When granting logins or users access to a SQL Server instance or database, it is important that the principle of least privilege (PoLP) is followed. This means that to grant some privileges to a user, the user must be created first. This helps to ensure that only authorized users are able to perform certain actions, which is important for the security and integrity of our data. In practice I find that many sysadmins rarely follow this practice, often because of two reasons. First, the practice of setting a variety of permissions is cumbersome and the tendency to take the easiest (or laziest) path is common. You should have privilege to create a new database through this MySQL Database panel even though you don’t have privilege to create a new database through phpMyAdmin. Create a new database with your preferred name (I am going to use the name ‘newDB’ for easy reference). The second problem is that the permission sets and necessary permissions for various actions are often poorly understood by most people. Log in to your cPanel and click on ‘MySQL Databases’. This leads towards the common "grant nothing" or "grant everything" approaches. Indeed, the "sa" account (or another sysadmin-privileged login) is often used in applications because this avoids any permission errors. The master user is assigned to the masterdba group and assigned the masteruserrole. Likewise, db_datareader and db_datawriter are often granted to every user to avoid setting more granular permissions and following the PoLP.

In an attempt to reverse this trend, I am providing a series of articles on SQL Server permissions that help sysadmins create and use roles that contain granular levels of permissions for certain jobs. This particular article examines the permissions needed for the DROP DATABASE command. This is a command that many developers may need to use on their development instances, and it does not require sysadmin privileges.