public role for a whole DB

  • Is it possible to assign a "public" status for a database, so that there is no restrictions for any users? how can we check such a status exists for a database?

    Dan

  • Why would you want to do this?

    There is a public role available - it does not have any permissions by default. You could add permissions to this role, but I would not recommend this.

    Giving anyone access to your data is just asking for trouble. Before you know it, someone will be storing proprietary information for the company and everyone will have access. What about credit card numbers and the like?

    In Healthcare - you have to worry about PHI (protected health information). As soon as someone stores any type of information that can identify a patient, you have to put security protocols in place to prevent access. If the public role has full rights - that would not be good.

    Jeffrey Williams
    “We are all faced with a series of great opportunities brilliantly disguised as impossible situations.”

    ― Charles R. Swindoll

    How to post questions to get better answers faster
    Managing Transaction Logs

  • I agree.

    one of the DB is just non-confidential info that the company wants to be in public mode so anyone can have access for PR.

    I believe that status should be that way already, but I just need verify that it is. If not, I need to make sure it has it. How could I do that by code?

  • repent_kog_is_near (3/24/2010)


    I agree.

    one of the DB is just non-confidential info that the company wants to be in public mode so anyone can have access for PR.

    I believe that status should be that way already, but I just need verify that it is. If not, I need to make sure it has it. How could I do that by code?

    Whether it is for PR or not, I would not grant everybody access to the database to do whatever they want. There are reciprocal effects to doing that. The biggest is that you have just exposed your database environment and would make it easier for hackers.

    If it is just for PR, then have static webpages that display the info from the database. The webpages would pull the info via stored proc that simply performs a select against the necessary tables.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw[/url]
    Learn Extended Events

  • OK. I will make a case for that. Is there a link on standards that you can think that is related to this?

    How can I check if this or any other DBs are kept in a totally public role?

  • I don't know if there are any documents available for that - but I can tell you that best practices are to never open up databases to public roles.

    The application can be public facing and open to the public, but access to the database is always controlled and managed. Whether that application is web based or not - you should always control how the database is accessed.

    If you setup a database this way, be prepared for the system to hang often - run out of space, eat up all of your temp space, etc...

    Sorry, but that is just too risky a situation for me...

    Jeffrey Williams
    “We are all faced with a series of great opportunities brilliantly disguised as impossible situations.”

    ― Charles R. Swindoll

    How to post questions to get better answers faster
    Managing Transaction Logs

  • Jeffrey Williams-493691 (3/24/2010)


    Sorry, but that is just too risky a situation for me...

    Leaving the database wide open is too risky for me as well. I think you will find that most here would advise against the practice of leaving a database wide open like that.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw[/url]
    Learn Extended Events

  • There is one simple option as well, If you want to distribute all your information publically, do one thing assign the read permission to public role for your database.

    In such case they can access the databases for read only mode and they didn't have permission to update or delete of move something.

    What you say ? .. other expert's Please advice if it's not the correct way.

    Thanks & Regards,

    Nitin Gupta
    SQl Server (7.0,2000,2005) - Sr. DBA
    HCL Technologies, India

  • Jeff & Jason

    You've convinced me; how do you check what is the status in this regard for all the databases, so I Can make sure none are vulnerable by prior setting overlooked?

    Dan

  • There is not a single status to check. You need to perform a security audit of your system and determine what roles and users have what access.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw[/url]
    Learn Extended Events

Viewing 10 posts - 1 through 9 (of 9 total)

You must be logged in to reply to this topic. Login to reply