(6.5) Why do logins remain in Public group? 
Author Message
 (6.5) Why do logins remain in Public group?

Running SQL Server 6.5.

Encountering perms problem with logins added to
groups other than public.

Public group has full rights to all objects in
designated db (appears to be by design from
vendor's app).  Only login ids appearing as
members of Public, are "dbo," "default" (created
by vendor's app at install), and "guest."
Only "default" has access rights to designated db.

Other groups are MORE restricted than Public.
All real users have logins that are members of
these restrictive groups.  Each login has no
permissions defined, they inherit whatever perms
are set for their group.  Yet, when I view
the "Object Permissions" for each user, it shows
that they are a member of Public _AND_ their
security group.

The problem is, the users are not being
restricted anywhere; it's as if they are
inheriting Public's perms, rather than the perms
of their more restrictive groups - thus having
access to all data.  I thought user/group rights
were enforced based on the MOST restrictive not
LEAST restrictive perms in the SQL Server
security model.

Do I need to change the perms on Public?  If the
vendor's app requires this to enable a trusted
connection, how can I remove these users from
public, when they don't show-up under the Public
group?

I've searched MSKB, TechNet and this board for
info.  I've run sp_changegroup in ISQL/w - no
effect.  Anyone have insight, leads, answers...?

DBA nearly DOA!

Sent via Deja.com http://www.***.com/
Before you buy.



Tue, 23 Apr 2002 03:00:00 GMT
 (6.5) Why do logins remain in Public group?

Sounds like you are using the enterprise manager,
time to venture into new territory.

Permitions are defined in each database in the sysprotects table.
They link to a id in the sysusers table (a recursive table -users and groups
are in this table)

In master there is a table syslogins in which  a id links to the sysusers
for each database.

Study the sp_XXX that have to do with permitions - even look at the code
behind them
(in master)

With a bit of time you can write some scripts to transfer permintions from
one group to another
( by generating the required Grant statements - avoid directly editing the
system tables, some times
it is required)

Kevan Rurak



Tue, 23 Apr 2002 03:00:00 GMT
 
 [ 2 post ] 

 Relevant Pages 

1. Restore SQL 6.5 Logins and User/Group

2. Why not combine this group with microsoft.public.fox.programmer.exchange

3. SELECT query in Access97 to SQL 6.5 returning wrong records - why Why WHY

4. SELECT query in Access97 to SQL 6.5 returning wrong records - why Why WHY

5. Remapping/Copying SQL Logins from NT Local Groups to Domain Global Groups

6. Alter Table in SQL Server 6.5 (One Step Remaining)

7. Alter Table in SQL Server 6.5 (One Step Remaining)

8. why timestamp columns remain in restored published db??

9. Killing Multiple Logins in stored proc SQL 6.5

10. SQL SERVER 6.5 logins

11. Problems with upgrading sql server 6.5 with integrated logins

12. SQL 6.5 Logins


 
Powered by phpBB® Forum Software