August 29, 2002 at 8:28 am
HI. I wanted to get some feedback on which method is best or preferred when it comes to giving permissions. Should I give permissions directly to NT groups or should I put individual users in ROLES in sql server and then give the permissions to the roles. I've read good things about using the groups and using roles. I envision ALOT of NT groups being defined just for sql server depending on the permissions needed for the application. We are just starting to put vb applications in production going against sql server so i'm trying to set up a standard. Any suggestions or comments?
Thanks, juanita
August 29, 2002 at 8:32 am
Hey,
My personal choice would be to have both NT Groups and Roles! Basically if we have a bunch of users who do the same task, then we put them into a NT group and assign network permissions. When this group needs access to SQL Server, I create a role and add the group into the role.
The great thing about Roles is that, whether you have Groups or induviduals, all you need to do is add/remove users/NT Groups from the role and thats it...No adding/removing permissions for all users.
Clive Strong
August 29, 2002 at 8:36 am
Completely agree with Clive. If you assign against an NT group and another NT group needs the same rights, you're redoing all the work. It's the same concept behind putting users in groups and assigning rights to groups.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
K. Brian Kelley
@kbriankelley
August 29, 2002 at 9:03 am
Thank you. So for example,if we have a VB app and it has 4 roles that are needed, and assuming there is more than one person in each role, I would have 4 NT groups defined to the network so I can in turn put then in the correct roles?
I know it won't be as simple as 1 NT group being defined but I want to make sure I'm on the same wave length as yall...
Juanita
August 29, 2002 at 9:07 am
You got it.
We have lots of NT Groups around the company. We also have different roles within applications.
So you may have an Admin NT Group, a user NT Group. Add these into an Admin Role & User Role and your ready to go.
Another nice point of using Roles is that there is no user maintenence within SQL Server. Should an employee start/move position or leave, the NT Administrators update the NT Group and this is reflected in SQL Server.
Clive Strong
August 29, 2002 at 10:29 am
Okay, what if the application's security is more intricate. an example:
One application that accesses two tables, lets call them Employee_Information and Payroll_Information.
There are 4 people who use this application: Peter, Paul, John, Mary.
Peter has all permissions to both tables.
Paul may update, delete, insert and select on the Employee_Information table and he may select on the Payroll_Information table.
John may update, delete, insert and select on the Payroll_Information table and he may update and select on the Employee_Information table.
Mary can select on the Employee_Information and the Payroll_Information.
Would groups not be used here since they are all doing different functions? And would this require 4 different roles?
I'm sorry to be so basic, I just know that it can get more complicated.
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply