Wednesday, March 21, 2012

Permissions not enforced

I have a pc set up with a System DSN to access my Sql Server. It is set up t
o
use NT Authentication according to the Login Name.
I have discovered that the User has full permissions to Select, Insert,
Update and delete records in any table. In Enterprise Manager this User is
configured to have just Select permissions on a few tables. Some of my table
s
are set up with Update and Delete permissions revoked for all Users and
Roles. So it appears to me that the DSN is not using NT Authentication and
that the User is being authenticated with sa permissions.
Where am I going wrong?You can query master..sysprocesses to see how the user is
connecting, what login is used. If the user is connecting
using Windows authentication then the user is likely
inheriting permissions through membership in a group.
-Sue
On Tue, 28 Jun 2005 01:30:02 -0700, Hoof Hearted
<HoofHearted@.discussions.microsoft.com> wrote:

>I have a pc set up with a System DSN to access my Sql Server. It is set up
to
>use NT Authentication according to the Login Name.
>I have discovered that the User has full permissions to Select, Insert,
>Update and delete records in any table. In Enterprise Manager this User is
>configured to have just Select permissions on a few tables. Some of my tabl
es
>are set up with Update and Delete permissions revoked for all Users and
>Roles. So it appears to me that the DSN is not using NT Authentication and
>that the User is being authenticated with sa permissions.
>Where am I going wrong?|||Yes it turns out the account I was testing it with, is a member of the NT
administrators group. But I had explicity denied him certain permissions
within the database. So I am surprised that his membership of the
Administrators group overrides this.|||By default, the builtin\administrators group is added to SQL
Server as sysadmins. Members of sysadmins can do whatever
and bypass any denies.
-Sue
On Tue, 28 Jun 2005 13:42:02 -0700, Hoof Hearted
<HoofHearted@.discussions.microsoft.com> wrote:

>Yes it turns out the account I was testing it with, is a member of the NT
>administrators group. But I had explicity denied him certain permissions
>within the database. So I am surprised that his membership of the
>Administrators group overrides this.
Posted by at
Labels: , , , , , , , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)