Solved

MS SQL Security, DBO vs User objects

Posted on 2007-08-09
1,151 Views
Last Modified: 2012-05-05
We've been having a debate here at work about security in MS SQL.  

One of the managers here is asking us to modify the database and application to drop the objects (tables, stored procs) created by the database admin (sa) and prefixed DBO, and to re-create the same objects using the user created to access them (so they are prefixed with the user).

We've been arguing on this, as my view is that not only is there no gain in security, this actually causes a breach, because this user can actually drop objects.

I'm not a SQL Guru, but here is what I would do:

Create a user that would be DBO of the database.  This user creates objects, sets permissions.
Create a user that accesses the DBO (datareader, datawriter).  Can execute stored procs and use views.

Tell me what you think: is it worth arguing with this manager, or should we let go and accept what the manager wants, modifying the app code and DB stored procs?

Thanks
Marc
Question by:csbintra
4 Comments
 

Assisted Solution

by:Jens Fiederer
Jens Fiederer earned 750 total points
ID: 19663063
It really depends on what ELSE is in the database.

If your team is the only one that maintains that database, dbo access for one or more of you might be acceptable.  

If the database contains (or WILL contain) the work of OTHER teams to which you are not supposed to have access, allowing your team to have DBO is obviously a problem.
 

Author Comment

by:csbintra
ID: 19663120
I'm sorry, I might not be very clear on the issue.

Actually, the issue or question is:  Is it safer to use objects created by the application user accessing the db (user.tblTable), or to use objects created by DBO (dbo.tblTable) and accessed by an app user with data_reader/data_writer permissions...

Thanks in advance,
Marc
 

Assisted Solution

by:Jens Fiederer
Jens Fiederer earned 750 total points
ID: 19663205
There is nothing generally unsafe about objects created by DBO accessed by an app user with data_reader/data_writer permissions...

If there is any security-related issue that suggests a preference for user-created objects, it is MUCH more likely to relate to table maintenance issues (and who needs to get DBO) than to table access during the normal running of the application.
 

Accepted Solution

by:Scott Pletcher
Scott Pletcher earned 750 total points
ID: 19664709
One big disadvantage of having a custom owner is that the owner must be specified by everyone who is not the specific owner using the object.  Also, you will have to do multiple GRANTs of authority, since every time the owner changes, the ownership chain is broken, and SQL starts checking all permissions again.

From an administrative and maintenance standpoint, it's much easier to use 'dbo' as the owner.

>>  to drop the objects (tables, stored procs) created by the database admin (sa) and prefixed DBO and to re-create the same objects using the user created to access them (so they are prefixed with the user. <<
You can use sp_changeobjectowner instead; you don't have to drop and re-create the objects.
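As an added illustration that is not part of the thread and not code from any of the posters: the T-SQL script below sets up the two-account layout proposed in the question (an owning account that becomes dbo and an application account limited to role membership and EXECUTE), then shows the ownership-chaining effect described in the accepted answer when a table is moved to a custom owner with sp_changeobjectowner. It assumes SQL Server 2005 or later syntax (CREATE LOGIN, CREATE SCHEMA ... AUTHORIZATION, EXECUTE AS); the database, login, table and procedure names are constructed placeholders.

```sql
-- Added example for this page, not code from the thread. Assumes SQL Server
-- 2005+ syntax (CREATE LOGIN, CREATE SCHEMA ... AUTHORIZATION, EXECUTE AS).
-- MyAppDb, app_owner, app_user, report_user, tblOrders and usp_GetOrder are
-- constructed placeholder names.

-- 1. The poster's layout: a dedicated owner account becomes dbo of this one
--    database (not sysadmin), and it creates every object in the dbo schema.
CREATE LOGIN app_owner   WITH PASSWORD = 'placeholder-change-me';
CREATE LOGIN app_user    WITH PASSWORD = 'placeholder-change-me';
CREATE LOGIN report_user WITH PASSWORD = 'placeholder-change-me';
GO
USE MyAppDb;
GO
EXEC sp_changedbowner 'app_owner';   -- app_owner now maps to dbo in MyAppDb
GO
CREATE TABLE dbo.tblOrders (OrderId int PRIMARY KEY, Amount money NOT NULL);
GO
CREATE PROCEDURE dbo.usp_GetOrder @OrderId int AS
    SELECT OrderId, Amount FROM dbo.tblOrders WHERE OrderId = @OrderId;
GO

-- 2. The application account: a plain user, the data roles, and EXECUTE on
--    the procedures it calls. It owns nothing, so it cannot DROP or ALTER.
CREATE USER app_user FOR LOGIN app_user;
EXEC sp_addrolemember 'db_datareader', 'app_user';
EXEC sp_addrolemember 'db_datawriter', 'app_user';
GRANT EXECUTE ON dbo.usp_GetOrder TO app_user;
GO

-- 3. Ownership chaining (the accepted answer's point). report_user gets only
--    EXECUTE on the proc. Because dbo owns both the proc and the table, SQL
--    Server checks permissions only at the proc: the call succeeds while a
--    direct SELECT on the table is denied.
CREATE USER report_user FOR LOGIN report_user;
GRANT EXECUTE ON dbo.usp_GetOrder TO report_user;
GO
EXECUTE AS USER = 'report_user';
    EXEC dbo.usp_GetOrder @OrderId = 1;      -- succeeds via the chain
    -- SELECT * FROM dbo.tblOrders;          -- would fail: no SELECT granted
    -- DROP TABLE dbo.tblOrders;             -- would fail: not the owner
REVERT;
GO

-- 4. The manager's layout: move the table under the app user.
--    sp_changeobjectowner (as the accepted answer suggests) avoids
--    drop-and-recreate; on 2005+ the new owner must own a schema of the
--    same name, and the schema-based equivalent is
--    ALTER SCHEMA app_user TRANSFER dbo.tblOrders.
CREATE SCHEMA app_user AUTHORIZATION app_user;
GO
EXEC sp_changeobjectowner 'dbo.tblOrders', 'app_user';
GO
-- Every reference now needs the two-part name app_user.tblOrders:
ALTER PROCEDURE dbo.usp_GetOrder @OrderId int AS
    SELECT OrderId, Amount FROM app_user.tblOrders WHERE OrderId = @OrderId;
GO

-- 5. Consequences. The chain dbo.usp_GetOrder -> app_user.tblOrders is broken
--    (different owners), so report_user's EXECUTE alone is no longer enough
--    and a second GRANT is required. And app_user, as owner, can now drop
--    the table, which is the "breach" the question describes.
EXECUTE AS USER = 'report_user';
    -- EXEC dbo.usp_GetOrder @OrderId = 1;   -- now fails on the SELECT
REVERT;
GRANT SELECT ON app_user.tblOrders TO report_user;  -- one GRANT per object from now on
EXECUTE AS USER = 'app_user';
    -- DROP TABLE app_user.tblOrders;        -- succeeds: app_user is the owner
REVERT;
GO
```

The statements that would raise errors are left commented so the script runs through; uncomment them one at a time inside the EXECUTE AS blocks to see the permission-denied error for the dbo-owned layout and the successful DROP once app_user owns the table. Step 5 is the practical cost of custom owners: each dbo-owned caller of a user-owned object needs its own GRANT, and the owning application account holds full control of its tables.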
