July 31, 2002 at 3:39 pm
Recently I setup a bunch of user accounts which use NT groups and assigned appropriate datareader / datawriter rights to the suitable groups.
My problem is that we have a bunch of SPs that users may need to invoke, via legacy VB apps and some passthrough queries.
Am I right in thinking that I must assign execute right to the users that need to run the sps? Or is there another way (appart from using application roles).
Thanks in advance! Thomas.
July 31, 2002 at 5:44 pm
You will need to assign the execute right, but you can create your own role to do this and assign the users to the role. It can be a user role, not an application role.
Steve Jones
August 1, 2002 at 12:53 pm
Is there any advantages to assigning the execute right to a user role versus assigning the execute right to the NT group that I have setup as a login/user?
August 1, 2002 at 1:30 pm
It might. Where the role can save you time and headaches is if another NT group or even an individual user needed rights, and that user, for whatever reason, can't be placed in the NT group in question. With a role, you don't have to reassign permissions all over again. Simply put the new group/user into the role and you are done.
We tend to do that where I work. Even if we suspect a given NT group will be the only group ever to need permissions, we'll still create a group. We'll assign permissions to the group and then make the NT group a role member. It has saved us on a couple of occasions. Your mileage may vary.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
K. Brian Kelley
@kbriankelley
August 1, 2002 at 1:52 pm
You will save headaches as Brian mentioned. ALWAYS use roles and groups. NEVER assign individual users.
Steve Jones
August 1, 2002 at 4:25 pm
Thanks everyone.
Currently we are using NT groups, and creating SQL logins for those groups, but I certainly see the advantage of using SQL roles when you need to add that odd account that requires different rights etc.
Thanks again.
August 1, 2002 at 8:24 pm
Steve is right in that the user of individual user accounts should be avoided. I listed it because though I know it's definitely not a best practice, I've seen it as a fairly common practice.
On the road to the MCSE, I was taught by a senior system administrator that if you need to assign a specific user permissions, at some point later on you may have to specify another user with identical permissions. As a result, save the headache and create the group to start with and give it the permissions. The guy is an MCT now and still teaches his students the same philosophy.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
K. Brian Kelley
@kbriankelley
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply