I am transitioning a project from Advantage Database Server to MS SQL server. In Advantage, you can password protect an individual table, which is also encrypted. As such, you cannot open, view, update, etc. the table without the password. I place my project's registration information in this table, so I don't want any user to be able to look at its contents.
I cannot find a similar function in SQL server. Encrypting the data is insufficient. So my question is: is there a way to password protect a table in SQL Server.
In SQL server you can link various access roles to the users. These roles can be applied to tables, views, stored procedures etc. The best thing to do is to create views on the database, and let the users access specific views, rather than giving permissions on all DB objects.
Alternatively, you can deny permissions on a specific table to a user or a role.
Here are two articles on MSDN that will get you started:
GRANT Object Permissions
DENY Object Permissions
Related
I need to restore the database from a different environment where different logins are used but I want to keep permission to this database for already existing login on this server.
Now, after restoring my login on the targeted server it lost mapping for this database (and owner role)
I want to restore everything inside the database and same time I don't want to map the database and add owner role to the login.
Is it even possible?
I've tried different ways of restore - deleting before restore, as well as delete but not to close existing connections. The result is the same, I need to map new restored DB again and add the owner role.
Normally database users have to be mapped to instance logins to work, but if you want to make your DB more instance independent and control your database from the inside of it then the solution for you would be a Contained Databases.
From MS BOL:
A contained database is a database that is isolated from other
databases and from the instance of SQL Server that hosts the database.
SQL Server 2017 helps user to isolate their database from the instance
in 4 ways.
Much of the metadata that describes a database is maintained in the database. (In addition to, or instead of, maintaining metadata in the
master database.)
All metadata are defined using the same collation.
User authentication can be performed by the database, reducing the databases dependency on the logins of the instance of SQL Server.
The SQL Server environment (DMV's, XEvents, etc.) reports and can act upon containment information.
I am new to SQL Server database and I am struggling to figure out the access issue for one of the user on a particular view. I don't want to expose any of my base tables.
The scenario is: I have 3 databases, DB one, two and three
Database one has 2 base tables
Database two has one view on top of those tables (tables in database one)
Database three has one view which is on top of the view of database two
Database three is our data warehouse. So, I would like to know if I give select permission on only database three's view, will that suffice?
The catch is I don't want to expose any of my base tables in database one
If I grant select permission to user1 on datawarehouse view (view in database three) and deny all the permissions to the base tables (in database 1), then is it possible?
Thanks
Ownership chaining allows access to data via the view without permissions on the underlying tables as long as all objects are owned by the same security principal. There is no need for an explicit GRANT or DENY on the indirectly used objects with an unbroken ownership chain since permissions are checked only on the directly access view. The object owner is typically inherited from the schema owner.
To allow ownership chaining to extend across multiple database:
The DB_CHAINING database option must be ON for the databases involved.
The user must be able to use the databases (have a user account in each database with CONNECT permissions), although only permissions on directly accessed objects are needed.
In the case of dbo-owned objects, the databases must be owned by the same login (AUTHORIZATION) since the dbo schema owner is the database owner. For other schemas, the schema owner must map to the same login.
DB_CHAINING should be enabled only when you fully trust highly-privileged users (those with permissions to create database objects).
I am connecting to a database using mail merge in MS Word to access a group of tables. Half the tables are under schema_1 and half are under schema_2.
Currently, once I have connected to the database I can see all the tables listed, when I only want to be able to see the tables under schema_1. Nothing from schema_2.
I'm using sql server management studio 2005, and have a user set up whose details I must input to gain access to the database from MS Word.
Many dbas feel that schema based security is the optimal approach to managing SQL Server security. You can assign permissions through statements such as:
Grant read On Schema::[schemaz] To [userx]
revoke read on Schema::[schemab] To [userx]
You may find this article interesting:
https://www.simple-talk.com/sql/sql-training/schema-based-access-control-for-sql-server-databases/
I am new to SQL server and now I have a database with thousands of tables stored. I want to replicate this database and pass this replica to other vendors, but for security concern, I would like to mask all the fields in the tables. The vendors don't really care about what has stored in the table but they do care about the structures or distributions about the tables.
The idea is to copy the current database and do masking then. But I don't know if SQL server has provided this technique to simplify the process. Appreciate it for any comments or suggestions!
Just deny view definition permission to the user who will access the database using the below query :-
USE master
GO
DENY VIEW ANY DEFINITION TO User1
Once you deny this permission to User1, all objects such as table,SP,view etc will be hidden in the database and at the sametime user1 will be able to do whatever he wants if he knows the object.
This will mask the all objects from the user.
I have MS Access as a front end and PostgreSQL as back end for my database. So I set up the database in PostgreSQL and linked the tables to MS Access using the ODBC drivers. Everything works great, I can update the tables in MS Access and the record will appear in Postgres database.
Since I can still see the linked tables in MS Access, I feel like it is possible for some users to go in and manually modify the tables without filling out proper forms. Is it possible to HIDE the tables or lock the tables so that Access users cannot modify the raw data at all? If not, what can I do to secure the integrity of the database.
Thanks!
I would recommend looking at Postgres privileges as a way to lock the tables down.
In short, you could have your backend run as one user that has full access permissions on the tables in question, and when the users login to the app, they would be connected to Postgres using a user whose privileges are considerably more locked down (say, read only if you just want to be able to do SELECTs to surface data).
For example, you could run the following SQL against your Postgres server:
REVOKE ALL ON accounts FROM joe;
GRANT SELECT ON accounts TO joe;
Which would first remove all privileges from the user joe for the table accounts, and then allow only SELECT priveleges for that table.
You could do something similar for all the tables you wish to lock down. You'll also need to do the same for the sequences used by those tables.
You may wish to create a special readonly user which has only read access across the board, and use those credentials to surface the Postgres data for the users to access.
When you need to alter data, your backend could specifically use a power user of sorts which has much greater access.
Here's a link which details creating a readonly Postgres user (for purposes of backups in this case, but the general concept and the SQL commands should apply (just ignore the stuff about pg_dump).
If you aren't concerned about users' ability to modify the data in those tables via the up other than in the ways that are authorized, but are only concerned about them using, say, psql to go in and update them, then you probably don't need a readonly user, but can simply lock the tables down and have the backend use that user with sufficient access.