--
Message posted via http://www.sqlmonster.com
I think the best solution is to leverage both AD and SQL Server role-based
security. This reduces the ongoing security administration effort. The
approach I usually use:
One-time setup tasks:
- Create database roles (e.g. SalesManagers)
- Grant object permissions to database roles (e.g. GRANT EXECUTE ON
dbo.uspGetSalesQuota TO SalesManagers)
- Create AD groups based on organizational roles (e.g.
MyDomain\SalesManagers)
- Create SQL Server logins for the AD groups (e.g. CREATE LOGIN
[MyDomain\SalesManagers] FROM WINDOWS)
- Create database users for the AD groups (e.g. CREATE USER
[MyDomain\SalesManagers])
- Add database users to the roles (e.g. EXEC sp_addrolemember
'SalesManagers', 'MyDomain\SalesManagers')
Going forward, your Network Admin can then control security via AD group
membership. You can also accomplish this without the SQL roles (i.e. grant
permissions directly to AD groups) but that requires that you have a
different object permission script for each environment (dev, QA,
production, etc.). I've found it easier to use the same database object
security for all database instances, with the only environmental difference
being logins, users and role membership.
--
Hope this helps.
Dan Guzman
SQL Server MVP
http://weblogs.sqlteam.com/dang/
"Hoardling1 via SQLMonster.com" <u43783@uwe> wrote in message
news:ad2aa9732d5a8@uwe...
Thank You.
Dan Guzman wrote:
>> Which is better in use. Setting up Active Directory groups and using it
>> to
>[quoted text clipped - 6 lines]
>> Directory security, while I want more in SQL Server, so we are at a
>> difference. I am trying to find out the pros and cons of each.
>
>I think the best solution is to leverage both AD and SQL Server role-based
>security. This reduces the ongoing security administration effort. The
>approach I usually use:
>
>One-time setup tasks:
>
>- Create database roles (e.g. SalesManagers)
>
>- Grant object permissions to database roles (e.g. GRANT EXECUTE ON
>dbo.uspGetSalesQuota TO SalesManagers)
>
>- Create AD groups based on organizational roles (e.g.
>MyDomain\SalesManagers)
>
>- Create SQL Server logins for the AD groups (e.g. CREATE LOGIN
>[MyDomain\SalesManagers] FROM WINDOWS)
>
>- Create database users for the AD groups (e.g. CREATE USER
>[MyDomain\SalesManagers])
>
>- Add database users to the roles (e.g. EXEC sp_addrolemember
>'SalesManagers', 'MyDomain\SalesManagers')
>
>Going forward, your Network Admin can then control security via AD group
>membership. You can also accomplish this without the SQL roles (i.e. grant
>permissions directly to AD groups) but that requires that you have a
>different object permission script for each environment (dev, QA,
>production, etc.). I've found it easier to use the same database object
>security for all database instances, with the only environmental difference
>being logins, users and role membership.
>
>> Which is better in use. Setting up Active Directory groups and using it
>> to
>[quoted text clipped - 7 lines]