Defining permissions from database - abp

I need to load permission definitions from database.
Permission definition provider is in application.contracts and it does not have access to repository.
Where is the best place to load permissions from database on startup?

Related

Snowflake SQL Error [3056] [0A000]: SQL compilation error: A view or function being shared cannot reference objects from other databases

I am trying to create a secure view, add to my share so that reader account can access it.
My sample code is below:
    USE ROLE accountadmin;
    create share DEV_SHARE1;
    grant usage on database dev_infomart_db to share DEV_SHARE1;
    grant usage on schema dev_infomart_db.sch to share DEV_SHARE1;
    ALTER SHARE DEV_SHARE1 ADD ACCOUNTS = XXXXXX;
    grant reference_usage on database DEV_EDW_DB to share DEV_SHARE1;
    GRANT SELECT ON VIEW dev_infomart_db.sch.view1 TO SHARE DEV_SHARE1;
This view dev_infomart_db.sch.view1 is referring to tables/views present in database DEV_EDW_DB.
I referred to this doc from snowflake for sharing data from multiple DBs.
https://docs.snowflake.com/en/user-guide/data-sharing-mutiple-db.html
I have followed steps as provided in link above. I am still getting below error, while sharing my view:
SQL Error [3056] [0A000]: SQL compilation error:
A view or function being shared cannot reference objects from other databases.
Any help would be much appreciated.

This usually happens when a view contains other views, and some of them reference objects from another database.
You may use the GET_OBJECT_REFERENCES function to list the objects used by the view:
https://docs.snowflake.com/en/sql-reference/functions/get_object_references.html
Make sure that they do not reference the objects on the other databases.
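
The check suggested in the answer above, as an added example that is not part of the original post: it lists what the shared view references and keeps only the objects that live outside the view's own database. The database, schema and view names are the ones from the question.

```sql
-- Added example (Snowflake SQL), not from the original answer.
-- Lists the objects referenced by the view from the question and keeps
-- those that are stored in a database other than the view's own.
SELECT
    referenced_database_name,
    referenced_schema_name,
    referenced_object_name,
    referenced_object_type
FROM TABLE(GET_OBJECT_REFERENCES(
        DATABASE_NAME => 'DEV_INFOMART_DB',
        SCHEMA_NAME   => 'SCH',
        OBJECT_NAME   => 'VIEW1'))
WHERE referenced_database_name <> 'DEV_INFOMART_DB'
ORDER BY referenced_database_name, referenced_schema_name, referenced_object_name;
```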

GRANT IMPORTED PRIVILEGES ON DATABASE - Limiting Objects

GRANT IMPORTED PRIVILEGES ON DATABASE TO ROLE - This provides read access on 'all' objects in the database to a role. How can I limit read access to a subset of objects in the database instead of all objects in the database?

I suggest creating VIEWs with appropriate access privileges on the SHARE objects.

What are good practices for granting database permissions to a web service connection?

I have been searching for articles and SQL script examples that would demonstrate how to securely and conveniently solve one of the most common scenarios - connecting from a .Net Core Entity Framework based web application to an SQL database.
But somehow I could not find any coherent step-by-step guide from a reputable source.
Let's assume the following:
- I cannot use integrated Windows auth in the connection string and must use username and password based auth (because hosting on a Linux server and the DB is on a different Windows server)
- the web service will need your usual minimum set of permissions - connect to the database, read data, write data, delete data, execute stored procedures
While reading many tutorials, I find there are multiple ways to manage the connection permissions. To avoid this question being too broad, I'll list my current choices as I understand them (please correct me if I'm missing something).
Users and logins:
- create a login and a user for the database
- create a database-only user without a login (not sure if this is applicable to a web app and connection string, but still it's a feature that I've seen being used)
Assigning permissions:
- assign the user to some fixed SQL role (db_datareader, db_datawriter AND also will have to grant EXECUTE permission)
- grant all fixed permissions
- create a custom role (let's say, db_web_apps) with required permissions
Which choices are better (more secure and easier to manage in general) and recommended by SQL DBAs?
I think every database administrator should have a template script handy for quickly adding a new user with minimum required permissions every time when developers ask for a new connection for their shiny new web app.
If you know a good, reliable tutorial or GitHub / Gist example that explains what is being done and why, or a script that you yourself have used for years without any issues in production environments, I'd really appreciate it if you could share it.

Create a role in the database and assign the required privileges to the role. Don't use the fixed database roles. Instead grant permissions directly to objects, schemas, or the entire database if necessary. Like this:
    create role trusted_app_role
    grant select, insert, update, delete, execute
    on schema::dbo to trusted_app_role
That will grant the role full DML permissions on all the objects in the default dbo schema. So if you have any tables or procedures you don't want the app to have access to, just create them in a different schema, say, admin. This way you never have to fiddle with permissions as you add objects. The fixed database roles predate schema-based permissions, and aren't really needed any more.
For your application's identity, add Active Directory or Azure Active Directory (Azure SQL) identities to this role, or, if you can't, add SQL Users to the role.
If you are on Azure SQL, you should normally use a database user without a login. On SQL Server you can only add "contained database users" if you enable Partial Database Containment. Which you can do, but is incompatible with Change Tracking and Change Data Capture, so it's a tradeoff.
So normally for SQL Server you still create a login and map the user to the login. E.g.:
    create login web_service_user with password = '5X+jeuAB6kmhw85R/AxAg'
    create user web_service_user for login web_service_user
And then add that user to your role:
    alter role trusted_app_role add member web_service_user
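
A way to verify the result of the script above, as an added example that is not part of the original answer: it impersonates web_service_user and reports which permissions the account actually holds on the dbo schema, on a separate schema and on the database. The admin schema is the hypothetical one the answer mentions, and the session running the check is assumed to be allowed to impersonate the user.

```sql
-- Added example (T-SQL), not from the original answer.
-- Run in the application database as a principal allowed to impersonate
-- web_service_user (for example the database owner).
EXECUTE AS USER = 'web_service_user';

-- HAS_PERMS_BY_NAME returns 1 when the permission is held, 0 when it is not,
-- and NULL when the securable is not valid or not visible to the caller.
SELECT
    HAS_PERMS_BY_NAME('dbo',   'SCHEMA', 'SELECT')  AS dbo_select,
    HAS_PERMS_BY_NAME('dbo',   'SCHEMA', 'INSERT')  AS dbo_insert,
    HAS_PERMS_BY_NAME('dbo',   'SCHEMA', 'UPDATE')  AS dbo_update,
    HAS_PERMS_BY_NAME('dbo',   'SCHEMA', 'DELETE')  AS dbo_delete,
    HAS_PERMS_BY_NAME('dbo',   'SCHEMA', 'EXECUTE') AS dbo_execute,
    -- DDL on dbo is not part of the grant made to trusted_app_role
    HAS_PERMS_BY_NAME('dbo',   'SCHEMA', 'ALTER')   AS dbo_alter,
    -- admin is the hypothetical schema kept outside the grant
    HAS_PERMS_BY_NAME('admin', 'SCHEMA', 'SELECT')  AS admin_select,
    -- database-wide control would indicate db_owner-level rights
    HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CONTROL') AS db_control;

-- Full list of effective permissions on the dbo schema for the impersonated user
SELECT entity_name, permission_name
FROM sys.fn_my_permissions('dbo', 'SCHEMA')
ORDER BY permission_name;

-- Return to the original security context
REVERT;
```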

SQL Server Find Least Privilege for user account

I have a vendor who has installed an application database on one of my SQL Server 2012 instances. He has told me that the SQL Auth account used by the application requires DB Data reader, Data writer, DB owner, and sysadmin. This makes no sense to me because sysadmin would not need the other roles. After install I removed sysadmin and the account had data reader and writer. The application stopped working.
So I am looking for some tips and ideas for figuring out the least privilege required for the application user. I see that the database has stored procedures but there aren't any functions, types, assemblies so I would like to just create a role with all of the required grants. DB Owner would be better than sysadmin. I could live with that.

It depends on what the application needs to do. If your application was only reading data, then the datareader role. If it reads and writes to the database, both reader and writer would be good. Note that writing data only includes inserting and updating, not modifying or altering. In most cases, you can assign a series of roles and not provide the login access to commands such as truncating or dropping tables - it's obvious why an application having god powers would be a bad idea.
Here's a list of all the possible roles you can assign and what each of them is for. Hopefully understanding what the application does will help you assign these roles more fluidly.
Predefined database roles
You may need to create your own, but you have access to several predefined database roles:
db_owner: Members have full access.
db_accessadmin: Members can manage Windows groups and SQL Server logins.
db_datareader: Members can read all data.
db_datawriter: Members can add, delete, or modify data in the tables.
db_ddladmin: Members can run dynamic-link library (DLL) statements.
db_securityadmin: Members can modify role membership and manage permissions.
db_backupoperator: Members can back up the database.
db_denydatareader: Members can’t view data within the database.
db_denydatawriter: Members can’t change or delete data in tables or views.
Fixed roles
The fixed server roles are applied serverwide, and there are several predefined server roles:
SysAdmin: Any member can perform any action on the server.
ServerAdmin: Any member can set configuration options on the server.
SetupAdmin: Any member can manage linked servers and SQL Server startup options and tasks.
Security Admin: Any member can manage server security.
ProcessAdmin: Any member can kill processes running on SQL Server.
DbCreator: Any member can create, alter, drop, and restore databases.
DiskAdmin: Any member can manage SQL Server disk files.
BulkAdmin: Any member can run the bulk insert command.
You can create a database role to be able to execute stored procedures. It'll even show up in the UI when you grant permissions to a login for a specific database:
    -- Create a db_executor role
    CREATE ROLE db_executor
    -- Grant execute rights to the new role
    GRANT EXECUTE TO db_executor
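
An inventory of what an application account holds today, useful as the starting point before replacing broad roles with a custom one; this is an added example, not part of the original answer. The account name vendor_app_user is a placeholder, and the database user is assumed to have the same name as its login.

```sql
-- Added example (T-SQL), not from the original answer.
-- Run in the application database. 'vendor_app_user' is a placeholder.
DECLARE @account sysname = N'vendor_app_user';

-- Database roles (fixed and user-defined) the user is a member of
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = @account;

-- Server roles held by the login (sysadmin would show up here)
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = @account;

-- Permissions granted or denied directly to the user, with the securable
-- resolved for database-, object- and schema-level entries
SELECT pe.state_desc,
       pe.permission_name,
       pe.class_desc,
       CASE pe.class
            WHEN 0 THEN DB_NAME()
            WHEN 1 THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)
            WHEN 3 THEN SCHEMA_NAME(pe.major_id)
       END AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS u ON u.principal_id = pe.grantee_principal_id
WHERE u.name = @account
ORDER BY pe.class_desc, securable, pe.permission_name;
```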

SQL user access needed for views

I am working in MS SQL Server 2014. I have to send data from a certain DB (call it "DB_old") to an external application. This application reads data from DB_old via a connection that is built with a certain SQL service account. I just discovered that certain columns in tables from DB_old are not allowed to be loaded into this external application. So:
1) I removed this SQL service account's access to DB_old;
2) I created a new DB (call it "DB_new") and views on DB_new that select the permissible columns from DB_old;
3) I granted the SQL service account access to all views on DB_new
I thought that the above would resolve my data exposure problem. However, when I log into SSMS with the given SQL service account (which is successful) and try to run some simple SELECTs against the views on DB_new, I get the following error:
The server principal "SQL_service_account" is not able to access the database "DB_old" under the current security context.
I am not sure how to resolve this seeming ownership chain problem. To be clear, I am the owner of DB_new and all schemas underneath it, but I am not the owner of DB_old or any schemas underneath it. And, I cannot allow SQL_service_account to select any tables under DB_old. And, I cannot build my views on DB_old. They have to be built on DB_new.
What is the best way to resolve this ownership chain problem?
