RE: Permissions

Hmmnn, given what can potentially be done using the sp_OA and/or xp_cmdshell sprocs, I'm not sure that's gonna fly.

Anyone have any other ideas?

P

-----Original Message-----
From: Davis Ralph
[mailto:mssqldba-ezmlmshield-x22480250.[Email address protected]
Sent: Friday, May 27, 2005 12:37 PM
To: LazyDBA Discussion
Subject: RE: Permissions


CREATE a role in master that has the exec perms needed (maybe more than one
role if security requires it). Then give the users permissions in master
only to public (default) and the role they need for the exec perms.

We have a role for xp_cmdshell and another one for sp_sendmail. Accounts
that are proven to require this functionality are put in the appropriate
role. They have no other privileges in master but these.

I don't know of any way to keep them out of master but still grant
appropriate exec access to system SPs or XPs.

Thanks,
Ralph W. Davis
*********************************************************
*** CORPORATE DBA group - Houston ***
*********************************************************

-----Original Message-----
From: Paul Schlieper
[mailto:mssqldba-ezmlmshield-x34557142.[Email address protected]
Sent: Friday, May 27, 2005 11:11 AM
To: LazyDBA Discussion
Subject: Permissions

Hi all,

I'm trying to have SQL Server write reports to a local drive (OK, ideally a
network drive, but this is not a showstopper).

These were all working fine using xp_cmdshell and BCP. Someone noticed that
this meant that certain users needed access to master, not to mention
xp_cmdshell, and had some security concerns. This resulted in my having to
re-do these reports without using xp_cmdshell.

So I tried sp_OA with FileSystemObject to create the files. A wrapper sproc
is calling 17 report sprocs, each of which calls the report-writing sproc,
which contains all the calls to sp_OA.

I have granted execute on the wrapper sproc to Public. But non-admin users
are getting the Execute permission denied error on the sp_OA sprocs, which
are also in master.

So, how can I do this without granting the users (or the reporting NT group)
access to master?

P



---------------------------------------------------------------------
TO REPLY TO EVERBODY , PLEASE CLICK REPLY-ALL, NOT JUST REPLY
Website : http://www.LazyDBA.com
To unsubscribe: http://www.lazydba.com/unsubscribe.html
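
The role-per-procedure setup Ralph describes, followed by a permission review that speaks to the concern raised in the reply, as an added T-SQL example that is not part of the original thread. The role name `xp_cmdshell_exec` and the login `CORP\ReportWriters` are hypothetical, and the script assumes the classic `sp_addrole`, `sp_grantdbaccess`, `sp_addrolemember`, `sp_helprolemember` and `sp_helprotect` system procedures.

```sql
-- Added example: the role, login and user names are hypothetical placeholders.
USE master
GO

-- 1. One role per sensitive procedure, so membership maps to one capability.
EXEC sp_addrole 'xp_cmdshell_exec'
GO

-- 2. The role receives EXECUTE on that single procedure and nothing else.
GRANT EXECUTE ON xp_cmdshell TO xp_cmdshell_exec
GO

-- 3. Map the login into master. A newly mapped user belongs to public only.
EXEC sp_grantdbaccess 'CORP\ReportWriters', 'ReportWriters'
GO

-- 4. Add the account to the role once the need has been shown.
EXEC sp_addrolemember 'xp_cmdshell_exec', 'ReportWriters'
GO

-- 5. Review: list the role's members and every grant on the procedure.
EXEC sp_helprolemember 'xp_cmdshell_exec'
GO
EXEC sp_helprotect 'xp_cmdshell'
GO

-- 6. Check that public has no explicit grant on the procedures discussed in
--    the thread. sp_helprotect raises an error when there are no matching
--    rows, which here means no explicit grant to public exists.
EXEC sp_helprotect 'xp_cmdshell', 'public'
GO
EXEC sp_helprotect 'sp_OACreate', 'public'
GO
```

Role members can still run any operating system command that `xp_cmdshell` will accept, under the account configured for non-sysadmin callers, so that account's own privileges set the real limit of the grant.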
