Re: Database Security
From: Andy Jordan (jordanac@telkom.co.za)
Date: 05/10/02
- Next message: Andrew J. Kelly: "Re: Data Transformation Services"
- Previous message: Mark: "Data Transformation Services"
- In reply to: Sue Hoegemeier: "Re: Database Security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Andy Jordan" <jordanac@telkom.co.za> Date: Fri, 10 May 2002 01:42:16 -0700
Thanks Sue ,
I have searched extensively for a solution for this type
of set-up and I have gone the route of giving the db owners
the rights to execute jobs with the proxy account.
It would be very nice to have a login account of a super
user at database level and not server. I'll add it to my
wish list.
>-----Original Message-----
>A general response - an owner of a job can run a job that
>they own without being a sysadmin. Non-sysadmins can view
>and run their jobs only.
>When a non-sysadmin executes a job, it will execute under
>the security context of the Proxy Account. You don't have
to
>allow CmdExec and ActiveX jobs to be run non-sysadmin
>accounts, it's a property of SQL Agent so that can be
>restricted. I'm not sure if CmdExec or ActiveX script
steps
>are required in the jobs or not but it's just something to
>consider.
>If it becomes very complicated and difficult to maintain
>security with different owners and the access they need,
you
>may want to consider using multiple instances. This
feature
>was added to address some of these types of issues.
>
>-Sue
>
>On Sun, 5 May 2002 23:45:54 -0700, "Andy Jordan"
><jordanac@telkom.co.za> wrote:
>
>>Greetings from South Africa,
>>
>>Background
>>This is about the third time that I have posted this
>>question, so here goes again. I have a server with
windows
>>2000 server as the OS with SQL server 2000 Enterprise
>>edition. Fire-walled and intranet based. Using mixed
mode
>>for logins.
>> I have just moved over from Access development to SQL
>>server development so keep your replies detailed.
>>I have 12 databases that require a lot of manual
>>intervention when it comes to jobs. (FYI , pulling data
>>from 30 legacy systems) These often fail and the owner
of
>>the database must take action. The 12 databases have 8
>>owners and each owner’s data it confidential.
>>
>>Problem
>>I want to give each owner the rights to create and run
>>jobs for THEIR databases and not give them sysadmin
>>logins. Sysadmin logins give Server rights. This will be
a
>>security breach as I have already stated.
>>If I create a proxy account on SQL Server Agent to
allow
>>non sysadmin to run jobs I believe that this again opens
>>the server to abuse with CmdExec.
>>
>>Question
>>How can I provide each owner with rights to their
database
>>to schedule and run jobs without opening my server to
>>abuse.
>>
>>
>
>.
>
- Next message: Andrew J. Kelly: "Re: Data Transformation Services"
- Previous message: Mark: "Data Transformation Services"
- In reply to: Sue Hoegemeier: "Re: Database Security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
