Solved

SQL Database Access Control

Posted on 2016-09-20
Last Modified: 2016-11-05
I want to set up a database access control mechanism so that, when anyone in the team patches anything in live, it is captured as to who patched what.

Currently there is no control in place and the team shares the DBO user credentials for database patching, which cannot be changed since they are used by the application.

How can I restrict the team from using the dbo account for database login and, if someone does that, how can an alert be set up, or are there any other ways to handle that?

Re patches, one way I thought of is to create stored procs for common / usual database patches and give execute rights on the stored procs to each individual's Windows login, removing the update rights of their Windows login, so that they can update only whatever the SP allows them to patch?

Can I take the access control forward by restricting dbo usage and giving SP access to the team, or is there any other better way to handle this area?

My organisation is very much concerned about anonymous patching impacting business operations. Please advise.
Question by:A D
9 Comments
 
LVL 40

Assisted Solution

by:lcohan
lcohan earned 500 total points
ID: 41807674
"anyone in the team patches anything in live should be captured as to who patched what."
If by "patching" you refer to making DDL changes to your SQL Database(s), then you indeed need to create logins for each user instead of sharing the same login to connect/make changes, and also different database roles so you can manage who does what at the database role level; then you just add users/logins to that particular role. So, simply said, you grant SELECT, INSERT, DELETE, EXEC, etc. to that role and add users to it.

See more here about that security model.
https://msdn.microsoft.com/en-us/library/ms189121.aspx

Also, now that you have separate logins hitting your database, you have a nice SQL built-in report called "Schema Change History" accessible via SSMS: right-click the database, select Reports, Standard Reports, then "Schema Change History" and you will see who changed what.
1
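The per-user logins and roles lcohan describes, written out in T-SQL as an added example (this is not code from lcohan's post or from the Microsoft page linked above). The domain accounts CORP\alice and CORP\bob, the database PatchDemo and the role data_patchers are assumed names. The last query reads the default trace, which is the same data the Schema Change History report shows, so once people connect under their own Windows logins the LoginName column tells you who made each DDL change.

```sql
-- Added example: individual Windows logins grouped into a database role.
-- Domain, database and role names are assumed placeholders.
USE master;
GO
CREATE LOGIN [CORP\alice] FROM WINDOWS;
CREATE LOGIN [CORP\bob]   FROM WINDOWS;
GO
USE PatchDemo;
GO
CREATE USER [CORP\alice] FOR LOGIN [CORP\alice];
CREATE USER [CORP\bob]   FOR LOGIN [CORP\bob];
GO
-- One role per job function; permissions go to the role, members go into it.
CREATE ROLE data_patchers;
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO data_patchers;
GRANT EXECUTE ON SCHEMA::dbo TO data_patchers;
ALTER ROLE data_patchers ADD MEMBER [CORP\alice];
ALTER ROLE data_patchers ADD MEMBER [CORP\bob];
GO
-- Check: who is in which role. Anyone listed under db_owner bypasses the
-- per-role grants above, so that membership should be the exception.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;
GO
-- Schema-change history from the default trace (what the SSMS report reads).
-- EventClass 46 = Object:Created, 47 = Object:Deleted, 164 = Object:Altered.
DECLARE @trace nvarchar(260);
SELECT @trace = path FROM sys.traces WHERE is_default = 1;

SELECT StartTime, LoginName, HostName, ApplicationName, DatabaseName, ObjectName,
       CASE EventClass WHEN 46  THEN 'Created'
                       WHEN 47  THEN 'Deleted'
                       WHEN 164 THEN 'Altered' END AS change_type
FROM sys.fn_trace_gettable(@trace, DEFAULT)
WHERE EventClass IN (46, 47, 164)
  AND ObjectType <> 21587          -- 21587 = statistics objects, noise only
ORDER BY StartTime DESC;
```

The default trace is a rolling set of small files, so it only covers recent history; treat it as the quick "who just changed what" view rather than a permanent audit record.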
 

Author Comment

by:A D
ID: 41807698
Hi,

I meant database patches related to application data. E.g. patching a value in customer table.

Users already have Select, Update, Create etc. rights on their respective Windows authentication as per their roles, but since the dbo password which is used by the application is known to the users, no one logs in with their own Windows login to SSMS; instead they use the dbo account (SQL authentication) and patch the database values.
0
 

Author Comment

by:A D
ID: 41808194
Users already have Select, Update, Create etc. rights on their respective Windows authentication as per their roles, but since the dbo password which is used by the application is known to the users, no one logs in with their own Windows login to SSMS; instead they use the dbo account (SQL authentication) and patch the database values.

Can anyone suggest more solutions for this?
0
 
LVL 40

Accepted Solution

by:
lcohan earned 500 total points
ID: 41809093
"since dbo password which is used by application is known to the users, no one logs in with their own windows login to ssms, instead they use dbo account  (sql authentication) and patch the database values. "

Hmmmm... in that case, in my opinion, there are 2 major issues:

1. An application should not have DDL rights in a database, but DML rights, so only SELECT, INSERT, UPDATE, DELETE and EXEC should be granted to that ID.

2. The password for the APP role must be changed/encrypted/hidden from developers so they will have to use their own ID to connect and modify database objects, right?

I mean there's no magic possible in an environment without security where everybody IS and knows the SA password, or DBO as you name it.
1
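Both of lcohan's points in T-SQL, as an added example rather than code from the answer: the application gets its own login that can only do DML and execute procedures, and the old shared credential is rotated once the application has moved over. The login app_svc, the database PatchDemo, the role app_dml and the name old_shared_app_login are assumed; the password strings are placeholders.

```sql
-- Added example: a dedicated, DML-only login for the application instead of
-- the shared dbo/sa credential. Names and passwords are placeholders.
USE master;
GO
CREATE LOGIN app_svc
    WITH PASSWORD = N'<long random secret kept only in the app config>',
         CHECK_POLICY = ON, CHECK_EXPIRATION = OFF;
GO
USE PatchDemo;
GO
CREATE USER app_svc FOR LOGIN app_svc;
CREATE ROLE app_dml;
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_dml;
GRANT EXECUTE ON SCHEMA::dbo TO app_dml;
ALTER ROLE app_dml ADD MEMBER app_svc;
-- DENY beats any later GRANT for ordinary principals, so schema changes stay
-- off the table even if someone widens app_dml. (Members of db_owner or
-- sysadmin bypass permission checks entirely, so keep app_svc out of those.)
DENY ALTER ON SCHEMA::dbo TO app_svc;
GO
-- Verify: app_svc is in app_dml only, and holds no CONTROL or ALTER grant.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'app_svc';

SELECT class_desc, permission_name, state_desc
FROM sys.database_permissions
WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID(N'app_svc');
GO
-- After the application's connection string points at app_svc, rotate the
-- credential everyone knows so it stops working for interactive use.
USE master;
GO
ALTER LOGIN [old_shared_app_login] WITH PASSWORD = N'<new random secret>';
GO
```

The first verification query should return exactly one row (app_dml); a db_owner row there means the whole exercise is moot, because db_owner members are not subject to the DENY or to any of the role grants.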
 

Author Comment

by:A D
ID: 41810799
1. A application should not have DDL rights into a database but DML rights so only SELECT,INSERT,UPDATE,DELETE, and EXEC should be granted to that ID

Even if DML rights are granted, there is still no way for us to capture who executed an UPDATE statement on business tables, due to lack of / limited access control.

2. The password for the APP role must be changed/encrypted/hidden from developers so they will have to use their own ID to connect and modify database objects right?


The change has been suggested, but that will take some time as it would be a big piece of work which needs to be rolled out in a planned manner, and it still solves only one issue. Other issues about access control / audit etc. still remain open. Bringing an Identity and Access Management tool into the picture is an option, but I don't know if the organisation will approve the cost for it.

Below is a high-level plan which has been prepared until we fix these issues permanently. Any views, please?

1 - Identify the simple data patches the service team uses to fix the known issues and list them.
2 - Convert the simple data patch scripts into stored procedures.
3 - Provide execute access to the team on the stored procedures.
4 - Keep a manual watch on usage of the DBO account.
5 - All other infrequent data patches should go to Technical Leads (senior peers) after being placed in a central location. Technical Leads to assess the patches, suggest modifications (if required) and execute the patches in live.
6 - Team to update the incident details by mentioning the data patches and send back the incident with all other required details.
0
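Steps 2 and 3 of the plan above, plus the "who executed the UPDATE" gap mentioned earlier in this comment, as an added example (this is not code from the thread). A known data patch becomes a stored procedure that runs as its owner, so the support team needs EXECUTE only and no UPDATE right on the table, and ORIGINAL_LOGIN() still records the person who called it. A SQL Server Audit then catches any direct UPDATE or DELETE that bypasses the procedure. The table dbo.Customer with columns customer_id and status, the database PatchDemo, the role support_patchers and the audit path D:\SQLAudit\ are all assumed.

```sql
-- Added example: an auditable data-patch procedure plus a SQL Server Audit
-- on the underlying table. Object names and the file path are placeholders.
USE PatchDemo;
GO
CREATE TABLE dbo.PatchLog (
    patch_id     int IDENTITY PRIMARY KEY,
    patched_at   datetime2     NOT NULL DEFAULT SYSUTCDATETIME(),
    patched_by   sysname       NOT NULL,   -- ORIGINAL_LOGIN(), not the EXECUTE AS context
    host_name    nvarchar(128) NULL,
    incident_ref nvarchar(50)  NOT NULL,
    customer_id  int           NOT NULL,
    old_status   nvarchar(20)  NULL,
    new_status   nvarchar(20)  NOT NULL
);
GO
-- Runs as the procedure owner (dbo): callers get the one fix this procedure
-- performs and nothing else, and every call is written to dbo.PatchLog.
CREATE PROCEDURE dbo.usp_PatchCustomerStatus
    @customer_id  int,
    @new_status   nvarchar(20),
    @incident_ref nvarchar(50)
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    -- Only the values the known fix needs; anything else is refused.
    IF @new_status NOT IN (N'Active', N'Suspended')
        THROW 50001, N'Status value not permitted by this patch procedure.', 1;

    BEGIN TRANSACTION;
    DECLARE @old nvarchar(20) =
        (SELECT status FROM dbo.Customer WHERE customer_id = @customer_id);
    IF @old IS NULL
    BEGIN
        ROLLBACK TRANSACTION;
        THROW 50002, N'Customer not found.', 1;
    END;

    UPDATE dbo.Customer SET status = @new_status WHERE customer_id = @customer_id;

    INSERT INTO dbo.PatchLog
        (patched_by, host_name, incident_ref, customer_id, old_status, new_status)
    VALUES
        (ORIGINAL_LOGIN(), HOST_NAME(), @incident_ref, @customer_id, @old, @new_status);
    COMMIT TRANSACTION;
END;
GO
-- Support staff: EXECUTE on the patch procedure and read access, no UPDATE.
CREATE ROLE support_patchers;
GRANT EXECUTE ON OBJECT::dbo.usp_PatchCustomerStatus TO support_patchers;
GRANT SELECT  ON OBJECT::dbo.Customer                TO support_patchers;
GO
-- Safety net: record every direct UPDATE/DELETE on the table, whoever runs it.
USE master;
GO
CREATE SERVER AUDIT CustomerPatchAudit
    TO FILE (FILEPATH = N'D:\SQLAudit\')                 -- placeholder path
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT CustomerPatchAudit WITH (STATE = ON);
GO
USE PatchDemo;
GO
CREATE DATABASE AUDIT SPECIFICATION CustomerDmlSpec
    FOR SERVER AUDIT CustomerPatchAudit
    ADD (UPDATE, DELETE ON OBJECT::dbo.Customer BY public)
    WITH (STATE = ON);
GO
-- Review: who changed dbo.Customer, from where, and with which statement.
-- session_server_principal_name is the original login even under EXECUTE AS.
SELECT event_time, session_server_principal_name, server_principal_name,
       client_ip, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id IN ('UP', 'DL') AND object_name = N'Customer'
ORDER BY event_time DESC;
```

Auditing BY public also records the application's own updates, which can be a lot of rows on a busy table; if that is a problem, audit BY the support role and db_owner instead, or keep public and filter on application_name when reviewing. While the team still shares the dbo login the audit rows will all name that login, which is exactly why the separate logins come first.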
 

Author Comment

by:A D
ID: 41818219
I have been given the option of bringing an Access Management tool into place to resolve this issue in the long term.

Any expert comments on which Access Management tool, or which module of the tool, may resolve this issue in a cost-effective way?
0
 

Author Comment

by:A D
ID: 41870301
Hi

Somehow the above plan is not entirely possible in practice. We are still lacking database auditing, and with our current application and database configuration we are not able to control the process of database patching.

Is there any way to configure the SQL client tool (SSMS) in such a way that support team users won't be able to choose the SQL authentication option and can only get the Windows authentication option when logging into the database instance?

Is it possible without changing the authentication mode or the SQL logins setup on the server side?
0
 
LVL 40

Expert Comment

by:lcohan
ID: 41872519
There is NO way, unfortunately, to do what you are requesting:

<<
to configure the SQL client tool (SSMS) in such a way that support team users won't be able to choose the SQL authentication option and can only get the Windows authentication option when logging into the database instance?

Is it possible without changing the authentication mode or the SQL logins setup on the server side?
>>

without making the suggested changes.
1
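lcohan's point stands: nothing on the SSMS side can stop a user choosing SQL authentication. What the server can do, once you accept a server-side change, is refuse the application's login when it arrives from an interactive tool and write the attempt to the error log, which also answers the original question about alerting. This is an added example, not from the thread; it assumes the application connects as a login named app_svc. The trigger relies on APP_NAME(), which the client reports and a user can change in the connection string, so it is an operational guardrail and an alert source, not a security boundary; the separate per-person logins and rotated application password remain the actual fix.

```sql
-- Added example: server-side logon trigger that blocks and logs interactive
-- use of the application's login. The login name is a placeholder.
-- Test on a non-production instance first: a faulty logon trigger denies all
-- logins, and the Dedicated Admin Connection (which logon triggers do not
-- fire for) is the way back in.
USE master;
GO
CREATE TRIGGER trg_block_app_login_from_tools
ON ALL SERVER WITH EXECUTE AS 'sa'
FOR LOGON
AS
BEGIN
    IF ORIGINAL_LOGIN() = N'app_svc'
       AND APP_NAME() LIKE N'%Management Studio%'
    BEGIN
        DECLARE @host sysname = HOST_NAME(),
                @app  sysname = APP_NAME();
        -- WITH LOG writes to the SQL Server error log and the Windows Application
        -- log; unlike a table insert it survives the ROLLBACK below, and your
        -- existing log collection can alert on the message text.
        RAISERROR(N'Blocked interactive logon as %s from host %s (application: %s)',
                  10, 1, N'app_svc', @host, @app) WITH LOG;
        ROLLBACK;   -- rolling back inside a LOGON trigger refuses the connection
    END
END;
GO
-- Disable rather than drop while tuning the APP_NAME pattern.
-- DISABLE TRIGGER trg_block_app_login_from_tools ON ALL SERVER;
```

Each refused attempt also produces the standard "Logon failed for login ... due to trigger execution" entry in the error log, so even without the RAISERROR line the attempt would be visible; the custom message just makes host and application name easy to pick out. If the application's servers are known, an additional check on HOST_NAME() narrows the allow-list further, with the same caveat that the client supplies that value.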
