Setting up SQLServer with XA Drivers contains a step where you must assign users to the role called "SqlJDBCXAUser"; this can be done using "sp_addrolemember" sproc and undone using the "sp_droprolemember".
Is there a way of checking whether a particular user has been assigned that role ?
Or (better): a way of just listing ALL users assigned to use the specific role here ?
You can use IS_MEMBER
See the manual here - http://msdn.microsoft.com/en-us/library/ms186271.aspx
To list members, use sp_helprolemember or see How to list role members in SQL Server 2008 R2
Related
I'm trying to enable access to team leaders of salary information through PowerBI, but encrypt this data from other users and the DBAs. Users denied access to this column data should still be able to execute the query but only see encrypted characters for the salary information.
I'm using SQL Server 2016.
I have tested the new 'Always Encrypted' functionality, and this works perfectly... but with the exception that I'm unable to pass the 'column encryption setting=enabled' parameter to the PowerBI connection string. By all accounts PowerBI does not support this functionality at present.
I am currently testing the use of column encryption via the use of Column Level encryption and Symmetric Keys, but the problem with this is that I am hard coding the OPEN SYMMETRIC KEY SymmetricKey1 & DECRYPTION BY CERTIFICATE Certificate1 code into the SQL and if users do not have access then an error causes SQL to fail when tested by a user.
I'm new to certificates and encryption and I'm currently on a steep learning curve... so go easy on me.
Thanks
Unfortunately, AE is the only existing built-in solution that can prevent unauthorized access by any user, including DBAs/sysadmins.
Dynamic data masking protects against regular users. The sample provided above is easily side-stepped by any user with admin level access.
Column level encryption generally does not protect against users with admin level permissions either. A DB owner or sysadmin can always open the key or replace it. There are workarounds to this via ekm but nothing scalable or usable in your scenario.
Rogue admins is one of the use cases Always Encrypted was designed to address so it is the right solution. It is something the PowerBI team needs to implement so if the feature is important to you, suggest you add your vote and comments to their feedback forum:
https://ideas.powerbi.com/forums/265200-power-bi-ideas/suggestions/14732184-sql-server-2016-always-encription-features
you can use dynamic data masking.
Dynamic data masking works by masking column output to users,who don't have permissions .Below examples have been tested on 2016 based on demo provided here :Exploring SQL Server 2016 Dynamic Data Masking – Part One - Creating a Table that uses Dynamic Data Masking
--create a table
CREATE TABLE ClientInfo
(ClientID int IDENTITY,
FirstName varchar(65),
LastName varchar(65),
PhoneNum bigint
MASKED WITH (FUNCTION = 'default()'),
EmailAddr varchar(100)
MASKED WITH (FUNCTION = 'email()'),
CreditCardNum varchar(19) MASKED
WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)'),
BirthDT date MASKED
WITH (FUNCTION = 'default()'));
INSERT Clientinfo (FirstName, LastName, PhoneNum, EmailAddr,CreditCardNum,BirthDT) VALUES
('George', 'Washington', 5555814441,
'GeorgeW#datanbasejournal.com', '0123-4567-8901-2345','02/22/1732'),
('Thomas', 'Jefferson', 5559841298,
'ThomasJ#datanbasejournal.com', '9999-9999-9999-9999', '04/13/1743'),
('Abraham', 'Lincoln', 5554070123,
'AbrahamL#datanbasejournal.com','0000-1111-2222-3333', '02/12/1809');
Now try to just select and see the data ,since you are an admin ,you will be see all data
select * from clientinfo
now try to restrict permissions to users for whom ,you want to restrict viewing
CREATE USER user1 WITHOUT LOGIN;
GRANT SELECT ON ClientInfo TO user1;
now lets try to execute as this user
EXECUTE AS USER = 'AppReader';
SELECT * FROM ClientInfo;
REVERT;
executing above query ,will not show all data and will be masked differently based on masked functions.See below screenshot
To provide access to users,you can use below query
CREATE USER AppAdmin WITHOUT LOGIN;
GRANT SELECT ON ClientInfo TO AppAdmin;
GRANT UNMASK TO AppAdmin;
In our web application we want to use DB2 row level access control to control who can view what. Each table would contain a column named userId which contain the user id. We want log-in users be able to see only row's usereId column with theirs id. I have seen db2 permission examples using DB2 session_id or user, for example taking DB2 given Banking example :
CREATE PERMISSION EXAMPLEBANKING.IN_TELLER_ROW_ACCESS
ON EXAMPLEBANKING.CUSTOMER FOR ROWS WHERE BRANCH in (
SELECT HOME_BRANCH FROM EXAMPLEBANKING.INTERNAL_INFO WHERE EMP_ID = SESSION_USER
)
ENFORCED FOR ALL ACCESS
ENABLE;
Our table gets updated dynamically hence we don't know what row get added or deleted hence we don't know what are all the user Id in the table.
At any given time, different user would log-on to the web to view information retrieve from the tables, the permission declaration above only take SESSION_USER as the input, can I change it to something like Java function parameter where one can pass arbitrary id to the permission? If not then how do I handle different log-in users at arbitrary time? Or do I just keep changing SESSION_USER dynamically as new user login (using "db2 set" ??)? If so then is this the best practice for this kind use case?
Thanks in advance.
Since the user ID in question is application-provided, not originating from the database, using SESSION_USER, which equals to the DB2 authorization ID, would not be appropriate. Instead you might use the CLIENT_USERID variable, as described here.
This might become a little tricky if you use connection pooling in your application, as the variable must be set each time after obtaining a connection from the pool and reset before returning it to the pool.
Check out Trusted Contexts, this is exactly why they exist. The linked article is fairly old (you can use trusted contexts with PHP, ruby, etc. now).
Executing the following sql:
USE [WSS_Content]
EXEC sp_helplogins
returns two result sets, and within the second resultset I get several rows but one in particular which looks like this:
LoginName DBName UserName UserOrAlias
DEMO\SPUser SharePoint_Config SharePoint_Shell_Access MemberOf
This is as expected, and what I want to see. However executing the following sql:
EXEC sp_helprole 'SharePoint_Shell_Access'
gives me an error which says: 'SharePoint_Shell_Access' is not a role. But it is! I can see that it is from SQL Server Management Studio and it even shows me the role's members from right there.
Ideally what I'm trying to accomplish is to be able to use this:
SELECT IS_MEMBER('SharePoint_Shell_Access')
but of course, this returns null because it also thinks that is not a valid role when it most definitely is. What gives, and how do I best query to see if a given user (or the current user) is a member of this custom database role?
I am running SQL Server 2008 R2.
As it turns out, sp_helplogins returns results across all databases. Which is why that role was showing up when it shouldn't have if it were limited to the current db like I previously thought.
For whatever reason I just didn't notice that and thought that entry was applicable to the WSS_Content. Instead it was from the SharePoint_Config database. The error was correct after all and there was no role by that name on the database where I was looking. I was just getting it confused.
Is there something in SQL Server similar to USE (to switch databases) that can control the owner prefix that is used for tables?
For example, we have an application that insists on creating tables "theServiceAccount.TheTableName" ; What we really want is to force it to put the table names under dbo... so "dbo.TheTableName" . We don't have a good way to change the SQL that the application runs (it is vended), other than a hook when it starts up that allows us to run some SQL. So it would be great if we could run a sql at that point which would make subsequent create table (or other operations) default to dbo instead of the service account being used.
I do realize that the create table syntax allows one to specify the owner, but that doesn't seem to be an option at this point. From what I can tell, the SQL this application generates never specifies the owner; it just has the table name in the SQL it runs.
Thanks!
In 2005, by default each user has their own default schema, unless specified.
This should do what you need:
USE databasename
ALTER USER theServiceAccount WITH DEFAULT_SCHEMA = dbo
You can also change this via SSMS by looking at the user properties and changing the default schema
I believe you can do this by creating a user with the default schema you want and then using the EXECUTE AS statement (see http://msdn.microsoft.com/en-us/library/ms181362.aspx)
In your example you could create a user (or use dbo, not advised) called 'specialDBO' that has their default schema set to dbo. Then you have something like this:
USE [myfabdb];
EXECUTE AS USER = 'speicalDBO';
... blah blah blah...
REVERT;
Remember, you can't have the USE statement after the EXECUTE AS statement.
Is there any way that we can Hide Store Procedures in SQL Server from users?
For SQL Server 2005 and above, don't give them permissions. Then, "Metadata visibility" means it's not visible and not runnable. It makes no sense to want to hide them but give them permissions.
Note: db_owners and syadmins will always see them.
Otherwise your only option is to encrypt the stored procedure as mentioned (which is easily defeated using free tools).
You can encrypt the text of the stored procedure, if that is what you mean.
CREATE PROCEDURE my_procedure
WITH ENCRYPTION
AS
BEGIN
SELECT *
FROM my_table
END
The encryption is not unbreakable, but at least it is a first line of defence.