elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2012-10-24 : 09:50:36
I'm in the midst of a rather bizarre situation and would appreciate any (sensible) advice on how to improve it.

First a little background. We have one table containing information about most if not all the groups in the organisation. The plan is to use SSRS to report this information (along with other information in the database). Now here is the important bit. For this particular table each group insists that none of the other groups can see "their" data. To make matters worse there are around 40 groups, and to make it even worse only about 120 records in the table at the moment!!!, though that will slowly increase in time.

I can't think of any sensible way of handling this; all I have come up with so far is to create an AD group for each organisational group and have one view with a corresponding report for each group. Short of locking these people in a room until there is only one left, does anyone have any suggestions?

thanks
steve

-----------
Insanity: doing the same thing over and over again and expecting different results.

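A worked alternative to the view-per-group plan, added here as an example (not code from the thread): one view that filters rows by the calling user's AD group with IS_MEMBER(), driven by a small mapping table, so adding the 41st group is an INSERT rather than another view and report. All object and group names (dbo.GroupInfo, dbo.GroupAccess, dbo.GroupInfoForCaller, ReportReaders, CORP\SSRS_Finance) are assumptions made for the illustration.

```sql
-- Added example, not from the thread. Object and group names are assumed.

-- The table holding the per-group information that is being reported on.
CREATE TABLE dbo.GroupInfo (
    GroupInfoId int IDENTITY PRIMARY KEY,
    OrgGroup    nvarchar(50)  NOT NULL,   -- e.g. N'Finance'
    Detail      nvarchar(200) NOT NULL
);

-- Organisational group -> Windows/AD group allowed to read its rows.
-- Maintained by the DBA; a new group is one INSERT here, not a new view.
CREATE TABLE dbo.GroupAccess (
    OrgGroup    nvarchar(50) NOT NULL PRIMARY KEY,
    AdGroupName sysname      NOT NULL     -- e.g. N'CORP\SSRS_Finance'
);
GO

-- One view for everybody. IS_MEMBER() is evaluated for the caller at query time.
-- It returns NULL for a group name SQL Server cannot resolve (typo, or a SQL
-- login rather than a Windows login), so "= 1" fails closed: no rows, no leak.
CREATE VIEW dbo.GroupInfoForCaller
AS
SELECT g.GroupInfoId, g.OrgGroup, g.Detail
FROM   dbo.GroupInfo   AS g
JOIN   dbo.GroupAccess AS a ON a.OrgGroup = g.OrgGroup
WHERE  IS_MEMBER(a.AdGroupName) = 1;
GO

-- Report readers (the AD groups are mapped into this role) get the view only.
-- View and table are both owned by dbo, so ownership chaining lets them read
-- through the view; the DENY stops them reading the base table directly,
-- which would otherwise bypass the filter.
CREATE ROLE ReportReaders;
GRANT SELECT ON dbo.GroupInfoForCaller TO ReportReaders;
DENY  SELECT ON dbo.GroupInfo          TO ReportReaders;
GO

-- Constructed sample data.
INSERT dbo.GroupAccess (OrgGroup, AdGroupName)
VALUES (N'Finance', N'CORP\SSRS_Finance'),
       (N'Legal',   N'CORP\SSRS_Legal');

INSERT dbo.GroupInfo (OrgGroup, Detail)
VALUES (N'Finance', N'Q3 headcount: 12'),
       (N'Legal',   N'Retainer renewed');

-- A member of CORP\SSRS_Finance only (and not of CORP\SSRS_Legal) sees the
-- Finance row; a member of neither sees nothing.
SELECT * FROM dbo.GroupInfoForCaller;
```

Two things to check before relying on this. First, IS_MEMBER() looks at the login behind the database session, so the SSRS data source must use Windows integrated security so that the report viewer's identity reaches SQL Server; with stored credentials every report runs as the stored account and shows that account's rows to everyone. Second, the view only restricts people who come through it: sysadmin and db_owner members can still read dbo.GroupInfo in full, which is the gap the encryption suggestion further down the thread is aimed at. A quick sanity check from a user's own session is SELECT IS_MEMBER(N'CORP\SSRS_Finance'); a NULL there means the group name did not resolve and that user will get an empty report.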
visakh16
Very Important crosS Applying yaK Herder
52326 Posts |
Posted - 2012-10-24 : 10:08:52
Do you have a mapping table where you have users (members) mapped against these groups?

------------------------------------------------------------------------------------------------------
SQL Server MVP
http://visakhm.blogspot.com/

elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2012-10-24 : 10:53:26
Not in any database; that's currently all done in AD.

-----------
Insanity: doing the same thing over and over again and expecting different results.

visakh16
Very Important crosS Applying yaK Herder
52326 Posts |
Posted - 2012-10-24 : 11:40:43
Then you have to create groups for each in AD.

------------------------------------------------------------------------------------------------------
SQL Server MVP
http://visakhm.blogspot.com/

Transact Charlie
Master Smack Fu Yak Hacker
3451 Posts |
Posted - 2012-10-24 : 11:55:49
You didn't mention how technical the groups were.

If it's a legitimate security risk then encryption sounds required. For the fields that are sensitive, let each group encrypt the values using their own encryption schema.

Of course, if the data is not business critical / top secret / sensitive.... just tell them not to be so ****ing stupid.

Transact Charlie
Msg 3903.. The ROLLBACK TRANSACTION request has no corresponding BEGIN TRANSACTION.
http://nosqlsolution.blogspot.co.uk/

robvolk
Most Valuable Yak
15732 Posts |
Posted - 2012-10-24 : 12:11:28
I second Transact Charlie's suggestion. They can encrypt their data with a separate passphrase for each group. If the data is decrypted with the wrong passphrase it returns NULL:

declare @a varbinary(max) = encryptbypassphrase('doi', 'duh')   -- passphrase 'doi', cleartext 'duh'
select @a,                                                      -- the ciphertext
       cast(decryptbypassphrase('doi', @a) as varchar(max)),    -- right passphrase: 'duh'
       cast(decryptbypassphrase('duh', @a) as varchar(max))     -- wrong passphrase: NULL

If they're not agreeable to that, see if a CxO is willing to decide for them, and be sure to spin tales like "well, if they REALLY want it to be secure each department needs their own SQL Server, and I shouldn't have to manage it as that would make me a security risk..."

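Rob's snippet shows the NULL-on-wrong-passphrase behaviour on a single value. As an added example (not code from the thread), here is the same idea applied to the table, using the four-argument form of ENCRYPTBYPASSPHRASE so that the row's own group name acts as an authenticator: a ciphertext copied from one group's row onto another group's row will not decrypt even with the right passphrase. The 20-character minimum Steve mentions is enforced in the insert procedure. The table, procedures, group names and sample rows are all constructed for the illustration.

```sql
-- Added example, not from the thread. Names and data are constructed.

CREATE TABLE dbo.GroupSecret (
    GroupSecretId int IDENTITY PRIMARY KEY,
    OrgGroup      nvarchar(50)    NOT NULL,
    DetailEnc     varbinary(8000) NOT NULL   -- ENCRYPTBYPASSPHRASE output
);
GO

-- Writers: each group supplies its own passphrase when inserting.
-- add_authenticator = 1 with the row's OrgGroup as the authenticator binds the
-- ciphertext to that group, so it cannot be moved onto another group's row.
CREATE PROCEDURE dbo.AddGroupSecret
    @OrgGroup   nvarchar(50),
    @Passphrase nvarchar(128),
    @Detail     nvarchar(200)
AS
BEGIN
    -- Enforce the passphrase policy server-side rather than trusting callers.
    IF LEN(@Passphrase) < 20
    BEGIN
        RAISERROR('Passphrase must be at least 20 characters.', 16, 1);
        RETURN;
    END;

    INSERT dbo.GroupSecret (OrgGroup, DetailEnc)
    VALUES (@OrgGroup, ENCRYPTBYPASSPHRASE(@Passphrase, @Detail, 1, @OrgGroup));
END;
GO

-- Readers: supply the passphrase. A wrong passphrase, or a ciphertext that was
-- encrypted under a different authenticator, yields NULL rather than an error.
CREATE PROCEDURE dbo.GetGroupSecret
    @OrgGroup   nvarchar(50),
    @Passphrase nvarchar(128)
AS
BEGIN
    SELECT GroupSecretId,
           OrgGroup,
           CONVERT(nvarchar(200),
                   DECRYPTBYPASSPHRASE(@Passphrase, DetailEnc, 1, OrgGroup)) AS Detail
    FROM   dbo.GroupSecret
    WHERE  OrgGroup = @OrgGroup;
END;
GO

-- Demo run on constructed data.
EXEC dbo.AddGroupSecret N'Finance', N'Now is the winter of our discontent',    N'Q3 headcount: 12';
EXEC dbo.AddGroupSecret N'Legal',   N'Once more unto the breach dear friends', N'Retainer renewed';

EXEC dbo.GetGroupSecret N'Finance', N'Now is the winter of our discontent';    -- Detail decrypts
EXEC dbo.GetGroupSecret N'Finance', N'Once more unto the breach dear friends'; -- Detail is NULL

-- Ciphertext substitution: copy Legal's blob onto a Finance row...
INSERT dbo.GroupSecret (OrgGroup, DetailEnc)
SELECT N'Finance', DetailEnc FROM dbo.GroupSecret WHERE OrgGroup = N'Legal';

-- ...and even Legal's own passphrase gives NULL for that row, because the
-- authenticator at decryption ('Finance') differs from the one used at
-- encryption ('Legal').
EXEC dbo.GetGroupSecret N'Finance', N'Once more unto the breach dear friends';
```

The cost of this design is exactly the nuisance factor the thread is counting on: every read must carry the passphrase (a report parameter in SSRS), so it travels with each request, and there is no escrow: a group that forgets its passphrase has lost its data, and a DBA cannot recover it for them.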
elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2012-10-25 : 05:15:09
Thanks all for the suggestions.

quote: Originally posted by Transact Charlie
just tell them not to be so ****ing stupid

This is my favoured solution but it doesn't look like I will get away with it just yet. There is a lot of politics involved here (with a very small p). I like Rob's CxO suggestion too, but sadly the person who might do that is off sick at the moment.

I do like the idea of the encryption, though; that might have enough of a nuisance factor to make them see sense, and should be pretty straightforward for me to set up.

I wonder if enforcing a minimum of 20 characters for the passphrase is evil.

-----------
Insanity: doing the same thing over and over again and expecting different results.

robvolk
Most Valuable Yak
15732 Posts |
Posted - 2012-10-25 : 07:07:14
quote: I wonder if enforcing a minimum of 20 characters for the passphrase is evil

Nope. Evil begins at 50 characters. Your justification is, "it's a passPHRASE, not a passWORD. Just pick something easy to remember." Lots of Shakespearean quotes will do.

Paranoia can only be beaten by more paranoia; you're lucky that they are doing this for "security" because it can excuse all kinds of extreme behavior on your part. You're just trying to make it more secure!

elwoos
Master Smack Fu Yak Hacker
2052 Posts |
Posted - 2012-10-25 : 09:13:12
Hee hee, I like your thinking, Rob. I've just got a list of the users: at least 2 of them are going to have to "remember" more than 10 of these passphrases, and about half are going to have to remember more than one. Hopefully they will generate enough pressure for some common sense to apply.

-----------
Insanity: doing the same thing over and over again and expecting different results.

robvolk
Most Valuable Yak
15732 Posts |
Posted - 2012-10-25 : 10:36:26
Just be grateful you've never had to work somewhere that required security clearance. (Seriously, be grateful.) The only thing it's good for is stories to support situations like yours.

"Well, if you think THAT'S a long password, at my old job... ooops, I can't talk about that. Let's just say 50 characters is NOTHING. And we had to WRITE DOWN every time we logged in..."