Permission nightmare or not?

  • I work with a dev who would like the following permissions on several databases, on different servers (SQL 2000, SQL 2005, SQL 2008). Is his request a reasonable one, or would it open a security nightmare?

    >>>

    Read-only access to see data from any table

    Ability to display estimated execution plan of a query

    Ability to include actual estimated plan of a query

    Ability to create/modify and see the SQL code of a "View"

    Ability to view the SQL code of a "Stored procedure"

    >>>

    Barkingdog

  • Give user access (can be a Windows or SQL user) the public permission as public. Check in the properties, then permissions.

  • sandy_1006 (4/13/2010)


    Give user access (can be a Windows or SQL user) the public permission as public. Check in the properties, then permissions.

    Try to avoid assigning any permissions to public. That's a worst practice.

    K. Brian Kelley
    @kbriankelley

  • Barkingdog (4/12/2010)


    I work with a dev who would like the following permissions on several databases, on different servers (SQL 2000, SQL 2005, SQL 2008). Is his request a reasonable one, or would it open a security nightmare?

    >>>

    Read-only access to see data from any table

    Ability to display estimated execution plan of a query

    Ability to include actual estimated plan of a query

    Ability to create/modify and see the SQL code of a "View"

    Ability to view the SQL code of a "Stored procedure"

    >>>

    Barkingdog

    You didn't indicate whether these are development or production SQL Servers. Ultimately, it's not the call of the developer. It's the call of whoever owns the data with respect to the first request. Estimated and actual execution plan isn't as big a deal unless the queries themselves can contain sensitive data (which is always possible). Create/Modify a view... not in production. Your change control should prohibit such. See the SQL code of a stored procedure? Typically not a big deal, but not typically something you see in production, either.

    K. Brian Kelley
    @kbriankelley

  • Barkingdog (4/12/2010)


    I work with a dev who would like the following permissions on several databases, on different servers (SQL 2000, SQL 2005, SQL 2008). Is his request a reasonable one, or would it open a security nightmare?

    >>>

    Read-only access to see data from any table

    Ability to display estimated execution plan of a query

    Ability to include actual estimated plan of a query

    Ability to create/modify and see the SQL code of a "View"

    Ability to view the SQL code of a "Stored procedure"

    >>>

    Barkingdog

    I'd be okay with this on a dev server... but not a production one.

    Wayne
    Microsoft Certified Master: SQL Server 2008
    Author - SQL Server T-SQL Recipes


    If you can't explain to another person how the code that you're copying from the internet works, then DON'T USE IT on a production system! After all, you will be the one supporting it!

  • I agree with Wayne. I am fine with development being a sandbox for the developers - so long as proper checks and constraints are in place to pass code up to QA and Prod.

    Jason...AKA CirqueDeSQLeil
    I have given a name to my pain...MCM SQL Server, MVP
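One way to grant the five requested items through a dedicated database role rather than public, on SQL Server 2005 and 2008 (an added example, not code from any poster in this thread). The database `SalesDev`, the role `dev_readonly_diag` and the Windows group `CONTOSO\DevTeam` are hypothetical names; the `SHOWPLAN` and `VIEW DEFINITION` permissions do not exist on SQL Server 2000, so this script does not apply there.

```sql
-- Added example. Hypothetical names: database SalesDev, role dev_readonly_diag,
-- Windows group CONTOSO\DevTeam (assumed to exist already as a server login).
USE SalesDev;
GO

-- A dedicated role keeps the grants auditable and revocable; nothing goes to public.
CREATE ROLE dev_readonly_diag;
CREATE USER [CONTOSO\DevTeam] FOR LOGIN [CONTOSO\DevTeam];
EXEC sp_addrolemember 'dev_readonly_diag', 'CONTOSO\DevTeam';
GO

-- Read-only access to every table and view in the database.
-- The data owner decides whether this is acceptable, not the developer.
GRANT SELECT TO dev_readonly_diag;

-- Estimated and actual execution plans. The user still needs permission
-- to run the query itself, and an actual plan means the query executes.
GRANT SHOWPLAN TO dev_readonly_diag;

-- Read the source of stored procedures, views and other objects.
GRANT VIEW DEFINITION TO dev_readonly_diag;

-- Create/modify views: development databases only. ALTER on the schema also
-- lets members alter or drop any other object in that schema, so leave these
-- two grants out in production, where change control owns schema changes.
GRANT CREATE VIEW TO dev_readonly_diag;
GRANT ALTER ON SCHEMA::dbo TO dev_readonly_diag;
GO

-- Check 1: what the role actually holds.
SELECT pr.name AS grantee, pe.class_desc, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'dev_readonly_diag';

-- Check 2: anything granted to public on user objects. Expect no rows.
SELECT o.name AS object_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
JOIN sys.objects AS o
  ON o.object_id = pe.major_id AND pe.class = 1
WHERE pr.name = 'public' AND o.is_ms_shipped = 0;
```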
