March 19, 2012 at 4:08 pm
Hi everyone,
I’ve a list of tables where I’ll have to apply the column level permissions. As of now, all the users have permissions to select the Creditcard column. There are only few service accounts that need to have read access to this column and denied for rest of the users.
Could someone tell me how could I accomplish this? Reports need to run everyday, so I’m little nervous if this breaks something else.
Thank you.
March 19, 2012 at 4:30 pm
Hi,
Is it service accounts or few users?
If its service accounts, y would u provide passwords of the service account to the users (Security risk).
If it's users (in multiple numbers) u can create a group and assign the group with the read access on the columns needed.
Thanks
March 19, 2012 at 4:32 pm
Not fully aware of your situation, but have you considered creating a view(s) on those table(s), a view that does NOT contain the credit card column. That way you can allow everyone to use the view, but NOT access the table itself. Those that can see the credit card column grant them privileges on the table, for all others deny them access to the table, but allow them access the view.
March 20, 2012 at 8:01 am
Please tell me you are not storing credit card numbers. From your description it sounds like you are, and even more scary they may not be encrypted. :w00t:
_______________________________________________________________
Need help? Help us help you.
Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.
Need to split a string? Try Jeff Modens splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.
Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/
March 20, 2012 at 8:53 am
Please correct me if I'm wrong--
I'll get an AD group created then I'll get the 3 service accounts added to the AD group. I'll give read permissions to this group to view the credit card column and deny rest of the groups from viewing this column.
My question is-- these 3 service accounts belong to other groups as well. If I deny rest of the groups from viewing this column but allowing only 1 group to view this column. Doesn't sound logical to me but will this really work?
March 20, 2012 at 8:59 am
that wont work either as if they are part of group1 which has been granted, then also part of group2 which has been denied, then the DENY will take preference so they wont be able to select.
are the card details stored in plain text in the db?
March 20, 2012 at 9:55 am
Hi,
http://sqldbatask.blogspot.com/2011/12/how-to-grant-update-permission-to.html
Hope,You will get some idea to proceed
Thanks
Kumar
Regards,
Kumar
March 22, 2012 at 2:38 am
i'm still interested to know if the card details are stored in the DB in clear text on this one
Viewing 8 posts - 1 through 7 (of 7 total)
You must be logged in to reply to this topic. Login to reply