Improve company productivity with a Business Account.Sign Up

x
?
Solved

SQL Security / windows logins / AD groups

Posted on 2013-06-05
3
Medium Priority
?
163 Views
Last Modified: 2013-06-11
I am wondering what is a solution for this issue I am having in my environment.  Currently I have sql servers that host several dbs that are being used by different applications.  I grant access via AD groups b/c I do  not want to manage access at an individual windows login level due to the number of people who access dbs on servers.

The issue I am having is that if I have a user which I have placed in an AD group, for example, ADGroupA and ADGroupA  is given access, for example, to DatabaseA, but that user is also in an AD group called  ADGroupB which does not have access to DatabaseA then the user will NOT be able to access DatabaseA UNLESS I give that AD group called ADGroupB access to DatabaseA.  However, in reality the ADGroupB should not have access to DatabaseA.  This happens all the time  b/c we are hosting mulitple dbs that are supporting multiple apps and I have users who support both apps.

I am trying to find a solution around this issue wherein we have users in multiple AD groups, but the AD groups should NOT have access to the same dbs.

I hope this has made sense and if anyone has run into this issue before and knows of a workaround or fix I would really appreciate it.
0
Comment
Question by:jwa082276
  • 2
3 Comments
 
LVL 4

Expert Comment

by:MrC63
ID: 39224274
This is the "triple state" syndrome.  Members of Group A must have access to certain databases, and members of Group B must have access to certain other databases.

The trick is that there are some members who should have access to both sets of databases.  So now you need a Group C, which would then be granted access to both Group A and Group B databases.

Essentially, you need a third A/D group, because you actually have three options: A, B, or Both (C) -- hence the term triple state.

The nice part is that it's easy to assign or remove a person, via A/D, into one of the three groups depending on what they should have access to.  In future, you may have to develop additional groups to accommodate further database restrictions.
0
 

Author Comment

by:jwa082276
ID: 39224413
So, do you feel that having a third AD group is really the only way around this?
0
 
LVL 4

Accepted Solution

by:
MrC63 earned 2000 total points
ID: 39224627
Yes.  

Your only other option is to place a specific user in Group A (or perhaps Group B), and then manually assign this person with specific access levels where appropriate.  You've already acknowledged, and I fully agree, that this is not efficient.

The solution is to create one, or possibly even more than one, A/D groups.  Assign the appropriate SQL access to each group, and then add the users to one or more of the appropriate groups.

In future you may find that you need to create 4 or 5 groups (or more), but with the proper group definitions you would simpler control user access by placing a user in, e.g. 2 of the 5 groups to provide the appropriate access.  If the groups and group access are defined properly, it's much easier to assign a person to a group than it is to go through a list of SQL databases.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

In this article I will describe the Backup & Restore method as one possible migration process and I will add the extra tasks needed for an upgrade when and where is applied so it will cover all.
In this article I will describe the Copy Database Wizard method as one possible migration process and I will add the extra tasks needed for an upgrade when and where is applied so it will cover all.
SQL Database Recovery Software repairs the MDF & NDF Files, corrupted due to hardware related issues or software related errors. Provides preview of recovered database objects and allows saving in either MSSQL, CSV, HTML or XLS format. Ensures recov…
Stellar Phoenix SQL Database Repair software easily fixes the suspect mode issue of SQL Server database. It is a simple process to bring the database from suspect mode to normal mode. Check out the video and fix the SQL database suspect mode problem.

589 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question