Welcome to dbForumz.com!
FAQFAQ    SearchSearch      ProfileProfile    Private MessagesPrivate Messages   Log inLog in

Secure schema or view?

  
   Database Forums (Home) -> Security RSS
Next:  SSIS validation errors during database copy  
Author Message
zeon

External


Since: Feb 15, 2008
Posts: 1



(Msg. 1) Posted: Fri Feb 15, 2008 6:05 am
Post subject: Secure schema or view?
Archived from groups: microsoft>public>sqlserver>security (more info?)
We have one database with multiple schemas.
Different departments have their own schema, which only they should be able
to read/write.
We also have 1 reference data schema that all users of the database should
have read access
What is the best way to secure the data?
Proposed Method 1 (which I've been trying to do):
1. Define groups to the database with datareader and datawriter permissions
to the database
2. Create views on the tables.
3. Grant the appropriate AD groups read/write to the views
4. Deny public access to the underlying tables
Issue with this method is what is the best way to keep departments from
reading another department's schema without having
to specify them by name in a DENY SELECT statement - this would have to be
done every time we add a new group to the database.

Proposed Method 2: (based on postings in this forum)
1. Define groups to the database with datareader and datawriter
2. Change the owner of the departmental schemas to an AD group that contains
only the users that should have access to the data in that schema
For the reference schema, grant select to public
Remove all grants and deny's that were previously done on the views and tables
Will this method provide adequate protection?

 >> Stay informed about: Secure schema or view? 
Back to top
Login to vote
Erland Sommarskog2

External


Since: May 30, 2004
Posts: 1649



(Msg. 2) Posted: Fri Feb 15, 2008 3:29 pm
Post subject: Re: Secure schema or view? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
zeon (zeon@discussions.microsoft.com) writes:
> We have one database with multiple schemas.
> Different departments have their own schema, which only they should be
> able to read/write.
> We also have 1 reference data schema that all users of the database should
> have read access
> What is the best way to secure the data?

I would create one role per deparment schema, and then grant
INSERT, DELETE, UPDATE and SELECT one that schema to the respective role.
I would also make sure that no one is a member of db_datareader/writer.

If the departments are permitted to create objects in their respective
schema, the roles needs permission for that too. It would also be a good
idea to make the role the owner of the schema, as by default the schema
owner, owns the obejcts created in the schema.

Grant access to all roles (or public) on the reference schema.


--
Erland Sommarskog, SQL Server MVP, esquel RemoveThis @sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

 >> Stay informed about: Secure schema or view? 
Back to top
Login to vote
Display posts from previous:   
Related Topics:
Establishing secure encrypted link between linked servers - Hi everyone - hoping someone can help me. I am wanting to send data from our local sql server residing within the corporate intranet, across to a remote sql server. I have set them up as linked servers using both the sp_addlinkedserver and..

Schema Sharing - Hello all, I have an database in SQL Server 2005 and this database is maintained (table changes & procedures) by 2 groups of people. So, what I did is, created an new schema and also created an generic sql server account and assigned the schema I....

"dbo" schema permissions question. - I have some ASP.NET 2.0 code executing SqlDependency.Start(connectionstring) to a SQL 2005 database and I am getting the following error: System.Data.SqlClient.SqlException: The specified schema name "dbo" either does not exist or you do not h...

Security Schema Questions - I have a sql05 instance and a Windows Group called developers I want the developers to be able to alter databases. So I Created a server login for the windows Developer Group Created a User Mapping for the model Database Added Database role membershi...

Schema Users and permissions - I'm fairly new to MS-SQL administration but have been a DBA for Mainframe DB's and for Oracle over many years. My problem is in trying to establish a secure development environment whereby each user has their own schema which they have full control an...
   Database Forums (Home) -> Security All times are: Pacific Time (US & Canada)
Page 1 of 1

 
 You can post new topics in this forum
You can reply to topics in this forum
You can edit your posts in this forum
You can delete your posts in this forum
You can vote in polls in this forum



[ Contact us | Terms of Service/Privacy Policy ]