Re: Permissions


From: Vince (nmvkPLEASERMVTHIS_at_vsnl.net)
Date: 09/29/04


Date: Wed, 29 Sep 2004 20:09:00 +0800


"Tibor Karaszi" <tibor_please.no.email_karaszi@hotmail.nomail.com> wrote in
message news:uUb2QAhpEHA.3464@TK2MSFTNGP14.phx.gbl...
> > Thanks Tibor.
>
> You're welcome. :-)
>
> > I run all services under the SQLSERVICE account, which is a
> > domain admin account.
>
> OK, but why a *domain* admin?

okay, obviously my understanding of logins isn't good! I have been thinking
that a SQL Service Account login *must* be a domain Admin login! A local
Admin should do?

>
>
> > The funny part is that, the database must be managed
> > by an Admin and he should not be able to see the contents!
>
> When you say Admin, do you mean an administrator in SQL server or Windows?
>

I meant a SQL Server Admin. Now, that's me. However, I should also not have
access to the Salary column of the HR table. Basically, the HR guys do not
want anybody, and I mean anybody, to access the HR table except for
themselves. If it is on a SQL Server, then the Admin (who is obviously not an
HR dude) cannot also see the column, but he should be able to manage
everything else like job scheduling, backups and so on on the SQL Server! I
guess I have to read more on SQL logins, but since an HR dude can NEVER
become a SA and a SA can always take control of the table at his will, what
good does this do to justify the HR guys' needs? Frankly, if their intention
is to hide stuff from the admins, Excel password protection sounds better.

> You really need to spend a few hours learning how Logins, users and permissions are handled in SQL
> Server. Then you also need to understand how this relates to Windows accounts. This is too large a
> topic to communicate in some newsgroup postings, especially as it is well documented in Books
> Online. Check, for instance, "Administrating SQL Server", "Managing Security".

I agree!! I am gonna have to take some time off to do some reading. I'll hit
MSDN first. Thanks again Tibor!

> --
> Tibor Karaszi, SQL Server MVP
> http://www.karaszi.com/sqlserver/default.asp
> http://www.solidqualitylearning.com/
>
>
> "Vince" <nmvkPLEASERMVTHIS@vsnl.net> wrote in message
> news:%23BP$tDcpEHA.3688@TK2MSFTNGP09.phx.gbl...
> > Thanks Tibor. I run all services under the SQLSERVICE account, which is a
> > domain admin account. The funny part is that, the database must be managed
> > by an Admin and he should not be able to see the contents! Maybe I can
> > create another group called Privileged, add one Admin there and allow him
> > exclusive access. The HR guys should be okay with this. Is it possible to
> > password protect a table? (This will give the HR dudes an Excel sort of
> > secure feeling)
> >
> > Vince
> >
> > "Tibor Karaszi" <tibor_please.no.email_karaszi@hotmail.nomail.com> wrote in
> > message news:eCFpUITpEHA.324@TK2MSFTNGP11.phx.gbl...
> > > You can remove the Administrators group from the Windows logins. Just be cautious with the local
> > > system account (physically named NT AUTHORITY\SYSTEM), as some services running as this might be
> > > logging in to your SQL Server.
> > >
> > > --
> > > Tibor Karaszi, SQL Server MVP
> > > http://www.karaszi.com/sqlserver/default.asp
> > > http://www.solidqualitylearning.com/
> > >
> > >
> > > "Vince" <sdsad@fsd.com> wrote in message
> > > news:%238MVlFSpEHA.648@tk2msftngp13.phx.gbl...
> > > > I guess, I'll just tell the HR dudes that even the Excel password can be
> > > > cracked. I'll add that "everything possible is being done" to ensure
> > > > privacy. Reminds me of some signature that somebody often uses in these
> > > > newsgroups "Your code today will hunt your future". Oh, well!
> > > > Thanks Uri.
> > > >
> > > > Vince
> > > > "Uri Dimant" <urid@iscar.co.il> wrote in message
> > > > news:Oe8HF4RpEHA.744@TK2MSFTNGP10.phx.gbl...
> > > > > Vince
> > > > > I think if the user is a sysadmin you cannot prevent them from accessing the table.
> > > > >
> > > > >
> > > > >
> > > > > "Vince" <sdsad@fsd.com> wrote in message
> > > > > news:%23kTzOjPpEHA.2764@TK2MSFTNGP11.phx.gbl...
> > > > > > This is a little confusing.
> > > > > >
> > > > > > I have a table which has all the employee details like Name, Salary and blah
> > > > > > blah. This table is supposed to be accessed only by the HR department. Of
> > > > > > course, I gave permissions only to the HR department but there are many
> > > > > > domain administrators (including me) who can access the SQL Server (as Local
> > > > > > administrator). Earlier, the HR department was using a password protected
> > > > > > Excel file for which, obviously, only they knew the password. So, my
> > > > > > question is, how can I get only the HR people to access the table and not
> > > > > > even domain administrators? Isn't it a fact that the Domain Administrator
> > > > > > (also SA) can always assume control over the table at a later stage? I have
> > > > > > to convince the HR dudes that the SQL Server table is treated as
> > > > > > confidentially as their Excel file. I haven't done something like this
> > > > > > (where I have to deny permission to myself as well!!) before. How should I
> > > > > > go about this?
> > > > > >
> > > > > > Thanks a lot.
> > > > > > Vince
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
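
Added example, not part of the original thread: T-SQL for the steps discussed above (removing the Administrators group login as Tibor suggests, then limiting the HR table to an HR role), written with the system procedures SQL Server shipped at the time of the thread. The names HRDB, dbo.Employee, CORP\SQLDBA, CORP\HR-Staff, HRStaff and HRData are assumptions; as Uri points out, whoever remains in sysadmin still bypasses these permissions.

```sql
-- Hypothetical names throughout: HRDB, dbo.Employee, CORP\SQLDBA, CORP\HR-Staff.

-- 1. Who is sysadmin right now? Every login listed here can read any table,
--    whatever GRANT/DENY says. BUILTIN\Administrators in this list means every
--    local and domain admin on the box is included.
EXEC sp_helpsrvrolemember 'sysadmin';

-- 2. Give a named DBA login sysadmin BEFORE removing the group,
--    otherwise nobody is left to administer the server.
EXEC sp_grantlogin 'CORP\SQLDBA';
EXEC sp_addsrvrolemember 'CORP\SQLDBA', 'sysadmin';

-- 3. Services running as local system may have been logging in through the
--    Administrators group (Tibor's caveat). If any do, give the account its
--    own login first; which rights it needs depends on the service.
EXEC sp_grantlogin 'NT AUTHORITY\SYSTEM';

-- 4. Remove the Windows Administrators group as a SQL Server login.
EXEC sp_revokelogin 'BUILTIN\Administrators';

-- 5. In the HR database, route all access to the table through one role.
EXEC sp_grantlogin 'CORP\HR-Staff';
USE HRDB;
EXEC sp_grantdbaccess 'CORP\HR-Staff', 'HRStaff';
EXEC sp_addrole 'HRData';
EXEC sp_addrolemember 'HRData', 'HRStaff';

REVOKE ALL ON dbo.Employee FROM public;
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Employee TO HRData;

-- 6. Review what is left. Explicit permissions on the table:
EXEC sp_helprotect 'Employee';
--    Database roles that reach the table without an explicit GRANT:
EXEC sp_helprolemember 'db_owner';
EXEC sp_helprolemember 'db_datareader';
--    And the server-level list again; it should now show named logins only.
EXEC sp_helpsrvrolemember 'sysadmin';
```

On later SQL Server versions the same steps are usually written with CREATE LOGIN, DROP LOGIN, CREATE ROLE and ALTER ROLE.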


