Re: Database Security
From: news@news.com
Date: 02/19/03
- Next message: Atif Chowhan: "login fail !!!!!"
- Previous message: news@news.com: "Re: Read only Permission and possibility to make views"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: <news@news.com> Date: Tue, 18 Feb 2003 20:50:58 -0800
Sue, do you get a check from microsoft for that suggestion?
The real problem here is with job security - use a real scheduler - in fact,
windows task scheduler will give you better granularity of control than
agent- but task scheduler pretty much stinks too. - Most third party
scheduling packages have better production control ability than sql agent or
task scheduler.
"Sue Hoegemeier" <Sue_H@nomail.please> wrote in message
news:hanfdu49vgucl305ppiu86qbp97vcb38s3@4ax.com...
> A general response - an owner of a job can run a job that
> they own without being a sysadmin. Non-sysadmins can view
> and run their jobs only.
> When a non-sysadmin executes a job, it will execute under
> the security context of the Proxy Account. You don't have to
> allow CmdExec and ActiveX jobs to be run non-sysadmin
> accounts, it's a property of SQL Agent so that can be
> restricted. I'm not sure if CmdExec or ActiveX script steps
> are required in the jobs or not but it's just something to
> consider.
> If it becomes very complicated and difficult to maintain
> security with different owners and the access they need, you
> may want to consider using multiple instances. This feature
> was added to address some of these types of issues.
>
> -Sue
>
> On Sun, 5 May 2002 23:45:54 -0700, "Andy Jordan"
> <jordanac@telkom.co.za> wrote:
>
> >Greetings from South Africa,
> >
> >Background
> >This is about the third time that I have posted this
> >question, so here goes again. I have a server with windows
> >2000 server as the OS with SQL server 2000 Enterprise
> >edition. Fire-walled and intranet based. Using mixed mode
> >for logins.
> > I have just moved over from Access development to SQL
> >server development so keep your replies detailed.
> >I have 12 databases that require a lot of manual
> >intervention when it comes to jobs. (FYI , pulling data
> >from 30 legacy systems) These often fail and the owner of
> >the database must take action. The 12 databases have 8
> >owners and each owner’s data it confidential.
> >
> >Problem
> >I want to give each owner the rights to create and run
> >jobs for THEIR databases and not give them sysadmin
> >logins. Sysadmin logins give Server rights. This will be a
> >security breach as I have already stated.
> >If I create a proxy account on SQL Server Agent to allow
> >non sysadmin to run jobs I believe that this again opens
> >the server to abuse with CmdExec.
> >
> >Question
> >How can I provide each owner with rights to their database
> >to schedule and run jobs without opening my server to
> >abuse.
> >
> >
>
- Next message: Atif Chowhan: "login fail !!!!!"
- Previous message: news@news.com: "Re: Read only Permission and possibility to make views"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
