Re: Conflicting AD groups
- From: "Rick Byham, \(MSFT\)" <rickbyh@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 4 May 2009 09:51:11 -0700
Permissions are aggregates. So if a Windows User1 is a member of GroupA and GroupB and SQL Server creates a login for both GroupA and GroupB, User1 will be able to connect and will have the permissions of both. There will be some unpredictability. If GroupA has a default database of Northwind and GroupB has a default database of AdventureWorks, then who knows what the default database of User1 will be. (I just tested with local groups and it was Northwind. Probably because it's listed first in the permissions list, but I wouldn't bet on it.)
And as always, DENYs override the aggregated GRANTs. So if GroupA has permission on object XYZ and GroupB is denied permission on object XYZ, then User1 will be denied.
--
Rick Byham (MSFT), SQL Server Books Online
This posting is provided "AS IS" with no warranties, and confers no rights.
"JRStern" <JRStern@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:414E90D7-22E1-41E0-BCB2-8886DF7D953F@xxxxxxxxxxxxxxxx
I'm not a security guy, don't know if this is a simple or complex question,
but it seems it would be common.
We're setting up a new environment where most SQL Server security will be by
the Active Directory group membership a Windows login has. If a login is in
several groups with different levels of privileges, how is this resolved?
Point to a KB article would be fine.
Thanks.
Josh
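The aggregation and DENY-override behaviour described in the reply can be reproduced and audited with the T-SQL below. This is an added example, not part of the original thread: the `PermDemo` database is a hypothetical scratch database, and database roles named GroupA and GroupB with a login-less User1 are constructed stand-ins for the AD groups and the Windows account.

```sql
-- Constructed demo: database roles stand in for the two AD groups, and
-- User1 is a login-less database user standing in for the Windows account.
CREATE DATABASE PermDemo;   -- hypothetical scratch database
GO
USE PermDemo;
GO
CREATE TABLE dbo.XYZ (id int NOT NULL);
CREATE USER User1 WITHOUT LOGIN;
CREATE ROLE GroupA;
CREATE ROLE GroupB;
EXEC sp_addrolemember 'GroupA', 'User1';
EXEC sp_addrolemember 'GroupB', 'User1';
GO

-- Aggregation: each group contributes a different permission.
GRANT SELECT ON dbo.XYZ TO GroupA;
GRANT INSERT ON dbo.XYZ TO GroupB;
GO
EXECUTE AS USER = 'User1';
SELECT HAS_PERMS_BY_NAME('dbo.XYZ', 'OBJECT', 'SELECT') AS can_select,
       HAS_PERMS_BY_NAME('dbo.XYZ', 'OBJECT', 'INSERT') AS can_insert;
REVERT;
GO

-- DENY through one group overrides the GRANT held through the other.
DENY SELECT ON dbo.XYZ TO GroupB;
GO
EXECUTE AS USER = 'User1';
SELECT HAS_PERMS_BY_NAME('dbo.XYZ', 'OBJECT', 'SELECT') AS can_select_after_deny;
REVERT;
GO

-- Audit: every explicit object-level DENY in this database and who carries it.
SELECT pr.name AS principal_name, pr.type_desc, pe.permission_name,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.state = 'D' AND pe.class = 1;

-- Audit: Windows group logins and their default databases (server level).
SELECT name, default_database_name
FROM sys.server_principals
WHERE type = 'G'
ORDER BY name;
```

On a server with real Windows group logins, `xp_logininfo` with the `'all'` option lists the group logins through which a given Windows account gains access, which shows which default databases and DENYs can apply to it.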