Column permissions

Vik - 30 Oct 2006 13:37 GMT
1. I denied some user the select permissions on some columns in a table.
However, this user is able to see these columns through the views (SQL
Server 2000). Is there a way to automatically deny the permissions on the
same columns in all the views, or is it necessary to set the permissions in
every view?

2. If a column is unchecked in the permissions window, is this the same as
permission granted?

3. I've read somewhere that users should not have access to the tables, only
have access to the views. What is a reason for this recommendation?

Thanks.

Eric Johnson - 30 Oct 2006 18:08 GMT
1) Because of ownership chaining, if the user can read the column in
the view, they can read the column in the table, despite the
permissions being denied.

2) If the column is unchecked, that is permission revoked; if it is
checked, that is permission granted; and the red X is denied.

3) This recommendation is based on a few things. First, the problem you
are seeing is remedied by using only views. You don't have to manage
certain permissions twice if everything is in views. Additionally, this
creates an abstraction layer, where the table can be changed and as
long as you update the view, the user never knows about the change.
This also applies to applications. Additionally, direct table access
opens up holes that a DBA may forget to plug. For instance, adding a
new "confidential" column and not denying permission on it. If you
are using views, (not views that just select * from a table), then the
new column will not be available until you explicitly make it so.

Eric Johnson
Consortio Services

> 1. I denied some user the select permissions on some columns in a table.
> However, this user is able to see these columns through the views (SQL
[quoted text clipped - 9 lines]
>
> Thanks.
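
The behavior described in answers 1) and 3), as an added example that is not part of the thread: a column-level DENY on a table is not checked when the column is read through a view with the same owner, and a view with an explicit column list keeps the column out of reach. All object and user names are constructed, and `CREATE USER ... WITHOUT LOGIN` and `EXECUTE AS` assume SQL Server 2005 or later rather than the SQL Server 2000 instance in the question.

```sql
-- Added example with constructed names (dbo.Employees, dbo.v_EmployeesAll,
-- dbo.v_EmployeesPublic, report_user). Run it in a scratch database.
CREATE TABLE dbo.Employees (
    EmployeeID int          NOT NULL PRIMARY KEY,
    FullName   nvarchar(50) NOT NULL,
    Salary     money        NOT NULL   -- the "confidential" column
);
INSERT INTO dbo.Employees (EmployeeID, FullName, Salary)
VALUES (1, N'Sample Person', 50000);
GO
-- View exposing every column; same owner (dbo) as the table,
-- so the ownership chain from view to table is unbroken.
CREATE VIEW dbo.v_EmployeesAll AS
    SELECT EmployeeID, FullName, Salary FROM dbo.Employees;
GO
-- View with an explicit column list that leaves Salary out.
CREATE VIEW dbo.v_EmployeesPublic AS
    SELECT EmployeeID, FullName FROM dbo.Employees;
GO
CREATE USER report_user WITHOUT LOGIN;
GRANT SELECT ON dbo.Employees          TO report_user;
DENY  SELECT ON dbo.Employees (Salary) TO report_user;
GRANT SELECT ON dbo.v_EmployeesAll     TO report_user;
GO
EXECUTE AS USER = 'report_user';   -- stays in effect across batches until REVERT
GO
-- Direct table access: the column-level DENY is enforced, so this fails.
SELECT Salary FROM dbo.Employees;
GO
-- Through the view: only permissions on the view are checked, so this
-- returns Salary even though the column is denied on the table.
SELECT Salary FROM dbo.v_EmployeesAll;
GO
REVERT;
GO
-- Mitigation: grant only the view that omits the column.
REVOKE SELECT ON dbo.v_EmployeesAll    FROM report_user;
GRANT  SELECT ON dbo.v_EmployeesPublic TO   report_user;
GO
EXECUTE AS USER = 'report_user';
GO
SELECT EmployeeID, FullName FROM dbo.v_EmployeesPublic;  -- works
GO
SELECT Salary FROM dbo.v_EmployeesPublic;  -- fails: the view has no such column
GO
REVERT;
GO
```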