Report Manager which can only view and run reports from a single directory. I have the following configured:
Active directory Group: DomainReport Users - Group Scope: Global; Group Type: Security; Member of: <none>
Active directory User: DomainReportUser - Member of: DomainReport Users group
Default web site Reports virtual directory: Directory security: Integrated Windows Authentication only
Default web site ReportServer virtual directory: Directory security: Enable Anonymous Access (user: domainadministrator) & Integrated Windows Authentication
Report Manager
Site Settings->Item-level roles: New role: Report Viewer; view folders and view reports only items selected
ReportFolder(Report Manager folder with reports): Properties->Security: Added DomainReportUser with Report Viewer role
When I go to my Report Manager site (e.g. http://url/reports) I get the Windows security form, in which I enter the DomainReportUser credentials. However, after I log in I have full rights to all folders and functions of Report Manager, as if I logged in as BuiltinAdministrator.
At what level of security is this breaking down? As far as role-based, I believe DomainReportUser should only have access to limited resources of Report Manager when logging on. What is allowing him to have Content Manager control of Report Manager? Is there a better way to set up a "view reports only" user access to Report Manager?
Hey, I have 3 columns in a table Ex: Select Column1,Column2,Column from TableName
No. 1. Person A should have permission to read values only (Column1, Column3 of the table) - 2. Person B, should have permission to read only (Column 2).
Here my question is , I have to write one single stored procedure to statisfy both conditions. Which means, if person A execute this stored procedure , he shoud get only column 1 & 3 values . similarly other person b should get column 2 value. Ex: Column 1 - Empid Column 2 - SSN (Only for Top user display) Column 3 - Join Date Person A & B as a SQL or Windows login
In some our dotabases I can see Schemas created with the same name as Domain User name (domainusername). Schema owner for those schemas is not dbo but the same user as in schema name. How this happens? Is any way to prevent or prohibit this?