Thanks everyone! My goal was actually very simple.  Some "facts" I knew
about SQL Server permissions were overturned today.  Didn't know you can
simply grant individual permissions. I was under the impression server and
database roles were all I had to play with.

I have clients that need our web server to "Read" and execute existing
stored procedures. (Some of those stored procedures may delete/update, like
Mike said); however, this is fine, as long as we can run them.

Again thanks!
Brian

-----Original Message-----
From: Mike Chabot [mailto:mcha...@gmail.com] 
Sent: Thursday, November 18, 2010 3:42 PM
To: cf-talk
Subject: Re: What was that security again?


None of the server or database roles would classify as "minimum settings."
You achieve minimum settings with GRANT and DENY statements. Is your goal to
restrict a user to only reading data? If one of your stored procs allows for
the deletion of data, and you grant execute permissions to the user, the
user will be able to execute that stored proc and delete the data, even if
they are not granted specific delete permission on the table.

You might explore the deny roles and deny granular permissions if you really
don't want someone to do anything other than read data.

It is reasonable to combine the db_datareader role along with granular
stored procedure permissions to meet your goal. Also restrict the
permissions for the data source in ColdFusion Admin as another layer of
protection.

ddladmin allows a user to truncate a database table, so avoid that role if
you want read-only. It helps if users need to truncate though.

-Mike Chabot
http://www.linkedin.com/in/chabot
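The setup Mike describes (db_datareader for reads plus EXECUTE on individual procedures, with DENY as an extra layer) looks like this in T-SQL. This is an added example, not code from anyone in the thread; the database, login, user and procedure names are made up, and `ALTER ROLE ... ADD MEMBER` assumes SQL Server 2012 or later (older versions use `sp_addrolemember`).

```sql
-- Added example: a least-privilege database user for a web application that
-- only needs to read tables and run a fixed set of stored procedures.
-- All object names below (SalesDb, WebAppLogin, WebAppUser, dbo.usp_*) are hypothetical.

USE [SalesDb];
GO

-- 1. Server login mapped to a database user. No server roles, no db_owner.
CREATE LOGIN WebAppLogin WITH PASSWORD = '<strong password here>', CHECK_POLICY = ON;
CREATE USER WebAppUser FOR LOGIN WebAppLogin;
GO

-- 2. Read-only access to every table and view. db_datareader grants SELECT only;
--    it does NOT imply EXECUTE on any procedure.
ALTER ROLE db_datareader ADD MEMBER WebAppUser;
GO

-- 3. Granular EXECUTE on exactly the procedures the application calls.
--    Any procedure not listed here cannot be run by this user.
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrders  TO WebAppUser;
GRANT EXECUTE ON OBJECT::dbo.usp_CloseOrder TO WebAppUser;  -- this one UPDATEs/DELETEs internally
GO

-- 4. Extra layer: DENY direct writes, so ad hoc SQL from the data source cannot
--    modify data. DENY overrides any GRANT inherited through a role.
--    Caveat: when the procedure and the table share an owner (both dbo here),
--    SQL Server's ownership chaining skips the permission check on the table,
--    so usp_CloseOrder still succeeds. That is the behaviour Mike describes:
--    EXECUTE on a writing procedure is a write permission in practice.
DENY INSERT, UPDATE, DELETE ON SCHEMA::dbo TO WebAppUser;
GO

-- 5. Do not add this user to db_ddladmin: TRUNCATE TABLE needs ALTER on the
--    table, which db_ddladmin effectively grants, so it is not read-only.

-- 6. Verify the effective permissions as the web user would see them.
EXECUTE AS USER = 'WebAppUser';
SELECT entity_name, permission_name
FROM fn_my_permissions('dbo.usp_CloseOrder', 'OBJECT');   -- expect EXECUTE
SELECT entity_name, permission_name
FROM fn_my_permissions('dbo.Orders', 'OBJECT');           -- expect SELECT only
REVERT;
GO
```

Run the verification block before pointing the ColdFusion data source at this login, and then tick only the SQL operations the application actually needs in the data source's advanced settings, so that the restriction is enforced on both sides.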

On Thu, Nov 18, 2010 at 2:27 PM, Russ Michaels <r...@michaels.me.uk> wrote:
>
> Yes, but it is a safe role; you can't do anything dodgy.
>
> -----Original Message-----
> From: Dave Watts [mailto:dwa...@figleaf.com]
> Sent: 18 November 2010 19:20
> To: cf-talk
> Subject: Re: What was that security again?
>
>
>> DDLADMIN should suffice, this is what role we give to all our customers.
>
> That's way more than needed for reading data.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA 
> Schedule, and provides the highest caliber vendor-authorized 
> instruction at our training centers, online, or onsite.
>
>
>
> 



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:339387