Managing NT groups

  • Hey all,

At my former company we had a custom home-brewed application that would allow our operations team to grant access to servers via groups. The great thing about this application was that it allowed for timed or permanent access, audit trail and approval methods.

    I'm trying to implement something similar at my new job and coming up short trying to find a solid 3rd party vendor application. More or less what I do is create 6 NT groups per server. 2 for server (admin, power user) and 4 for SQL (admin, captain, power user, reader). Once the groups are created I have a custom procedure running off a central management SQL server to push out all the logins, users and roles. From the group perspective, the process is solid.

    I am just trying to find a replacement front end app to be able to easily grant/revoke access to these groups per server on a timed/permanent basis with an audit trail (simply logging to a table is fine).

    If this made sense, anyone know of a decent product out there to demo?

    Thanks

  • Hey Adam,

Familiar with the structure that you have laid out but have never seen a tool like that. Maybe you should consider writing something? 😉 Might sell...

Alternatively, if you have the global groups named accordingly you should be able to use VBScript to do this directly and to log that into a table for audit purposes. I have seen some solutions that allow for the ops teams to put new users in an Excel file and it processes from there and others that put neat front-ends on them, but ultimately it was always done through some VBScript method. I know that the MS Scripting guys have some examples out there.

    David

    @SQLTentmaker

“He is no fool who gives what he cannot keep to gain that which he cannot lose” - Jim Elliot

Yeah, I could most definitely do something like that in VBScript, but the purpose behind this is to have a quick and easy way (GUI) for non-technical people to use. While yeah, the Excel concept would work and not be difficult, I'd prefer something with a bit more functionality. I am a SQL/VBScript guy, slowly learning PowerShell ... I've written one C# application (database maintenance) and it's just not for me. I wouldn't even know where to begin with making a GUI.

I've been trying to get my buddy to publish and sell this application as I've never seen anything quite like it. It is a truly awesome application and I don't know if I'll ever find a replacement for it.

  • Yeah, sorry that I don't have any other suggestions. Hopefully someone else will.

    Totally understand the whole SQL / VBScript aspect as well. I don't know if I could code outside of that. I too have an app that I have been hoping to get written for a while but can't seem to find someone to write the major part of it and I don't have time to learn C## or something of a similar nature. :hehe:

    David

    @SQLTentmaker

“He is no fool who gives what he cannot keep to gain that which he cannot lose” - Jim Elliot

  • Well, I've been talking with ScriptLogic for the past couple weeks and while they have a great tool for this type of thing, they don't have the logic to remove users from a group after a certain amount of time.

    Bringing this back in hopes of catching someone's attention that has done something similar to this.

    Thanks

  • I don't know of any tools that allow you to set an expiration date on MSSQL role membership, but it would seem more logical to do all of this at the Active Directory level.

    AD role memberships do not have expiration dates, but they could be expanded with a custom field to do so. It's an interesting idea.

  • Michael Earl (9/16/2008)


    I don't know of any tools that allow you to set an expiration date on MSSQL role membership, but it would seem more logical to do all of this at the Active Directory level.

    AD role memberships do not have expiration dates, but they could be expanded with a custom field to do so. It's an interesting idea.

I am talking about AD groups ... yeah, unfortunately there is no expiration property in AD. We accomplished this simply by writing the AD command into a table and checking it periodically. We simply had an additional field if the member was to be removed from a group after a certain threshold. Worked like a champ.

    I'm talking to Quest now to see what they can offer.
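The table-plus-periodic-check approach Adam describes above (a grant record with an optional expiry, an audit trail, and a scheduled job that finds memberships due for removal), written out as an added T-SQL example that is not from the thread or any product mentioned in it. Table, column and group names are assumptions; the procedure only returns the pairs to remove, and the VBScript/PowerShell that actually edits the AD group would consume that result set.

```sql
-- Constructed example: central management tables for time-boxed AD group
-- membership. Names are assumptions, not from the thread.
CREATE TABLE dbo.GroupAccessGrant (
    GrantId        INT IDENTITY(1,1) PRIMARY KEY,
    ServerName     SYSNAME      NOT NULL,
    GroupName      SYSNAME      NOT NULL,   -- e.g. 'DOMAIN\SRV01_SQL_Reader'
    MemberAccount  SYSNAME      NOT NULL,   -- e.g. 'DOMAIN\jdoe'
    RequestedBy    SYSNAME      NOT NULL,
    ApprovedBy     SYSNAME      NULL,       -- approval step from the original tool
    GrantedAt      DATETIME2(0) NOT NULL DEFAULT SYSUTCDATETIME(),
    ExpiresAt      DATETIME2(0) NULL,       -- NULL = permanent access
    RevokedAt      DATETIME2(0) NULL,
    RevokeReason   VARCHAR(50)  NULL        -- 'expired' or 'manual'
);

-- Append-only audit trail: every add/remove action lands here.
CREATE TABLE dbo.GroupAccessAudit (
    AuditId   INT IDENTITY(1,1) PRIMARY KEY,
    GrantId   INT          NOT NULL REFERENCES dbo.GroupAccessGrant(GrantId),
    Action    VARCHAR(10)  NOT NULL,        -- 'ADD' or 'REMOVE'
    ActedBy   SYSNAME      NOT NULL DEFAULT ORIGINAL_LOGIN(),
    ActedAt   DATETIME2(0) NOT NULL DEFAULT SYSUTCDATETIME()
);
GO

-- Run by a scheduled job: marks expired grants as revoked, writes the audit
-- row, and returns the (group, member) pairs the script must remove from AD.
CREATE PROCEDURE dbo.ExpireGroupAccess
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Expired TABLE (GrantId INT, GroupName SYSNAME, MemberAccount SYSNAME);

    UPDATE g
       SET RevokedAt = SYSUTCDATETIME(), RevokeReason = 'expired'
    OUTPUT inserted.GrantId, inserted.GroupName, inserted.MemberAccount INTO @Expired
      FROM dbo.GroupAccessGrant AS g
     WHERE g.RevokedAt IS NULL
       AND g.ExpiresAt IS NOT NULL
       AND g.ExpiresAt <= SYSUTCDATETIME();

    INSERT INTO dbo.GroupAccessAudit (GrantId, Action)
    SELECT GrantId, 'REMOVE' FROM @Expired;

    SELECT GrantId, GroupName, MemberAccount FROM @Expired;
END
GO
```

Because the audit table is append-only and defaults to the calling login and UTC time, it doubles as the evidence of who held which group, when, and why it was removed.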

Well, as to creating a simple GUI, Access has the ease of development, AND, it has the means to use the same code as VBScript in terms of accessing the AD objects necessary. It would still have to rely on manual checking of expiration dates, but that doesn't have to be much more than clicking on a command button. I would think that's the easiest way to get back to where you used to be, without expending on any 3rd party products OR having to spend an enormous effort on development.

    Steve

    (aka smunson)

    :):):)

Steve (aka sgmunson) 🙂 🙂 🙂
    Rent Servers for Income (picks and shovels strategy)
