Use An Existing AD DL Security Group For Security Role

Jun 18, 2007

I want to use an Active Directory security group that is a Distribution List for a new role assignment for an existing report. Can someone tell me if this is possible? I get an error each time I try:














The user or group name <DLName> is not recognized. (rsUnknownUserName)"

View 1 Replies


ADVERTISEMENT

SQL Security :: Running Job As Windows Security Group

Oct 18, 2015

Is there any possibility to schedule SQL job execution as Windows Security Group? I need to run powershell script through SQL job with one of this group member's permissions. 

View 4 Replies View Related

Security Role For SQL Agent Job

Dec 10, 2003

Hi,
Which role we can assign for user other than Sysadmin to able to see and execute all sql agent jobs?.
Thanks,
Ravi

View 7 Replies View Related

SECURITY - Sysadmin Role

Feb 11, 2004

Hi all,

Our SQL2000 server now allows all member of the Windows 2000 local administrators group log in with SysAdmin role.

I only want couple of people with sysadmin role. What should I do
to prevent that. I was told once that I should delete the
BUILTINAdministrator ID and manually add each window login ID
to SQL server. Am I on the right track?

Thank you for your help.

View 1 Replies View Related

Security For Application Role

Sep 4, 2007

We have an application use Approle to read from database. If the client login to windows as administrator or a name that has the administrator rights, the application can get all data. If the client login to windows as a domain user that has limited rights, the application can't get all data.
I run profiler and found that it seems, when application use approle to access a database, the login name is the domain user that log into windows. Is there anybody know what type of right the window login name should have in order to get all data from a database?

Second question, when I log in to window as domainusername( username is not administrator, but has administrator rights). In the profiler, I can see the application use this domainusername access database. However, under sql server login node, I didn't find domainusername. Is this because, the domainusername belongs to buildinadministrator?

Thanks

View 1 Replies View Related

Folder And Role Security Question

May 21, 2008

On our report server I have several folders. I would like to set up security such that a user doesn't see any folders except the "My Reports" folder (I enabled the My Reports site option) and a few other folders I specify. These are a shared folder and the models folder.

Is there a way to create a system level role that by default can't browse any folders except My Reports and ones I specifically grant? I would also like this person to default to having the item level security role of report builder to create reports off of report models.

The only way I have been able to accomplish this so far was to add the user to the the system users site level role and then go to every undesired folder and delete the item level role assignments for the user. It seems odd for the user to have access to every folder then to remove permissions from each folder. Should I create a role with no tasks and then selectively add in the permissions to the desired folders?

I did try creating a new system level role that only had the Execute Report Definitions task assigned and assigned the user exclusively to this role but they could still see all of the folders and their My Reports folder. When I created a new folder the user had been defaulted to item level roles of Browser and Report Builder. I suspect these defaults are what caused the new folder to be visible as soon as I created the folder.

I searched the forum for my question so hopefully I am not causing a re-answer of this question.

Thanks in advance,
Sean

View 3 Replies View Related

Role Based Security Issues

Jan 16, 2007

I am attempting to set up a new user that has only the ability to run reports in the report manager.

I have created a new ActiveDirectory entry for DOMAINReportUser. I have a created a new folder with the reports, and have set this user as a Browser role on this directory, and all reports in the directory.

I have made it throught the security maze to gain access to these reports as this user, but I cannot dynamically run the reports. As the BUILTINAdministrator (content manager), I get a grayed background on the parameters and can run the reports. As this DOMAINReportUser, I get what looks like HTML parameter items, and cannot run a dynamic report. Even if I change the role of this user to Content Manager, I still cannot run a dynamic report.

How do you properly set up a user to be able to dynamically run, and only run, a report in Report Manager, and have this user only see reports in a single folder?

I have been fighting the security issues of creating a RS site and properly setting up access, and have yet to find a single site or person explaining the entire process in any coherant method.

Mark



View 3 Replies View Related

SQL 2012 :: Role Based Server Security

Sep 20, 2015

There is a STIG Check that does not allow grant "Connect SQL" directly to any logins except SQL System and the SA account. My way of resolving this is to do the following:

Step One:
We create a Server Role called SQL_APPLICATIONS – for the application accounts
We create a Server Role called SQL_DBA – for the DBA accounts
and give them direct “Connect SQL’ server permissions. MAKE THE ROLE OWNER = sysadmin (group)

Note: I think that creating a Server Role is only available starting with SQL Server 2012, but not sure. I am using SQL 2012

Step two:
I add the members (Logins - SQL & Windows) – in this case any application accounts and DBA accounts to the new roles respectively

Step three:
I remove the “Connect SQL” Permission from each Login

The first problem i noticed is that the maintenance plans failed with "The owner domainusername of job db_backup does not have server access.I am currently using a test system and wondered If you think I will have trouble with the application connecting when I try and implement on the production systems.

View 3 Replies View Related

Role Based Security And Child Groups

Jun 29, 2007

Hi All,



I have a report running and I am attempting to assign role based security. I added a group to the site level security. The group I added contains child groups. It doesn't seem that report server is looking into the child groups to see if the logged in user is a member of the child group. Is there anyway to get this to work instead of adding all the groups directly? I suspect that report server is using cominterop and cominterop is not traversing the directory tree?



Thanks,

Darren

View 1 Replies View Related

Report Builder Role Based Security

Feb 7, 2006

From Books Online Help:

In the role-based security model that is implemented for Reporting Services, users who are assigned to the Content Manager role can create and edit reports in Report Builder. Local administrators are automatically assigned to this role.


If you want other users to be able to work with a Report Builder report, you must create a role assignment for them that includes the default role "Report Consumer." Alternatively, you can create a custom role definition. As long as the customized role includes the "Consume reports" task, users who are assigned to that role will have sufficient permission to create and modify reports using Report Builder

---------

However, when I try to give a contact those rights, the "Report Builder" link still does not show up for my users. Is there any other place where I can examine the security rights to see why the Report Builder permission is not granted to my users?

View 1 Replies View Related

Analysis :: Security Role Default Member

May 12, 2015

I am setting up some security requirements - the requirement is that team leaders get to view all teams within their division. What I would like it to do when they log onto their dashboard/ssrs report is that it defaults to the team leaders default team (they can still select from other teams if they require).If I can avoid I don't really want another parameter in the report for this.

In my cube I have an attribute under the people dimension (where teams and division also reside) called Fee_Earner_Effective_Flag and where this is set to Y this is their current team.

Under the Role properties security under the Fee_Earner_Effective_Flag attribute I have set the Default member to

[People Primary FeeEarner].[Fee_Earner_Effective_Flag].[Fee Earner Effective Flag].&[Y]

When I then logon as the user and try to access the cube I get the following

Errors in the metadata manager. The '[People Primary Feeearner].[Fee_Earner_Effective_Flag].[Y]' security default member from the '{' attribute returns a result from a different hierarchy.

I have also tried setting the default member in the cube solution and then processing but then the cube failed.

View 3 Replies View Related

Public Role And Guest Security Concern In SQL 2000 SP4

Sep 8, 2006

Hi all,

I have setup a new SQL 2000 SP4 and internal auditor query about revoke permission from Public role and remove guest from all databases.

1. Can I revoke all default permissions (select on system tables in all DBs) from "Public" role? I am concern any error after such action.

2. I found that guest account in DB -- master, tempdb and msdb. According to Microsoft documents. The account should not remove and can't from master and tempdb. How about msdb?

Thanks,

Regards,

Edwin

View 7 Replies View Related

Inheritance Of Security Role In Folder Structure Of Reports

May 16, 2007

Hi,
I have a folder structure of reports like this
Home
|
/
A B

Now, suppose I have created this folder, A first and user, say A_User is given permission to view this folder. I am expecting this user to browse from 'Home' to A folder but as you know to browse folder 'Home' he must also be added to 'Home' folder . So I add him to 'Home' now.

The problem comes when I add new folder B, for user B_User. The moment I add this folder A_User is also added to folder B because of the inheritance of users to child folders.
So user A is able to see both A and B folder....and thats my problem, he is supposed to only A folder and not B

Is there any way to disable this inheritance feature ??
I tried deleting A_User from B with a script using "InheritParentSecurity" method of ReportingService but it says that it can not delete inherited users.

How can I fix the problem ? without need to manually delete users from folders ??/

thanks

prashant

View 3 Replies View Related

Analysis :: DAX - Dynamic Masking Of Information Based On Role Security

Oct 2, 2015

I have a business requirement to build a tabular data model, where I need to mask information of other Agents from a given Agent but I still need to show the overall sales of the given product. 

For eg: IF an Agent is in APAC region he should see APAC region sales and also should be able see the sales of the same product in other region without knowing region specific break down.

For Agent  "Tom" in APAC region, the numbers will look like this
APAC_Sales = 100,000
Other_Sales = 500,000

And if "John" is in NA region, then the number will look like this for him

NA_Sales     = 200,000
Other_Sales = 400,000

I wanted to create "Roles" based on the Region, so all the agents belong to "APAC" region will have same view as Tom and "NA" region agents will have John's view.

View 2 Replies View Related

SQL Security :: Sysadmin Role Not Taking Effect For Windows User?

Aug 11, 2015

My company has a Windows 2008 R2 server which is running SQL Server v11.0.5058.  This server was previously running SQL Server 2008 and was recently upgraded.  Since the upgrade I have noticed that when I connect to this server using SSMS and Windows authentication it seems as though I have a limited user context as I cannot see SQL Agent in the server tree at all and underneath the server security > logins folder I can only see the sa and SQL Server Windows service accounts (there are many more).

If I connect to the server using SSMS and the sa credential then I can see everything I expect to be able to see as a sysadmin.

I tried connecting as sa, then deleting my Windows AD account from the security > logins folder and reading my Windows AD account with the sysadmin role however this yielded the same result, when I connect using Windows authentication I still appear to be in a limited user context.

We have several other SQL 2008 / 2012 servers within our organization and all of them appear to be working fine / none of them exhibit this problem.

View 8 Replies View Related

Implementing DB Security In Existing Server

Mar 25, 2008

Dear Colleagues,

How do I install a Microsoft SQL Server 2005 database application in an existing server in an existing database server and still have the control over it and also restrict the new server Admin user from editing or even opening my DB. Any modification of my database or code should be implemented only by me. Is it possible to remove the Builtin Admin from the server role?? As in my case, there is no need for anyone else to open the DB in Management Studio at all as my VB application does all that is required.

Thanks and best regards,

Peter

View 3 Replies View Related

SQL Security :: How To Create A Low Privilege User And Role For Server Session State

May 26, 2015

An old website I inherited uses sa to connect to SQL SessionState and had the details in the web.config. This is bad for security.The session state database is of -sstype "t" which is defined as:Temporary. Session state data is stored in the SQL Server tempdb database. Stored procedures for managing session state are installed in the SQL Server ASPState database. Data is not persisted if you restart SQL. This is the default.What kind of WIndows user, SQL Login, role and permissions do I need to create to make Session State secure? (Windows Server 2012 and SQL Server 2012 mixed mode authentication, Webfarm).

View 4 Replies View Related

Advice On Security Model For XML Web Services For Many Users In Active Directory Role

Feb 21, 2006

I am working on the security model for an application that will be used by 100s of users with a dedicated SQL 2005 database for this application and access via SQL XML Web Services.

The client has asked to make it "open" during alpha testing such that anyone can access the web services without having to set them up first. Is there a way to do this? The best I can figure is to use mixed mode security and hard code a login and password. Any method using Windows authentication would require that I add every user at a minimum to the database.

In production, all users will have an active directory role specified that determines if they should have access to the web services or not. However, it is my understanding that to use Windows authentication, I would still need to add each individual user at a minimum as a Login to the SQL Server, and under best practices also as database users with permissions granted to the endpoint.

Am I correct in the above, or is there a more efficient way to achieve these results?

Thanks

-L

View 1 Replies View Related

Redoing Security In An Existing Large Environment

Aug 17, 2001

I wish to do a major change on our security profile. Basically, I wish to allow a group of users to do everything but modify objects/change logins/drop-create objects. Is there a quick way to build and apply this model ?

Thanks,

View 1 Replies View Related

SQL Security :: Importing Existing PEM Certificate Into Server

Oct 26, 2015

I must prepare a procedure which should export some data from some DB columns, but these data must be encrypted using the OpenSSL protocol, to be sent to an external recipient.This recipient sent to me a "public" certificate in PEM format, to what I understood (it is a file beginning with the expression "-----BEGIN CERTIFICATE-----", then a long Base64 sequence and then "-----END CERTIFICATE-----").

Then I didn't create the certificate nor I am a certification authority: I just have this public key (or, at least, a file from which I can extract a public key) and I must use it to encrypt data in order to obtain an output which must be analogue to what I can obtain when using this OpenSSL command line instruction:openssl rsautl -encrypt -in CF.txt -out CF.enc -inkey SaniteICF.cer -certin -pkcs

Then the question is: starting from this PEM file and nothing else, can I import it and store an asymmetric key or a certificate in SQL Server and use it to encrypt data to be exported?

View 9 Replies View Related

Analysis :: Show Grand Total When Using SSAS Tabular Role Security Permission

Oct 30, 2015

If user want to see the grand total for a measure with include all members, even though the user has limited access for that member, so how we can do using DAX?For example, let’s say the total revenue for all the divisions in a cube is $15,000. You create a role called “Division A”, and set it up so members of that role can only see the revenue for Division A, which totals $3,000. If you use a front-end tool like Excel to access the cube and use the division hierarchy to see the total revenue, you will see the revenue of $3000 for Division A, but also want to see the Grand Total for the revenue as $15,000How we can achieve above scenerio in tabular model (DAX).

View 3 Replies View Related

Can't Add NT Group Into Security

Jan 24, 2008

Hi there

I got this very weird issue on of our SQL2005 box. For some reason, can't add an NT group. Adding NT user is no issue at all.

It keeps saying:

TITLE: Microsoft SQL Server Management Studio
------------------------------

Create failed for Login 'EEEEEE-SL-SQL-MAX_QRY-DBOWNER'. (Microsoft.SqlServer.Smo)

For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=9.00.3042.00&EvtSrc=Microsoft.SqlServer.Management.Smo.ExceptionTemplates.FailedOperationExceptionText&EvtID=Create+Login&LinkId=20476

------------------------------
ADDITIONAL INFORMATION:

An exception occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)

------------------------------

Windows NT user or group 'EEEEEE-SL-SQL-MAX_QRY-DBOWNER' not found. Check the name again. (Microsoft SQL Server, Error: 15401)

For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=09.00.3042&EvtSrc=MSSQLServer&EvtID=15401&LinkId=20476

------------------------------
BUTTONS:

OK
------------------------------


The SQL Version is SP2 - 9.0.3042. BTW ... I've renamed the actual group name for security purpose.

Thanks

View 4 Replies View Related

SQL 2012 :: Persist Security Info And Integrated Security In Connection String

Dec 4, 2014

I use from sql server 2008. and c#

what is the best connectionstring?

I don't know if i use Persist Security Info and Integrated Security or not?

And if yes then their value must be true or false?

View 1 Replies View Related

ActiveDirectory Group Security

Jun 27, 2007

Hi all



What i want to do - Execute a Stored Procedure when a user log on that is in aActiveDirectory Group.

I want to create a storedprocedure that will be executed when a windows user log on that is part of a specific ADGroup.



I was able to create the ADGroup and add it to logins. I was able to create the procedure with the ADGroup as owner.

The problem is when the user log on, he is not seen as part of the group that has rights on the DB.



Please help

View 1 Replies View Related

Code Access Security Across Multiple Assembly Security Extension

Oct 14, 2005

Hello there I have trying to figure out for days how to enable FullTrust for my Reporting Services security extension.

View 9 Replies View Related

SSRS -- Security Filter And Model Item Security Setting

Jul 31, 2007



Hi,


I have posted this issue for a week, haven't got any reply yet, I posted it again and desperately need your help.


The article http://msdn2.microsoft.com/en-us/library/ms365343.aspx says:
Model Item Security can be set for differnt security filters, but when I use SQL Server Management Studio to set Model Item Security, it seems "Permissions" property surpass "Model Item Security" property. -- My report server is using Custom Authentication.



For example, in "Permissions" property of the model, if I checked "Use these roles for each group or user account" without setting any user or group, no matter what users I added to "Model Item Security" with "Secure individual model items independently for this model" checked, NO one user can see the model on report manager and report builder;

in above situation, if I added "user1" and gave role such as "Browser" role to "user1" in "Permissions" property, if I checked "Secure individual model items independently for this model" in "Model Item Security" property, even I did NOT grant "user1" to root model and any entities under the model, the "user1" is able to access the model and all entities in report builder.



My question is on the same report model, how to set "AdminFilter" (empty security filter) for administrator permissions and set "GeneralFilter" (filtered on UserID) for general user based on their UserID?


The article also says:

"Security filters are always applied, even for users who have Content Manager or Administrator permissions to the model. To allow administrators or other users to see all rows of an entity on which row-level security is defined, you can create an empty security filter (which always returns True) and then use the filter to grant those users access to all the rows."



So I defined 2 filters "GeneralFilter" and "AdminFilter" for "Staff" entity for my report model "SSRSModel", I expect after I deployed the report model, the administrator users use report builder to build reports with all rows available, and the non-admin users can only see rows based on their UserID.



I can only get one result at a time but not both:

either the rows are filtered or not filtered at all, no matter how I set the "SecurityFilter" for the entity: I tried setting both "AdminFilter" and "GeneralFilter" for SecurityFilter at the same time, combination of "DefaultSecurityFilter" and "SecurityFilter", or one at a time.



Your help is highly appreciated!

Desperate developer

View 1 Replies View Related

Sp_attach_db And Security With Windows Group

Nov 12, 2003

Hello,

We use local server windows groups to allow or disallow use of our SQL databases. We are now being asked to move off of our current server. My thoughts are to dettach and attach the database. What is going to happen to all my permissions based on the user groups of our old server? I intend to create the same group names on the new server but they will be newservergroupname as opposed to oldservergroupname. Is it just a case of scripting the database user, roles and object level permissions an manually changing oldserver to newserver?

View 3 Replies View Related

Differance Between Persist Security Info And Integrated Security

Apr 26, 2007

hi i want to know what is the differance between  
Persist Security Info=False;Integrated Security=Yes;

View 1 Replies View Related

Query Users In A Security Group With LDAP

Aug 11, 2004

I have a linked server set up and working correctly. I can create a query to get all the users from active directory with something like this:

SELECT [name], [samaccountname] from OpenQuery( ADSI,
'SELECT name, samaccountname FROM ''LDAP://DC=domain,DC=com'' WHERE objectClass = ''user'' and objectCategory=''Person''')

Now I am trying to select all the users in a specifed security group, but I am not having much luck. What is the best way to get this?

Thanks much.

View 3 Replies View Related

Setup Of Security / Integrated Win Security On Vista

Jul 6, 2007

I have Sql Server Express installed on Vista (service pack 2)

I have Visual Studio 2005 with an application that I'm trying to access it with within a WCF service.



The login ID of the service is added to the database.

The database has remote access turned on.

The ID is granted access to all databases within the server.

The thread is being set with WindowsProvider and the services set their thread to WindowsProvider.

The dataserver is set with using Windows Authentication for security.



When I open my connection to the database, though, it reports the typically useless message that the connection is not allowed and that the server may not allow remote connections.



How to I get past this? I've done everything right.

View 1 Replies View Related

Cannot Connect To Localhost Using Windows Security Group As Login

Feb 19, 2007

I have a test environment set up at home with a small windows server 2003 Active Directory domain. I created a windows security group on the dc and added myself and another user to the group. I then use this group as a login for SQL Server and add the login to the sysadmin server role. This works exactly as I would expect on the Windows Server computer (which is also the Domain Controller) regardless of which computer I use to connect to this Windows Server computer. However, when I set up the exact same login on the local sql server instance of my client laptop running windows xp pro, the I get an error message (Login failed for user MYDOMAINdgolds...) when I attempt to connect to the local instance of SQL server, even though I am able to connect to the instance on the domain controller with no problems using this same client laptop under the same user account. The only way I am able to connect locally on the laptop under this account (which does not have local admin privileges on any box, for testing purposes) is to add the user account separately as a login, rather than as part of a group. I'm curious as to why being a member of a security group that is part of the sysadmin server role does not allow me to connect to the local instance of SQL Server on this client laptop. The windows server computer is running SQL2k5 Enterprise, and the client laptop is running SQL2k5 developer. Any insight into this would be appreciated.

Thanks,

Dave

View 12 Replies View Related

SQL Server Admin 2014 :: Does Security-admin Role Plus Deny Alter Any Login Cancel Each Other Out

Aug 27, 2015

I want to set up a database role so that users can use sp_readerrorlog through SSMS. It does a check on membership in the securityadmin role.

I have tested it and can see you can grant execute on xp_readerrorlog but the SSMS GUI uses sp_readerrorlog.

I thought I could create a user/certificate and add the signature to sp_readerrorlog but it's not permitted (likely because it's not a normal database object).

So the other solution is to add the users to the securityadmin role but then explicitly deny alter any login (best done with a custom server role in 2012+ but otherwise just manually in 2008). I tested this out and it works, I'm not able to alter any logins or increase my own permissions, I also did a check of what's reported from fn_my_permissions(null, null) and it shows minimal permissions like I'd expect.

View 0 Replies View Related

SQL Security :: Replacing Windows Active Directory Group Instead Of Login?

Oct 1, 2015

Current: One common SQL login is being used by SQL DBA on all the servers

New Plan: Creating one windows AD group, adding the DBA's to that group and create as a login with sysadmin server access on all the SQL Server boxes

how to achieve this activity. Creating SQL login is fine but how to change the ownership of various objects, jobs to new login on all servers?

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved