Help setting appropriate permissions


we have 3 applications each on different website need interact set of 3 databases varied permission , need make sure set permissions correctly.  we’ve identified 3 levels of permission/accessibility , have separated websites 3 separate integrated app pools.  each integrated app pool has own automatically-created windows account , allows use windows authentication access sql server greater security , convenience.  windows accounts follows:

usersite – read access 2 live databases , write log.

testsite – version of live data applications, on test website staging upgrades; needs have read/write permission.

maintenancesite – used internally perform backup/restoration various test sites.  needs able backup sites , restore test sites.  we’re assuming when restore live data test system keeps permissions source , not destination permissions.  is correct?  if so, best way automate changing permissions after restore?

permissions want live databases:  (are these correct fixed database roles accomplish our goals?)

-          usersite: datareader, datawriter, db_owner

-          testsite: none

-          maintenancesite: bkupoperator, datareader

permissions want test databases:

-          usersite: none

-          testsite: datareader, datawriter, db_owner

-          maintenancesite: datareader, datawriter, db_owner

are there server roles need app pools?  i’ve given sysadmin server role maintenancesite can perform restores.  my goal assign enough permission accomplish our goals yet still protect data.  suggestions?

using sql server 2012 , iis 7.5

yes, when restore database, database permissions retained. server-level permissions of course not retained, did not seem had of them in list, save sysadmin maintenancesite.

i can't appropriate permissions you, since don't know application, business requirements etc. don't seeing db_owner on list, , think should make review of whether needed. run applications restricted permissions. if there vulnerability due sql injection or else, intruder limited in can do.

maintenancesite should not need sysadmin restores. long database exists, db_owner sufficient. if database not exist, app pool needs have create database permission or member of dbcreator server role.

erland sommarskog, sql server mvp, esquel@sommarskog.se


SQL Server  >  SQL Server Security



Comments

Post a Comment

Popular posts from this blog

Conditional formatting a graph vertical axis in SSRS 2012 charts

Image
hi, i have situation want color label on vertical axis of graph depending on condition. when values positive color black , when negative color red. i tried following condition but not working.   =iif(fields!myfield.value < 0 , "red", "black") i know there few threads mentioning feature not supported in ssrs 2008 wanted know if adddressed in ssrs 2012 or later? thanks , regards, oliver d'mello hi oliver, according description, want use expression specify different color axis labels based on values in chart. as tested in our environment, when apply condition in expression give dynamic color axis labels, color setting applies labels based on condition. issue happens in both sql server 2012 , 2014. please refer screenshots below: in scenario, recommend submit issue microsoft connect @ link https://connect.microsoft.com/sqlserver/feedback . connect site serve connecting point between , microsoft, , large community , microsoft intera
Read more

Register with Power BI failed

hi all, i've running local report server , want configure power bi integration. sign in azure active directory , registering power bi clientapp validated, fails following error: microsoft.reportingservices.wmiprovider.wmiproviderexception: unknown error has occurred in wmi provider. error code 80131500  ---> system.exception: exception of type 'system.exception' thrown.    --- end of inner exception stack trace ---    at microsoft.reportingservices.wmiprovider.rswmiadmin.throwonerror(managementbaseobject mo)    at microsoft.reportingservices.wmiprovider.rswmiadmin.savepowerbiinformation(string clientid, string clientsecret, string appobjectid, string tenantname, string tenantid, string resourceurl, string authurl, string tokenurl, string redirecturls)    at reportservicesconfigui.wmiprovider.rsreportserveradmin.savepowerbiinformation(powerbiappconfiguration appconfig) i tried sql server agent solution  ( https://social.msdn.microsoft.com/forums/en-us/58
Read more

SQL server replication error Cannot find the dbo or user defined function........

hi there, i ran problem while deploying sql 2008 transactional replication between 2 servers lets assume server , b. actually created  both distributor , publisher on server , after created subscriber pointed server b, launch replication monitor , found big red cross. when click on tab "distributor subscriber history" error says "cannot find either column "dbo" or user defined-function or aggregate "dbo.ufnleadingzeros", or name ambiguous". can body regarding issue. regards, ishuv hi, you need compare data , others reseved, index size, unused should not compared. differs. here server - data - 87896 kb server b - data - 78152 kb server data size includes publication tables, can't compare directly. need check article article know exact data size. SQL Server  > 
Read more