SQL Security / windows logins / AD groups
Posted on 2013-06-05
I am wondering what is a solution for this issue I am having in my environment. Currently I have sql servers that host several dbs that are being used by different applications. I grant access via AD groups b/c I do not want to manage access at an individual windows login level due to the number of people who access dbs on servers.
The issue I am having is that if I have a user which I have placed in an AD group, for example, ADGroupA and ADGroupA is given access, for example, to DatabaseA, but that user is also in an AD group called ADGroupB which does not have access to DatabaseA then the user will NOT be able to access DatabaseA UNLESS I give that AD group called ADGroupB access to DatabaseA. However, in reality the ADGroupB should not have access to DatabaseA. This happens all the time b/c we are hosting mulitple dbs that are supporting multiple apps and I have users who support both apps.
I am trying to find a solution around this issue wherein we have users in multiple AD groups, but the AD groups should NOT have access to the same dbs.
I hope this has made sense and if anyone has run into this issue before and knows of a workaround or fix I would really appreciate it.