Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
Eagle_f90
Constraint Violating Yak Guru
424 Posts |
 Posted - 2003-10-11 : 23:55:29
|
| I have a bunch of ASP scripts that need to both read and write information to a sigle database on the server. Should I use the default dbo user or create a new one and give it datawrite and dataread access? Which is best for the security of the server and database?--For those with wings, fly to your dreamsDearms are what are found at the end of reality, and your reality if what is found at the end of your dreams. |
|
|
AjarnMark
SQL Slashing Gunting Master
3246 Posts |
Posted - 2003-10-13 : 02:24:48
|
| When you say "default dbo user" do you mean SA? Then the answer is an emphatic NO!! Do not use the SA login for your ASP pages. I suggest you create a specific SQL login for your web app to use. And in fact, I would NOT grant that user datawriter or datareader access. Instead, I would (and in fact did in my previous work) grant that user only permission to execute stored procedures, and then use stored procedures to do all of your data retrieval and manipulation. This is much more secure.--------------------------------------------------------Visit the SQLTeam Weblogs at [url]http://weblogs.sqlteam.com[/url] |
 |
|
|
Eagle_f90
Constraint Violating Yak Guru
424 Posts |
Posted - 2003-10-13 : 10:20:46
|
| I don't mean the SA user, when I go to see which users are already created there is alerdy one called "DBO" Also, I can't just give them permition to used stored procedures since my ASP scripts will be reading and writting the data, I don't know knough about T-SQL to do the project I want to do with only stord procedures.--For those with wings, fly to your dreamsDearms are what are found at the end of reality, and your reality if what is found at the end of your dreams. |
|
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2003-10-13 : 12:44:43
|
| Do not use dbo either. Create a role in your database. Then provide explicit permissions to that role. The explicit permissions would be EXECUTE on stored procedures then any other rights needed on the tables. You should only provide database level roles in non-production environments.Tara |
|
|
|
Eagle_f90
Constraint Violating Yak Guru
424 Posts |
Posted - 2003-10-13 : 14:31:02
|
| So what permions do I need to set to let the new user I creat for the ASP scripts change information in the database? I was looking at books onine info on permitions and they have listed "select", "insert", "update", "delete", "REFERENCES", and "execute". I will be using select statments so I am assuming that I will need the "select" permitions, but do I also need the "insert" and "update" or only one of them?--For those with wings, fly to your dreamsDearms are what are found at the end of reality, and your reality if what is found at the end of your dreams. |
|
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2003-10-13 : 14:36:49
|
| You need INSERT permissions if the user needs to INSERT data into that table. You need UPDATE if updates will occur to already existing rows. But do not just grant all permissions on all tables. You need to know what your application does in order to determine what permissions to grant.Are you using stored procedures? If so, permissions are as easy as granting EXECUTE on the stored procedures. No other permission would be required unless some of them are doing dynamic sql.Tara |
|
|
|
|
|
|
|
|
Database roles