Active Directory and Integrated security
From: Paul Schlieper (Paul.Schlieper_at_communication.gc.ca)
Date: 05/21/03
Date: Wed, 21 May 2003 09:46:22 -0700
Hi,
Newbie, as far as Windows Authentication and AD go.
Here's what I would like to do. If it is a) feasible, and
b) makes sense, then can you point me at a How To?
Here we go:
We have 3 classes of users (Agent, Sup, Admin).
Users, independent of class, need access to 1 or more DBs,
but only the DBs that are specified for their project.
So, we would have NT groups like DB1_Agents, DB1_Sups,
DB2_Agents, DB2_Sups, etc...
Then, I suppose, for ease of management, I would have
other NT groups called Server_Agents, Server_Sups, etc...
so when DB2's project closes, I just remove the DB2 groups
from the Server_xxx groups (more to the point, the network
team does this, and the DBA never needs to get involved).
Question 1: Is it possible to register the DBs in Active
Directory, and assign the users (in groups) to the DBs in
AD? i.e., DB1_xxx groups have AD permissions to the DB1 AD
object (and since they don't have permission to DB2, they
could never see or retrieve from DB2).
Question 2: Will SUSER_SNAME() return the name of the
user, no matter how many intervening groups he/she is a
member of?
If I have not been clear, please let me know. I really
don't want to manage users/logins/passwords anymore.
Thanks,
Paul