Apologies for not knowing much around this subject, we currently run sql
server 2000 for a database and have each user marked up on the database.
We are moving to use a windows security group, so taking the
management slightly away from the database server.
What I would like to know is, will this effect functions such as
suser_sname() by returning the group name instead of user id? I would
assume not but it's worth checking!
Also, I'm guessing if a user is marked on the database as their own id
and as part of a security group, then all permissions are thrown in with
deny taking preference? How does this work with a database owner who is
also part of a security group that has limiting functionality?
Thanks for your help,
ChrisSUSER_SNAME() or SYSTEM_USER will return a user's individual Windows
account name, even if server access has been granted via group
membership. You can use IS_MEMBER() to check membership of a Windows
group if necessary.
Permissions work more or less like most other Windows permissions -
they are cumulative, but DENY overrides everything else. Check out
"Managing Security" in Books Online, and this white paper:
http://www.microsoft.com/technet/pr...n/sp3sec00.mspx
Simon
No comments:
Post a Comment