Apologies in advance for the long post, I am trying to be as clear as possible. Is there a way to disable a user / Windows AD group accessing a database via SQL Server Management Studio (SSMS)?
I have an desktop application that uses a SQL Server 2005 database. The application runs as the user logged onto the machine (unfortunately we can't change that otherwise this would be simple). The database is permissioned with groups (but it would apply to users as well) to give access to the appropriate schemas and objects that the user requires. The users have (and need) the ability to select, insert, update and delete data to complete their process.
The application carries out a series of validation and auditing steps on the user input to ensure they are entering decent data (and for some additional business processing). A user could open SSMS and make these changes through the query editor avoiding the application completely which is what we are trying to avoid. What I am looking for is a way to stop the users updating the database through any tool other than the application provided.
I have found a couple of similar posts (including How to disable SQL Server Management Studio for a user) but these don't quite cover this issue as they work on restricting user access or using different logins.
The only solution I can think of at the moment is to have a set of tables where the user data goes initially and then another process picks this up, runs the application processes on and then puts the data into the master / source tables. Then I could restrict user access to the master tables.
This appears to be a good scenario for an application role.
Related
I'm making an Access database which will be used by multiple people, but I want to make it so that only certain people can edit,add,delete certain tables or fields so data isn't accidentally changed wrongly, and so the data is read-only to the people who don't have permission to edit. Is there any way to do this? Could I even just have access to certain tables or forms password protected?
Access used to have its own security model using an MDW file, but that went away sometime ago. So the short answer is "no". If you are able to introduce SQL Server into the equation, you could store the tables in SQL (or the free version SQL Express). SQL Server offers the security model you need, and you would then link the tables from SQL Server (ODBC) to Access. In this model, SQL Server is managing your data, and Access is your "front end". Once linked, access forms, reports, etc. really don't distinguish between local or attached tables, so all of your same Access skills apply. You can export the tables from Access to SQL using the export feature within Access, and choose ODBC. I'm not sure if you're comfortable doing this, but it's really not all that difficult.
If you do use SQL Server (or Express) you would configure the users and permissions on the tables themselves, using SQL Sever Management Studio. If a user that did not have update permissions, for example, tried to update a row from an Access form, Access would fire the statement at SQL Server which would return a permission error. You could also use SQL Security to implement Windows Authentication, and assign permission to network users. When the statements were fired at SQL Server, they would be authorized based on the users login (when they logged into the network). There would be no need for them to login again.
If you decide to go this way, let me know and I can guide you through it.
Microsoft recommends using Windows authentication when connecting a Windows application to an SQL server database.
http://msdn.microsoft.com/en-us/library/89211k9b.aspx
I understand this to mean that the database must have a user with enough permissions to manipulate data and that user links to the currently logged in Windows user. If this is true, how do I prevent the user from bypassing the application and simply modifying data directly in the database?
It seems like I am stuck between using Windows Authentication and potentially allowing users to modify data directly in the database, or attempting to hide the connection string password somewhere so only the app can modify this data.
If you're that concerned about it, you can implement a logon trigger on the server that for certain people (e.g. members of a certain Windows group), they can't log in unless the application name has a certain value. Note that this is weak security since it's pretty easy to set the application name (even in SSMS). It can/will slow down the logon process, though. So keep that in mind if that's a concern for you.
Alternatively, you can have your application authenticate to and interact with an application server, after which the application server connects to and interacts with the database. The application server can run as a service account, to which you'd grant the permissions you need. This way, the end users' accounts aren't in the database to do raw DML against the db.
But I agree with the other answer here: stored procedures are the classic answer to this question.
It is possible to create stored procedures / views etc and only allow the user permission on those. This prevents the user from accessing the database structure directly, and you maintain control over what the user can do (via creating the functionality in the stored procedures / views). If using windows credentials, I think that this would be the best solution.
This site explains how to grant there permission on stored procedures.
http://msdn.microsoft.com/en-us/library/ms345484.aspx
Here is the list of options, for posterity:
Windows authentication only
Pros: simple, No secret to hide.
Cons: user can easily modify data bypassing your app
Password in connection string
Pros: simple, prevents user meddling in your db's.
Cons: have to hide a password yourself, which is always the worst option.
Sprocs access
Create sprocs to access your data, grant access only to those sprocs. No one but the dbo can alter tables.
Pros: Tightest control over what both the user and the application can do to the data
Cons: Higher coupling of database and application; more expensive than the first 2 options.
Proxy
Create a second executable, whether a web or a windows service, with which your GUI application communicates. The 2nd executable can run with different, securely hidden credentials (IIS, Windows Services).
Pros: Decoupled database and executable, securely hidden secrets.
Cons: By far the most expensive solution.
I'm writing an inventory/payroll system, and I'm storing all the records on a remote server running SQL Server 2005 on Windows Server 2008 R2. I was wondering how I could start writing forms(very basic) in MS-ACCESS 2010 to upload things to the database. I just want to test it out to make sure that once I implement the entire database, things will work smoothly and without error. I want to figure out how to just make a single form that will be connected to the database, right now the form will just be a simple single text input with a submit button, that will be uploading barcodes(strings not images).
If I need to clarify anything, please just ask.
Thanks in advance for any help
Microsoft has tons of useful "Getting Started" articles.
This one explains how to connect to SQL Server: http://office.microsoft.com/en-us/access-help/import-or-link-access-to-sql-server-data-HA010341762.aspx
This one covers all sorts of forms: http://office.microsoft.com/en-us/access-help/CH010369205.aspx
Go there, you will find a lot that can help you with whatever you are going to do.
Make sure you have the SQL Client driver installed on the workstation where you'll be using MS Access. You can download it here (look for sqlcnli).
The simplest way to get started is to build an ODBC DSN. Access can then link to your SQL Server tables using that DSN. How to Create a DSN
In Access, Go to the "External Data" option and choose ODBC. Locate your DSN and then select which tables you want Access to be linked to.
After your linked tables are showing up in the tables list, click on one of the tables, go to the Create tab (2007, not sure about 2010) and choose Form. This should automatically create a form for you using the table you had selected when you clicked the Form button. There's no need to write code or add buttons to this form. The default form can do all CRUD operations as long as permissions for all CRUD have been granted to the username you used when you created your DSN.
Some developers prefer to use ADO (code only, no linked tables or form wizards) or Pass Through Queries to access SQL Server from Access. I can't really tell you what you should be using because it depends on so many different factors including (but not limited to) size of project, amount of records, skill level, personal preferences, etc.
i am in a multi-user environment
i am using access as a front end connecting to sql server database. i am allowing users to edit only one table in sql server.
i dont want to continue using access to edit a sql-server table.
can someone recommend another tool to do this?
The Access 2007 runtime and the Access 2010 runtime is free for the download from Microsofts website. Of course you'd want to purchase Access licenses for power users who want to create their own queries usually for export to Excel.
Either Access or Excel are almost certainly the simplest solutions available that meet your requirements, when you consider both the simplicity of the user interface itself and the simplicity of implementing, deploying, and maintaining the solution for the users. Creating even a simple web page isn't nearly so simple – you'll need to setup a web server, configure user security, develop the web page, etc.
Use SSMS -- Sql Server Management Studio.
Update
Found a near duplicate #SU: Less daunting front end for SQL Server
Update 2
Try to use Microsoft ASP.NET Dynamic Data. And a tutorial on YouTube, of course.
Sounds like you need to give CRUD access to a table in a SQL Server database.
Suggest making a simple page - use ASP.NET Dynamic Data. Watch this video to get started with ASP.NET Dynamic Data.
Failing that, provision the user with Microsoft Access.
setup a new user in SQL Server, and give it permissions on that table only.
setup Access to read, update, create and delete that table. Use the credentials of the user in the bullet above. This will ensure they can't mess anything else up.
Only bring that table into the user's view.
If you pull down a copy of visual studio express you could build a single screen application that allows editing a table with just drag and drop from the server explorer. No coding needed unless you're looking to add some more advanced logic.
Alternatively you could just use Access to also build a one screen front end - with that as the start up form to your Access DB your users wouldn't even know they're in Access.
Edit:
Assuming you're in a windows domain - put all your users in to a security group and then grant this group access to the SQL Server. Only grant the group permissions on the specific objects that they need to edit.
Create a blank Access DB.
Link your SQL Server table in to the Access DB - e.g. in 2007 the option is in the External Data ribbon > more... > ODBC database.
Once you have the table linked create a form to edit the data by doing Create > more > Form Wizard.
This allows you to pick the exact columns you want them to edit, pick a layout etc.
From here the options are really only limited by how much effort you want to put in but it's a good start in contrast to direct table access.
I believe it's still in Beta but you might want to also take a look at WebMatrix.
What's a good way to manage and maintain SQL Server logins, server roles, and individual access rights across multiple databases that exist in multiple environments? What are your best practices?
Some info about my situation:
SQL Server 2005
We have N amount of "client" databases with identical schemas (in theory, at least)
We have a central "admin" database that references each client database and can hold configuration values
This "admin/client" pattern is duplicated across multiple environments (dev/qa/stage/prod)
Some users, like testers, need different rights based on evironment
We frequently have to pull client db backups from one environment to restore on another for development or testing purposes
We keep our stored procedures and scripts in source control and deploy in a build cycle
Right now my organization is chaotic and we don't follow good security practices. We have no formal DBA. However, if we got any more complex it would be a constant hassle to maintain it all the time. I could see migrating to a new server or recovering from disaster being extremely time consuming if we where to attempt configuring it directly through the management studio IDE.
First, to make restoring a database to a different server easier, make sure that your logins all have the same SID on all of your servers by using the sp_help_revlogin stored procedure from Microsoft to script the login on the first server you create it on and then use the script to create the login on your other servers. This keeps the database user mapped to the login correctly when you restore the database.
Having different permissions at the database level depending on the environment is going to be a hassle to a point no matter how you role this out. I have a stored procedure in master that gets called on my Dev Server as a part of my restore process that performs the additional GRANT's on the database to give the developers access to make changes. That's the best I have been able to come up with to solve similar problems.
A way to make the rights easier would be to create rolls in the database called Dev, QA, Test, Prod and grant the correct rights to those roles. Then as you restore the databases to each environment just drop the developers in the correct role.
We use active directory groups and enforce windows authenticated logins. From within SQL Server we can then define access based on the AD group the user is in by creating a single SQL Server login per AD group. Not sure if this is any better or worse than DB roles, but it means the roles are managed outside each database.
Propagating access to databases is then either a manual operation or a short SQL script to ensure the logins in the database point to a valid SQL Server login (which in turn is an AD group).
Generally this works well for the general case. We can use DB roles then to assign the builtin roles (e.g, db_datareader) to each AD group
Rarely someone needs some specific access to a database outside this model. We either end up opening it up to the group as a whole if it's not going to be invasive or critical or we'll end up creating a per-user account that has to be managed separately. We endevour to keep these to an absolute minimum, and clean them up every now and then so they're not abused/forgotten about.