Security Need Thoughts: Ease Of Admin And Granularity

Oct 3, 2005

I like the new gig a lot. Real busy, smart folks and I have been in high demand since 5 minutes after my butt hit the chair. I already have code in production.

Anyhow, we have a security situation on the sql servers I pointed out on my first day. So they want me to roll everything over to Windows Authentication and give the developers and report writers more restricted rights inside SQL Server. So they have NT Groups for different kinds of users and all of that jazz and I layed on the typical stuff about using NT groups vs individual accounts and ease of admin vs granularity of control. Well the boss came back and said he wants ease of admin and granularity of control over security. So, does anyone have any fresh thinking on turning my eitheror into an AND.

View 5 Replies


ADVERTISEMENT

SQL Server Admin 2014 :: Does Security-admin Role Plus Deny Alter Any Login Cancel Each Other Out

Aug 27, 2015

I want to set up a database role so that users can use sp_readerrorlog through SSMS. It does a check on membership in the securityadmin role.

I have tested it and can see you can grant execute on xp_readerrorlog but the SSMS GUI uses sp_readerrorlog.

I thought I could create a user/certificate and add the signature to sp_readerrorlog but it's not permitted (likely because it's not a normal database object).

So the other solution is to add the users to the securityadmin role but then explicitly deny alter any login (best done with a custom server role in 2012+ but otherwise just manually in 2008). I tested this out and it works, I'm not able to alter any logins or increase my own permissions, I also did a check of what's reported from fn_my_permissions(null, null) and it shows minimal permissions like I'd expect.

View 0 Replies View Related

Set My Mind At Ease On EXISTS

Aug 16, 2006

SELECT
[List1].[TITLE],
[List1].[FORENAME],
[List1].[SURNAME],
[List1].[JOB]
FROM List1
WHERE EXISTS(
SELECT [List2].[forename] FROM [List2]
WHERE [List2].[forename] = [List1].[FORENAME]
AND [List2].[surname] = [List1].[SURNAME]
AND [List2].[email] = [List1].[EMAIL]
)


I am on the right track here, aren't I?

That query will.. sort of... loop through List1, get the "current" records firstname, surname and email, and then go and see if there's any single record in List2 that contains exactly that combination of values in those fields. It's a stupid question but I'm not the brightest of sparks and BOL leaves me even more confused. I'm just worried in case it's going "well, record 34 matches the current firstname and record 96 matches the current email, so EXISTS returns true".

Assuming I've got it right, though - many of the records that I know to be duplicates have a NULL email address. And the query above seems to be automatically removing them. If there's a record in both List1 and List2 with identical firstname and surname, and both have NULL email addresses - should the query above pick it up? If not, how can I include those records?

View 9 Replies View Related

Security - Admin Access

Mar 22, 2007

How do I grant admin access to a windows account withou having them a part of the administrators group...

I need to give a user access to every report on the server and the ability to administrate the application side of the server but I cannot give them Administrative access to the machine as a whole. I added the user to the system administrators role in team services but this did not allow here to see all the reports. How does she get access to all the reports without being in the Windows local Administrators group?



Thanks

Chris

View 2 Replies View Related

Security Admin On A Server With NO Public Permissions

Sep 21, 2005

I am working with a SQLServer installation where all public permissionshave been revoked from the system.I currently hold the securityadmin and sysadmin roles to perform mylogicall access control work (creating logins and adding users todatabases and changing group memberships.)There has been a question as to whether or not I need the sysadmin roleto do my job, so we tried an experiment in dropping the sysadmin rolefrom my id.With no public permissions, I see no user information on the server,which really limits my ability to do the job.Has anyone ever worked with a super-locked-down server without thesysadmin role for doing security admin work?What I'm looking for is hopefully SQL to perform the access privilegesneeded for the security admin role by itself.Thanks in advance!

View 2 Replies View Related

SQL Security :: Domain Admin Users Cannot Login

Jun 12, 2015

Is SQL Server sensitive to Domain group name? Like "Domain Admin"?

I have user that belong to "myDomainDomain Admin" group. Group is in SQL as sysadmin but user cannot login using domain credentials. When I move that user to a different domain group which that group is in SQL again as sysadmin my user is able to login. 

Environment: SQL 2008 Standard Edition. 

View 12 Replies View Related

SQL Server Admin 2014 :: PowerShell Security Error

Jul 16, 2015

I have a SQL Server 2014 instance running on a SQL Server 2008 R2 server. The server is not clustered, it is just a stand alone SQL Server. The syspolicy_ purge_history job fails every now and then with the error message: "A job step received an error at line 1 in a PowerShell script. The corresponding line is 'import-module SQLPS -DisableNameChecking'. Correct the script and reschedule the job. The error information returned by PowerShell is: 'Access to the path 'PowerShell_CommandAnalysis_Lock' is denied. '. Process Exit Code -1. The step failed."

Google isn't bringing up much besides the whole"If this is a clustered server make sure you have the right server name in the command" answer, which isn't the case here. Some days this job fails and some days it succeeds. I have checked out task scheduler to see if there were any conflicts there, found nothing. Nothing in the event viewer either.

View 2 Replies View Related

Does Security Admin Have Access To Create Logins Using Sp_addlogin

May 31, 2007

i have an asp.net web application that uses SQL2000 backend. any users login to the application using a proper SQL login. so each user has unique logins

One of the roles within the application is to allow the user to create new logins for the application which inturn creates a SQL login. for this i have been using the following special sp's within an application specific sp:-

EXEC sp_addlogin @strUsername, null, 'WEA_MIS', @loginlang
EXEC sp_grantdbaccess @strUsername, @strUsername
EXEC sp_addrolemember @strRole, @strUsername
EXEC sp_password NULL, @strPassword, @strUsername




the only way ican get this to run is if the user executing the sp is a member of sys admin, ideally i dont want to be giving anyone access to sys admin. i thought security admin would allow me to do the above but it doesnt. Is there any other ways or ideas to get around this problem

Cheers,
Craig

View 5 Replies View Related

SQL Server Admin 2014 :: How Does Security Works Between Availability Groups

May 21, 2014

how does security works between availability groups.

ex if i create an object and grant permissions to a user will that be replicated to secondary replica .

View 4 Replies View Related

SQL Server Admin 2014 :: Any Kind Of Security Risks For Enabling CLR?

Jan 21, 2015

SSISDB 2014 - Enabling CLR - Is there are kind of security risks for enabling CLR when creating SSISDB?

View 0 Replies View Related

Index Granularity

Oct 4, 2006

Hi,

I was looking at the new index locking granularity option available in 2005. I did not understand in what case can this be a performance enhancement. Has anybody looked into this ?

View 5 Replies View Related

Time Dimension According To Different Granularity

May 29, 2008

Hi,
I got inventory fact table. For the past two weeks, I got on a daily level; beyond that, weekly level, and beyond that monthly. I need to tie it all in to the time dimension of course €“ and the problem is, how do I do it on different granularity?
As far as time dimension, tn the datamart, I got tables dim_date with key column date_id (int) , and correspondingly dim_week with week_id(int) and dim_month with month_id(int).

What I€™ve done so far, is created a time dimension from dim_date table (meaning granularity=daily) and simply tied in all the inventory €“ daily, weekly, monthly, on the day level (it all has date_id field in it, even the weekly and the monthly. Its simply the day of the end of week or end of month) I didn€™t tie anything to dim_week and dim_month.
Does that makes sense? The result is kind of strange. I cant upload an image here, but€¦ well it seems ok, I got year, week (€˜GL Week€™) and then €¦ this is the annoying thing: why am I getting a €˜date€™ column, when I only want it by week or by month? I can€™t make that column disappear (e.g when in time hierarchy I only group by month, still a €˜day€™ column will be there, and will show 4 days€¦ the 4 €˜end of week€™ that comes from €˜date_id€™.)
How do I make it go away??

Thanks for reading : ) I know it€™s a bit long

View 1 Replies View Related

Sum At A Lower Level Of Granularity

May 19, 2008

Hi all,
I have a big problem with the design and the queries of a couple of tables. I have to calculate the weighted average of the number of days between an invoice and the sum of its payments (rateal payments), weighting this number with the invoice's amount, and only when the sum of the invoice's payments equal invoice amount.
I have designed two FactTables to accomplish this:

Example:
data in the fist table (FactInvoice) looks like this:

CustomerId, InvoiceDate, InvoiceNumber, InvoiceAmount
1234567 2008-03-10 123 1000.00
1234567 2008-04-10 150 2000.00

and data in the second one (FactPayments) looks as below:


CustomerId, PaymentDate, InvoiceNumber, PaymentsAmount
1234567 2008-03-10 123 500
1234567 2008-03-15 123 500
1234567 2008-04-20 150 800
1234567 2008-04-23 150 1200




Let's suppose that I'm querying the cube for the customer 1234567, at the date 2008-05-01. I need to sum the payments for the first invoice multiplicating it for the count of days elapsed, then divide the number by the InvoiceAmount (or PaymentsAmount, is the same) : (0 days * 500‚¬ + 5 days * 500‚¬ + 10 days * 800‚¬ + 13 days * 1200)/3000‚¬ = 8,7 days of weighted average to cash an invoice.

How can I do this with Analisys Services ? Is it too complicated ? Here, in the southern Italy, the problem of customer's debit is heavily felt, and total like this are really important!
Any help or suggestion will be really appreciated.

Marco

View 13 Replies View Related

Lock Granularity And Performance Issues

Jun 9, 2008

Hi I have a few things to clear up and I hope i can find some answers in here.
I have an application written in C# using COM+ components
This application is intended to support a few hundred users at the same time and each action user leads to a few updates on several tables.
The problem is that 2 or more users might do this thing the same time meaning that each users should update rows that "belong" the other users .
I rely on the appearance of deadlocks in order to keep the data consistent, so only one of the users should be able to have this action completed, the transactions for the other concurrent users should abort.
Basically the results would be the same no matter which user will complete the transaction so the only issue is to have only one action completed. So far so good, it seems that I have no problems and that the data is consistent.

Now the reason why I'm here would be that lately i see that the number of deadlocks has increased considerably and there should be no reason for this to happen; the situations when the users would modify each others data are somehow rare and I should see a few hundred deadlocks daily
So what i think is that SQL might increases the lock granularity to table or page instead of using row locks(I am not sure it's just a wild guess)
From what I've read, sql starts with default row lock and it might increase it when necessary.

And now finally the question: can I force sql to use only row lock? and if yes are there any risks involved? Is sql capable to maintain only this kind of lock and still be able to manage the transactions correctly?
And another question, how do deadlock decrease overall performance?

View 1 Replies View Related

Budget On Different Granularity In Organization Hierarchy (which Is SCD)

May 27, 2008

Hi everyone

I am struggling with adding budget numbers to a cube. The main reason being that the budget is *not* on the finest granularity (employee) with regard to the organization hierarchy but on a coarser one (team).


The organization hierarchy is a "flat" (not parent-child) hierarchy that looks about like that:

employee -> team -> teamgroup -> region -> country


As mentioned I now have budget numbers that are defined on the team-level (not on the employee level as "regular" measures). I would know assume that I could put the budget data into its own table and "link" it with the organization through the "team" attribute. I would do that on the "dimesion usage"-tab.

The problem with this approach is that the organization is changing (SCD type 2). This essentially means that by linking to the "team" attribute the aggregation of the budget data on higher levels of the organization hierarchy can be ambiguous (at least that is what I understand).

Example organization table:



Code Snippet
surrKey busKey empName teamId teamGroupId regionId countryId ... scdStuff
1 1 Raphael 1 1 1 1 ...
2 2 Jeanne 2 2 1 1 ...
3 3 George 3 3 1 1 ...
4 2 Jeanne 2 3 1 1 ...



That would mean that on some point in time team 2 (consisting of one employee, Jeanne) moved from teamgroup 2 to teamgroup 3. Just for the sake of a simple example.

Now, what am I to do with my budget data in this situation? I cannot link it to the teamId, because teamId = 2 for example cannot specify if the value should be aggregated into teamgroup 2 or teamgroup3...


I have a feeling that this got something to do with the design of the organization-table but I am unsure about what the actual problem is. Any hint, pointer or solution would be appreciated. If the question is unclear, please let me know and I will try to clarify.


Kind regards
scherand

View 3 Replies View Related

Analysis :: What Is The Meaning Of Granularity In SSAS

May 6, 2015

I wanted to know the meaning of Granlatiy of Fact  with some example.

View 3 Replies View Related

What Are Your Thoughts?

Aug 20, 2007

 For intranet development, our DBAs are asking web developers to use fixed domain NT ID accounts
instead of SQL accounts to connect to backend databases in all web applications. We are: Windows XP workstations in a 2003 Active Directory Topology.

I don’t think that this is a
good idea (I could say more:) but I have found very little to no information on this subject. So I ask you guys... What are your thoughts? Why or why not?  

 

 

View 7 Replies View Related

DB Design Thoughts??

Jul 23, 2005

Hi,I'm in the process of designing a DB (typical management system DB; 2transaction tables and about 5 look-up ones )for one of the departmentsin our company. The user wants this DB and thusly the client (forms,reports..etc.) solely for his department. However, I do expect soonafter deployment that other users want similar DBs and clients,therefore, facing problem of integrating such DBs, if companymanagement wants to implement it as enterprise DB. My question (may beyou could also tell me about other groups specialized in these kind ofissues), how should I create such DB? Should I create extra look-uptable for departments and have each one with its own ID and link it tothe main transaction oneMTIA,Grawsha

View 3 Replies View Related

GROUP BY Speed Up Query On Data That Is Already At Lowest Granularity?

Jul 9, 2015

I have just been running a query which I was planning on improving by removing a redundant GROUP BY (there are about 20 columns, and one of the columns returned is atomic, so will mean that the "group by" will never manage to group any of the data) but when I modified the query to remove the grouping, this actually seems to slow the query, and I can't see why this would be the case.

Both queries return the same number of rows (69000), as I expected, and looking at the query plan, then they look nearly identical, other than at the start, there is a "stream aggregate" and "sort" being performed. The estimated data size is 64MB for the non-grouped query (runs in 6 min 41 secs), vs 53MB for the aggregated query (runs in 5 min 31 secs), and the estimated row size is smaller when aggregated.

Can rationalise this? In my mind, the data that is being pulled is identical, plus there is extra computation for doing an unnecessary aggregation, so the aggregated query should be unquestionably slower, but the database engine has other ideas; it seems to be able to work more quickly when it needs to do unnecessary work :) Perhaps something to do with an inefficient query plan for the non-aggregated query? I would have thought looking at the actual execution plan might have made this apparent, but both plans look very similar.

Edit: More information, the "group by" query had two aggregations on it, a count of one of the columns, and an average of another one. I changed this so that it was just "1" instead of the count, and for the average, I changed it to be the expression within the average aggregate, since the aggregation effectively does not do anything.

View 2 Replies View Related

Thoughts About The Smart Way To A Task

Jul 20, 2005

I'm still a database newbie so I would like to solicit thoughts aboutthe smartest way to do something in sqlserver.My company has a web application that we customize for each client.We can do this because everything is database driven. We havedatabase tables that contain our HTML and database tables as well assome standard tables for each database. We have an in house app thatlets us tweak both of these things and creates a new web site anddatabase tailored to each project.Each of these sites has a table that stores a schedule are clientsuse.The records in this schedule table change when information in othercustom generated tables change.My company currently uses a legacy foxpro app to update the scheduletable.The foxpro app contacts sqlserver, reads a table with a list of tablesand scheduling information to check, checks each of those items andupdates the schedule table.I would like to lose the foxpro app.At first thought.........as a database newbie.......putting triggersin each of the tables to update the schedule when something changesseems the way to go.However, since we change a part of the schema ( we have an app thatgenerates the database tables unique to each client ) for each clientI would like a scheme that would not involve having to create adifferent trigger for each new table.I would also like something that updates in real time. Right now thefoxpro app is executed once a day.I was thinking of making a large stored procedure and putting anidentical call to that procedure in each table.Each table would have the same trigger in it that would get fired whenthe record was altered. It would call the stored procedure withrelevent arguments to update the schedule.Does this sound like a smart way to solve this problem or am I notthinking "database enough"?Any thoughts are welcome.I would like to build a better solutionSteve

View 1 Replies View Related

Thoughts On Asynchronous Operations With SLQ Ce

Jan 3, 2007

I noticed that the current SLQCe driver does not offer support for the APM(Asynchronous Programming Model). Are there any plans to do this in the future? In light of the lack of APM functionality doe anyone have any ideas or thoughts on how async operations could be done, or if they are even needed in the context of applications that use SQL Ce

View 4 Replies View Related

Red Gate - Thoughts, Experiences...

May 2, 2008



Currently evaluating Red Gate SQL tools targetting SQL Server 2005 Express.

Specifically
- SQL Compare
- SQL Packager
- Dependency Tracker

This is the first tool of this kind that I've evaluated and must say I'm impressed. It looks like it will save me hours of writing scripts.

Any of you guys have any thoughts, recommendations, etc to share? Alternate tools?

Most appreciated in advance, thanks.

View 1 Replies View Related

SQL Security :: Domain Migration Altered SA Or Domain Admin Access To DBs

Jun 19, 2015

we recently migrated from our in-house domain to the Enterprise domain. Everything went smooth except for the fact that I can no longer accept my dBs using my SA or my domain admin account. There is only 1 account I can get into the management studio with but it has no admin privileges, so I can't make any  password changes or add accounts. I don't have a test environment so kind of hesitant to experiment with our production system.

View 6 Replies View Related

Analysis :: Linking Multiple Fact Table At Different Granularity To Same Dimensions

Jul 15, 2015

I am modelling two fact tables of Actuals and Budget which are at different granularity, Actuals are at day, customer and product sub category level. Budgets are at month, Region and Product category level.

Month, Region and Product Category is present in Date, Region and Product Category dimension respectively. I have only three dimensions as Customer, Product and Date. Linking those dimensions to Actual Fact table is not an issue, what is the best way and options are there to link budget fact table to those three dimensions.

View 2 Replies View Related

Need Some Thoughts On An Emerging Trend With SharePoint

Dec 17, 2007

I was hoping to elicit some feedback on a trend I am seeing in the Portal market, and specifically with SharePoint development.

If you are not familiar with SharePoint, there is a data table abstraction within SharePoint called a "List". Lists are used for storing data (duh!). However, they are built using the SharePoint front end, and the data entered into all lists is stored in a few tables in the SharePoint content database.

What I am seeing happening is SharePoint gurus reccomending AGAINST storing your relational data within database tables, and within SharePoint lists instead. I am not sold on this approach, and it actually makes me think we are taking a step backwards with regards to persistent data storage and best practices.

- Lists cannot be natively related to one another, however they support "lookups"
- Anyone can create a list...and repeat the same data all over the enterprise.
- Lists are maintained in two tables within the SharePoint content database using meta-data patterns.
- Portals contain a multitude of sites. Users and portal admins can create lists all over the place, thus spreading related data over a wide swath of the enterprise.

Is it just me, or are SharePoint pundits absolutely CRAZY to be recommending persistent data storage using lists? I see nothing but problems arising from this approach.

I apologize beforehand if you have not worked with SharePoint and Lists, as this post may not make much sense to you. ;)

View 2 Replies View Related

Thoughts On ALTER Vs. DROP & CREATE.

Nov 8, 2006

Thought I should post in the newbie forum for a while, instead. :-)

I have a couple of scripts that I've generated that drop a couple of system stored procedures and recreate them. I'm not sure why I did it in the first place, but I think it was that it wouldn't let me run an ALTER statement on them. Specifically, I'm now looking at sp_add_operator. I changed it to a 500 character email field instead of whatever it was (100, I think.)

/* Explanation: Why did I do that? SQL Mail is prohibited here, so I'm using CDO_Sysmail to email myself and the developers if a job fails. The list of people to email is determined by the owner of the database, who is also an operator in SQL. I get the list of emails from the email field of the operator properties. Hence, I need a bigger email field. Yes, I now know it would most likely be better to create an ADMIN database on each server for this kind of stuff. (Thanks to Tara for that blogged suggestion.) */

While I will probably go back to the default stored procedure, this got me to thinking: when would it be better to use an ALTER statement on a SProc rather than to do a DROP and CREATE?

Your thoughts, oh SQL gurus?

View 12 Replies View Related

HELP - Selection Of Development Software? Thoughts??

Jul 20, 2005

Folks, I have a quick question that I would very much appreciate somefeedback on. We are a not for profit charity organization that has decidedto develop a software in-house to manage our volunteers. We have SQL andthat makes the most sense from a database solution but we have some issuessurrounding the choice of the development language. Some have suggested100% java while others say Visual Basic. The head of our team has suggestedwe do it in Cold Fusion since this will be an internet based application andI guess I would very much like some feedback on that choice. We have about 5organizations that we will tie into this system with about 5000 userslogging in once per month.Any suggestions or comments would be greatly appreciated.CheersWade

View 4 Replies View Related

Data Import - Your Thoughts Appreciated

May 10, 2007

I have a database with a dozen or so tables. No table constraints. Logic is all in stored procedures.



I have several Excel spreadsheets of data to import into the database, one speadsheet to a table. Each spreadsheet has additional data(columns) that each table has no interest in and should be ignored.



I would appreciate your thoughts on methods and best practices for loading this data to the database.



I am about to investigate SQL Server 2005 Express handling of XML. I am familiar with XML and XSL conversions and it seems to me that XSL conversion of Excel data to XML gives me a lot of flexibility prior to database import for shaping the data.



In short, importing data to the database from an XML source.



I am not famliar with SQL Server's XML capability and would appreciate thoughts on this while I look into it.



And of course alternate ways that I am overlooking.



Thanks

View 4 Replies View Related

Thoughts On Whether The SSIS (service/agent) Is Really Necessary?

Jul 12, 2007

I just learned I can deploy and schedule jobs to run SSIS packages (via job/sqlagent) without the Integration Service (agent) itself actually running alongside (or on) the server. (Double-click on manifest, deploy IS package to server, create job/job step to run IS package, watch it run even when integration service is completely disabled)



Other than convenient viewing, configuring, and RMC running w/in SQL Server Mgmt Studio 2005, why then do I need the integration service running on a production box at all? When do I really need the IS service itself?



In our (finance) world only (a) an act of God or (b) a DBA can touch production databases/servers. Allowing anyone to connect to yet another service - in this case, an integration service - to meddle w/ a package would be a no no, so...



1) Could I trouble someone for a concrete, critical reason why the DBA should enable it on a production server. Speed? Caching? Peace of mind knowing everything is piled onto and neatly running on the server?



2) On a more minor note, if I'm deploying a package to be housed solely w/in MSDB, is there anyway to prevent the prompt of a file location during deployment, i.e. the creation of an empty directory that would otherwise hold package dependencies if I were running it as a file?



We'd like to deploy only to MSDB (I know all the pros/cons w/r/t saving dtsxs to files v. msdb) and keep deployments clean (read: all in one place). DR is via SAN-to-SAN replication with, among other things, msdb cleanly getting replicated. We would very much like to avoid having to worry about (more) file/directories sitting out on a server share to be replicated to DR (it seems the default is to allow deployments to directories on the SQL server instance itself..ugh) Any architectural insights on this would be appreciated.



Kind Regards,

Jim





View 3 Replies View Related

Thoughts/patterns For The Following Use Case Related To Service Broker Dialog Network Connection

Dec 29, 2006

Hi,

I would appreciate any thoughts/ideas on the following use case for the distributed service broker application we plan to migrate from our existing proprietary tcp based message protocol using database tables for reliability.

There are two ssb services running in separate sql server instances, each on a different server machine. For simplicity, let us assume the ssb endpoint names are SSBA, SSBB. SSBB is the Initiator of the Dialog while SSBA is the Target. Now the requirement is that if the underlying network communication between the two ssb endpoints(SSBA and SSBB) is broken or if the critical service SSBB is down, then processing of any incoming message into SSBA's queue from a third service broker service (say SSBEXPR) running within a SqlExpress instance should be delayed until SSBB is alive and network communication between SSBA and SSBB is established. In our existing implementation (wherein SSBA, SSBB and SSBEXPR are windows services) we use a combination of TCP socket disconnects and Heartbeat messages between SSBA and SSBB to determine the health of network connection and that of the SSBB service.

Now my understanding of how the underlying network connection for a ssb dialog works is that if there is no activity on a dialog for a certain amount of time then the underlying network connection is closed. Is there a way to specify the amount of time to say infinite value or something and thus change this behavior? My other question is how can one query the underlying network connection (i.e. a row from sys.dm_broker_connections) associated with a particular conversation? If none of this is possible, then any other patterns/ideas/approach is welcome.

Thanks,









View 8 Replies View Related

SQL 2012 :: Persist Security Info And Integrated Security In Connection String

Dec 4, 2014

I use from sql server 2008. and c#

what is the best connectionstring?

I don't know if i use Persist Security Info and Integrated Security or not?

And if yes then their value must be true or false?

View 1 Replies View Related

Code Access Security Across Multiple Assembly Security Extension

Oct 14, 2005

Hello there I have trying to figure out for days how to enable FullTrust for my Reporting Services security extension.

View 9 Replies View Related

SSRS -- Security Filter And Model Item Security Setting

Jul 31, 2007



Hi,


I have posted this issue for a week, haven't got any reply yet, I posted it again and desperately need your help.


The article http://msdn2.microsoft.com/en-us/library/ms365343.aspx says:
Model Item Security can be set for differnt security filters, but when I use SQL Server Management Studio to set Model Item Security, it seems "Permissions" property surpass "Model Item Security" property. -- My report server is using Custom Authentication.



For example, in "Permissions" property of the model, if I checked "Use these roles for each group or user account" without setting any user or group, no matter what users I added to "Model Item Security" with "Secure individual model items independently for this model" checked, NO one user can see the model on report manager and report builder;

in above situation, if I added "user1" and gave role such as "Browser" role to "user1" in "Permissions" property, if I checked "Secure individual model items independently for this model" in "Model Item Security" property, even I did NOT grant "user1" to root model and any entities under the model, the "user1" is able to access the model and all entities in report builder.



My question is on the same report model, how to set "AdminFilter" (empty security filter) for administrator permissions and set "GeneralFilter" (filtered on UserID) for general user based on their UserID?


The article also says:

"Security filters are always applied, even for users who have Content Manager or Administrator permissions to the model. To allow administrators or other users to see all rows of an entity on which row-level security is defined, you can create an empty security filter (which always returns True) and then use the filter to grant those users access to all the rows."



So I defined 2 filters "GeneralFilter" and "AdminFilter" for "Staff" entity for my report model "SSRSModel", I expect after I deployed the report model, the administrator users use report builder to build reports with all rows available, and the non-admin users can only see rows based on their UserID.



I can only get one result at a time but not both:

either the rows are filtered or not filtered at all, no matter how I set the "SecurityFilter" for the entity: I tried setting both "AdminFilter" and "GeneralFilter" for SecurityFilter at the same time, combination of "DefaultSecurityFilter" and "SecurityFilter", or one at a time.



Your help is highly appreciated!

Desperate developer

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved