Windows AD Groups Question

  • We want to introduce Integrated Security and use Windows Groups to simplify some things in our SQL Server access. I believe I understand how this works, but I want to verify that the following scenario will work in the way that I understand it:

    GroupA will be assigned to the db_datareader role in a given database.

    GroupB will be assigned both db_datareader and db_datawriter role in the same database.

    A couple of users will be part of both groups because the groups are used for file access as well, which is unrelated to SQL Server. I want to verify that the users who are members of both groups will still be able to make changes to the data. As I understand it, they should, as long as no DENY command has been used on GroupA which would prevent making changes to the data.

    Thanks,

    Del Lee

  • Del Lee (3/25/2013)

    We want to introduce Integrated Security and use Windows Groups to simplify some things in our SQL Server access. I believe I understand how this works, but I want to verify that the following scenario will work in the way that I understand it:

    GroupA will be assigned to the db_datareader role in a given database.

    GroupB will be assigned both db_datareader and db_datawriter role in the same database.

    A couple of users will be part of both groups because the groups are used for file access as well, which is unrelated to SQL Server. I want to verify that the users who are members of both groups will still be able to make changes to the data. As I understand it, they should, as long as no DENY command has been used on GroupA which would prevent making changes to the data.

    Thanks,

    You are correct, the user will have the permissions granted to both Roles if they are a member of both Groups. It's a good idea not to overlap permissions like this, however, since it makes it more difficult to troubleshoot. Consider removing db_datareader permissions from GroupB and just adding all Windows Users that need reader and writer permissions to both Windows Groups as needed, or leave things as is with the Group permissions but only add each Windows User to one or the other Group, and never both.

    On a side note, the use of db_datareader and db_datawriter are red flags for me. The use of them tells me there is a strong potential for violating the idea of only granting 'least privilege.' If it is a non-production environment and this is for QA or Development personnel to have access to do some work then I am a little more lenient, but for production I avoid adding anyone to those Database Roles.

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato
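The scenario from the question and the reply's point about DENY, as an added T-SQL example (not code posted by either participant in this thread). It assumes a placeholder domain CONTOSO, a placeholder database SalesDb with a table dbo.Orders, and a placeholder Windows user CONTOSO\jdoe who is a member of both GroupA and GroupB; GroupA and GroupB are the groups named in the thread. The impersonation check needs IMPERSONATE permission on the login (or sysadmin), and the Windows principals must be resolvable by the instance.

```sql
-- Added example, not from the thread. CONTOSO, SalesDb, dbo.Orders and
-- CONTOSO\jdoe are placeholders; GroupA and GroupB come from the question.

-- 1. Map the two Windows groups to server logins and database users.
USE master;
GO
CREATE LOGIN [CONTOSO\GroupA] FROM WINDOWS;
CREATE LOGIN [CONTOSO\GroupB] FROM WINDOWS;
GO
USE SalesDb;
GO
CREATE USER [CONTOSO\GroupA] FOR LOGIN [CONTOSO\GroupA];
CREATE USER [CONTOSO\GroupB] FOR LOGIN [CONTOSO\GroupB];

-- 2. Role membership exactly as described in the question:
--    GroupA reads only; GroupB reads and writes.
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\GroupA];
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\GroupB];
ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\GroupB];
GO

-- 3. Audit view: which Windows groups sit in which fixed database roles.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members drm
JOIN sys.database_principals r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = drm.member_principal_id
WHERE r.name IN ('db_datareader', 'db_datawriter')
ORDER BY r.name, m.name;
GO

-- 4. Effective-permission check for a user who is in BOTH groups.
--    Permissions are the union of both roles, so INSERT is allowed (returns 1).
EXECUTE AS LOGIN = 'CONTOSO\jdoe';   -- placeholder member of GroupA and GroupB
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT') AS can_select,
       HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'INSERT') AS can_insert;
REVERT;
GO

-- 5. The caveat from the question: a DENY on the read-only group wins over the
--    GRANT that db_datawriter gives the other group, so the same dual-member
--    user loses write access. Re-running the check after this returns 0 for INSERT.
DENY INSERT, UPDATE, DELETE ON SCHEMA::dbo TO [CONTOSO\GroupA];
GO
EXECUTE AS LOGIN = 'CONTOSO\jdoe';
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'INSERT') AS can_insert_after_deny;
REVERT;
GO

-- Undo the DENY once the effect has been observed.
REVOKE INSERT, UPDATE, DELETE ON SCHEMA::dbo FROM [CONTOSO\GroupA];
GO
```

The query in step 3 is the troubleshooting aid the reply alludes to: when a Windows user can do more (or less) than expected, listing group-to-role membership and then impersonating the account with HAS_PERMS_BY_NAME shows the combined, effective result rather than what any single group grants.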
