Thursday, March 8, 2012

CLR Integration Security

Hi,
In BOL it is mentioned that we can control the access of users to file
system resources by using impersonation (WindowsIdentity.Impersonate).
Imagine I have a SP that creates a file on disk but the user sends the path
as a parameter. Although I can control the user to access only to particular
path, but how can I control the developer herself? As a DBA, I need to
control the developer while they can write their codes without using
"WindowsIdentity.Impersonate". If they don't do impersonation, they can work
under the security account of SQL Server.
I want to give permissions based on the user accounts that they log into
their Windows.
Thanks in advance,
Leila

Leila wrote:
> Hi,
> In BOL it is mentioned that we can control the access of users to file
> system resources by using impersonation (WindowsIdentity.Impersonate).
> Imagine I have a SP that creates a file on disk but the user sends the path
> as a parameter. Although I can control the user to access only to particular
> path, but how can I control the developer herself? As a DBA, I need to
> control the developer while they can write their codes without using
> "WindowsIdentity.Impersonate".
I do not really understand the question. What I mean is that, if the
developer writes the code without Impersonate, then everyone runs
without impersonation - so IMHO, it is not a question about dev vs.
regular users. If you are worried about dev doing things they shouldn't
do - well make sure they only have necessary rights on dev machines and
not production boxes.

> If they don't do impersonation, they can work
> under the security account of SQL Server.
> I want to give permissions based on the user accounts that they log into
> their Windows.
Well, I would assume that the account SQL runs under has very low
privileges, and if you want to give rights according to the log-ins -
require that the code has Impersonate. Also, remember that running under
the account of SQL is only applied when you execute out of SQL Server,
i.e. file I/O etc.
Niels
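
The approach described in the reply above, as an added example that is not part of the original thread: a CLR stored procedure that impersonates the caller through `SqlContext.WindowsIdentity` before doing file I/O, and refuses to run when there is no Windows identity instead of falling back to the SQL Server service account. The class name, procedure name and the `D:\Exports\` root are assumptions chosen for illustration.

```csharp
using System;
using System.Data.SqlTypes;
using System.IO;
using System.Security.Principal;
using Microsoft.SqlServer.Server;

public static class FileProcs
{
    // Assumption: the only directory callers may write to (placeholder path).
    // The trailing backslash keeps "D:\Exports2\..." from matching the prefix check.
    private const string AllowedRoot = @"D:\Exports\";

    [SqlProcedure]
    public static void WriteCallerFile(SqlString relativePath, SqlString content)
    {
        if (relativePath.IsNull || content.IsNull)
            throw new ArgumentException("relativePath and content are required.");

        // Resolve the caller-supplied path, then reject anything that lands
        // outside AllowedRoot. This covers "..\" segments and absolute paths,
        // because Path.Combine returns the second argument when it is rooted.
        string fullPath = Path.GetFullPath(Path.Combine(AllowedRoot, relativePath.Value));
        if (!fullPath.StartsWith(AllowedRoot, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Path is outside the allowed directory.");

        // SqlContext.WindowsIdentity is null for SQL-authenticated logins.
        // Fail closed here so the write never runs as the service account.
        WindowsIdentity caller = SqlContext.WindowsIdentity;
        if (caller == null)
            throw new UnauthorizedAccessException("A Windows-authenticated login is required.");

        WindowsImpersonationContext ctx = caller.Impersonate();
        try
        {
            // NTFS ACLs are now evaluated against the caller's Windows account.
            File.WriteAllText(fullPath, content.Value);
        }
        finally
        {
            // Always revert, even on failure, so later code in the procedure
            // does not keep running under the caller's token.
            ctx.Undo();
        }
    }
}
```

The assembly has to be cataloged with `PERMISSION_SET = EXTERNAL_ACCESS` for the file I/O to be permitted at all.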
