June 30, 2014 at 10:02 am
Hello, as I have said before, I am not good at security setting.
I created a new database "Finance"
Currently the security for the database has:
dbo
guest
INFORMATION_SCHEMA
sys
the finance windows group (db_datareader and db_datawriter)
the executive windows group (db_datareader and db_datawriter)
I believe they will be accessing this via Excel.
My questions:
- What do I need to do with the Microsoft logins?
- Do I need to give the DBA (me) any permissions to mange the database? (I do not need to see the data but may need to create/modify tables)
Am I going down the correct path?
Thank you,
djj
June 30, 2014 at 10:58 am
As long as you have db_owner permission in the database, you can do whatever you like. And if you are sysadmin on server level, you are db_owner on database level.
Exactly what you should do with the plain logins is difficult to tell with knowledge of the requirements. db_datareader/writer means that they can read and write to any table, but not change the schema. It is not unreasonable, but there may be business rules that says that not all users should see all data. Or be able to update all data.
[font="Times New Roman"]Erland Sommarskog, SQL Server MVP, www.sommarskog.se[/font]
June 30, 2014 at 11:06 am
Thank you for the reply.
Sorry I was not clear, what I meant by Microsoft logins is the dbo, quest, INFORMATION_SCHEMA, and sys. Do I need to deny permissions on any of these?
For the group permissions, I think the read / write should do it. I may need execute in the future but I know how to handle that.
June 30, 2014 at 1:00 pm
They are not logins. They are schemas, and for legacy reasons they are also database users. dbo is dbo, the overall almighty in the database and you can't do anything about that. guest is by default disabled, and you should let it remain so. You can forget about sys and INFORMATION_SCHEMA as database users.
[font="Times New Roman"]Erland Sommarskog, SQL Server MVP, www.sommarskog.se[/font]
June 30, 2014 at 1:03 pm
Erland Sommarskog (6/30/2014)
They are not logins. They are schemas, and for legacy reasons they are also database users. dbo is dbo, the overall almighty in the database and you can't do anything about that. guest is by default disabled, and you should let it remain so. You can forget about sys and INFORMATION_SCHEMA as database users.
Thank you Erland. I will ignore those then. Now I need to learn how to synchronize data between Excel and SQL, but that is another thread. 🙂
Thanks again,
djj
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply