Re: Conflicting AD groups



Josh,

Within SQL Server rights are additive. This means that the sum of rights granted to all groups (with rights to SQL Server) for a particular login are applied. This sums both GRANT and DENY, with DENY overriding any GRANTs for the same permission.

Here are articles:
http://sqlserverpedia.com/wiki/Object_&_Statement_Permissions
http://technet.microsoft.com/en-us/library/ms174927(SQL.90).aspx

And (off topic) an interesting follow-on about properties (as opposed to permissions) being assigned to groups.
http://blogs.msdn.com/lcris/archive/2008/08/22/sql-server-windows-groups-default-schemas-and-other-properties.aspx

RLF

"JRStern" <JRStern@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:414E90D7-22E1-41E0-BCB2-8886DF7D953F@xxxxxxxxxxxxxxxx
I'm not a security guy, don't know if this is a simple or complex question,
but it seems it would be common.

We're setting up a new environment where most SQL Server security will be by
the Active Directory group membership a Windows login has. If a login is in
several groups with different levels of privileges, how is this resolved?
Point to a KB article would be fine.

Thanks.


Josh


.



Relevant Pages

  • Validating an NT ID from SQL Server
    ... and need a way in SQL server to query NT to see ... The web site know their login id, ... >does a lookup in a table to get their rights. ...
    (microsoft.public.sqlserver.security)
  • Re: Validating an NT ID from SQL Server
    ... and need a way in SQL server to query NT to see ... The web site know their login id, ... >>does a lookup in a table to get their rights. ...
    (microsoft.public.sqlserver.security)
  • Re: Object browser or database dropdown in Query Analyzer freezes
    ... I expect it's a rights issue on the SQL Server itself. ... Each login is granted rights to the objects including the list of databases. ... Generally this prevents getting a connection so perhaps your login has rights to Views or SPs but not to the other objects. ...
    (microsoft.public.sqlserver.connect)
  • BUILTINAdministrators help
    ... 1.Remove the login BUILTIN\Administrators from SQL Server. ... 2.Assign a specified account or NT Group ... specified account with login rights. ...
    (microsoft.public.sqlserver.security)
  • Re: xcopy deployment to sql server DTS package in restricted envir
    ... Try using Run As with the DTS package. ... William Vaughn ... This posting is provided "AS IS" with no warranties, and confers no rights. ... Hitchhiker's Guide to Visual Studio and SQL Server ...
    (microsoft.public.dotnet.framework.adonet)