I have an intranet application that uses Active Directory to handle access and roles. This all works well.
Within my application there is a Customer database. Each Customer can have multiple categories with a member of staff assigned to each of them. With this in mind to help cut down on the number of queries to Active Directory I thought it would be easier to have a copy of my Active Directory users and some of their details in my database so I can create navigation properties between my models.
Can anyone suggest a method to replicate some of the fields from Active Directory into my SQL Server database? I only need Firstname, Surname, EmployeeID, Email, etc.
It would be useful if this ran hourly/daily.
Related
I am creating an ASP.NET MVC site that can be accessed by an Active Directory group. The basic functionality of the site is:
User can navigate to many different pages which display data from different tables in the SQL Server
User can search by any column in each table on the site to display corresponding records
User can create/delete/edit previously stored records from the connected SQL Server tables
I want to create a main page for the site that is personalized for each user in Active Directory. I was hoping to display previous changes to the database (i.e records added or edited) as well as the user's previous search history so that they can click on a link and it takes them to a results table that they have accessed before.
I have looked into logging the user's activity, but so far all I can find information on is logging errors/bugs that different users experience on the site. I want to log the user's searches/database changes.
Does anyone have advice on how I can do this? I was thinking about adding a table for storing this information in the SQL Server database, but I am unsure how this would work for separation by different users. For example, if User A searches for "xyz" and User B searches for "Abc", when User A relaunches the site, the previous search history should only show "xyz"
EDIT: another question I thought of, if I were to create a table that follows this basic format:
Where the User column is a foreign column connecting to the Active Directory user (i.e. 3 -> John Smith and 7 -> Jane Doe), is it possible to connect a foreign key column representing which user made the changes in the site to an Active Directory group? That way if John Smith made a change in the site, when he logs in, any data that corresponds to only him is displayed?
When you create a new user through the UI, it will retrieve all details from Active Directory once you've entered a user name (job title, phone, email etc..) which is great but it only seems to work when the user name is changed in the UI.
I'm importing >100 users into a new CRM system, how can I trigger this synchronisation across all of them in bulk? Without browsing through 100 user records and making minor tweaks to the user name field.
The following command line tool can be used for updating all out of sync users with the newest data from Active Directory:
Update CRM 2011 Users From AD Tool
It is not clear if the tool would also work for CRM 2015.
You could make a program that reads all CRM users and then do a search in the AD to see what has been changed to update the CRM. I have written a service that does that once when a customer wanted to have a synch with the AD, that ran once every six hours or so.
As a part of database security I have different access for every user(same as schema in Oracle). Now I want to add these users as Oracle Application Express(Apex) users.
When I try to create new users, APEX does not provide me the ability to have database users as APEX users itself.
Essentially I have three users - STUDENT,TEACHER AND UNIVERSITY.
UNIVERSITY has two table - STUDENT_INFO and TEACHER_INFO
STUDENT DB User is not allowed to view info of TEACHER_INFO and similarly TEACHER DB User is not allowed to view info of STUDENT_INFO.
I wanted to show this information through APEX rather than sqlplus. hence I need STUDENT User to login into the APEX and try to access UNIVERSITY.TEACHER_INFO and UNIVERSITY.STUDENT_INFO to show the difference. How can I add these users as APEX Users if I already have admin privileges to APEX.
First of, APEX users are not database users. Apex users are pseudo users that have schema grants by the Apex administration area.
I am assuming here that you are not trying to create an authentication scheme in Apex, totally different subject.
If you create a workspace in Apex that has access to all 3 schemas (which is no problem). You create a single admin (again pseudo apex user) with full control.
That admin can create other users inside the adminstration->users interface. There he can grant access to all, none or subset of the schemas. Define them as application users, developers (which you want, so they can log into apex) or admins (do not want)
I took this from the internet. Notice the accessible schemas field., There you define it.
As I understand, you want to get access to tables in SQL Workshop?
First you need to know, that oracle database users and oracle APEX users are different things. After creating APEX users you need to go to Administration and find there menu for managing workspaces. I have no APEX now besides account at apex.oracle.com (administration functions there restricted), and don't remember exact names of menus. You need to give that users access to workspace (if necessary), and after that define, which database SCHEMAs this workspace can use (it is also in workspace management section). It can use one SCHEMA by default and other SCHEMAs can be added later. After adding SHEMAs UNIVERSITY and STUDENT you will get access to their objects in SQL Workshop.
Link to documentation: https://docs.oracle.com/cd/B28359_01/appdev.111/b32258/adm_wrkspc.htm#BABDEBHA
My team has a service deployed internally, and part of this service is a list of client accounts stored in a sql table. SSRS is hosted on another server and we have integration jobs which [will eventually] pull these client accounts (along with additional info) from our 3 production environments to this SSRS database.
Also on this SSRS database, I’m creating a new table that will be a mapping of domain accounts and client accounts. I need this table so I can filter my report based on which client accounts the logged on user is allowed to see.
Pretty simple so far.
The next requirement of this is that I need to restrict access to the report itself. I understand I could normally use a security group to do this, but that would result in two separate locations to manage permissions for one resource and this is what I want to avoid.
The solution I’m looking into is to create a security extension to validate the logged in user against the database, allowing them access to the folder/report if they exist in the table. Once in, I can then use that same table again to filter their results.
What I’m not sure of is 1) if this is the best solution and 2) can I use a security extension for just MY portion of the site. There are many other users and reports on this site that I don’t deal with and don’t want to conflict with those.
Could you fill the DB table automatically from AD? Then you can use the standard windows security, but still only do the administration in Active Directory.
link text
You could set up an internal report parameter, called something like UserID, and set its default value to be the non-queried expression =User!UserID . (This user ID can be selected from the list of globals in the Edit Expression dialog.)
You could then add a cartesian/cross join to your users table in your query, with a selection condition based on your internal report parameter - eg. ...and UserTable.ID = #UserID . This would ensure that no records were returned if an unauthorised user was running the report.
Note that the User!UserID field will only return the user for interactively-run reports - in scheduled reports, this will be the account for the scheduling service.
Can't you restrict access to the report by using a security group (either in it's own folder or report level permissions). Use windows authentication in your datasource connection and filter you report retrieving your username using the sql function ORIGINAL_LOGIN?
I'm trying to set up security for my application for users. I am not sure about my logic. Is the following possible:
I want to create 1 login for 'all users' in Active Directory. Then I want an admin (in the program self) to choose which user is in which server role (e.g. marketing, sales, ...). Then I want to give those roles permissions to the tables in the database.
Some questions about this:
Is this safe? The admin of the program has to be db owner?
Is it possible to list the users by name, instead of the login 'All users', the admin has to be able to place a user in a role after it is created in Ad.
I use the function SUSER_NAME(), will this return the current user or the groupname 'All Users'
If this isn't the right way to make security, please send me in the right direction.
Thanx!
Part of the best solution already lies in your desire to use the Active Directory to authenticate your users. Let it authorise your users as well. Marketing isn't just a database role that specifies access to your tables. It's a department of your company with file shares, mailing lists as well as a role to play in your application. Get your domain admin to make an AD group called Marketing and let them add and remove people as appropriate. Likewise for the Sales department and other departments who touch your database.
When that is done, add the MYDOMAIN\Marketing group as a login on your server and as a user in your database. It will behave more or less like the roles you've described so you can still go ahead and create the roles, add that domain group to the role and grant to the role or grant to that user directly since it identifies a group of people. This also gives you the chance to reconsider your role definitions. Are they really about Marketing people and Sales people or are they CustomerEditor, CustomerViewer, ProfitAndLossViewer roles?
User and group management is a standard function of AD administration; let them do what they do best. It probably doesn't need to feature too strongly in your solution unless you get very poor service from the domain admins, in which case, why use your AD to manage your users?
This very small change will probably free up a lot of your dev time and release you from reinventing a user management facility that already exists and is easy to use.
Good luck!
here's what i would do:
create two roles on the database, one users, one admin. then create two security groups in ad, SQL.App.Admin, SQL.App.Users (replace app with whatever your app name is). I would then assign those groups to the roles in the database. after that you can drop users and/or security groups into those two groups.