I understand there is a Domino ini setting for turning off all FT-indexing for an entire server. But is there any way to do this for only some databases on the sever, possibly on a per folder basis?
A fulltext can only be created by a user with manager access to the database.
In a well configured environment NO USER needs manager access to ANY database.
Even administrators don't need that (as there is Full Administration Mode).
So: Give users editor to the databases, manage access to databases with groups (user managed groups if you want), and then decide which databases to index.
In the end give the rules about which databases should have an index to the admins...
Related
I need to set up a training database on Azure that will allow all users to run Select statements (nothing else, it will be read-only).
Multiple users would all be logging in as the same read-only login, and creating/running select statements via SSMS or some other tool.
Any caveats to doing this? I'm planning on opening up the firewall and allowing all IP addresses to access it.
You can use the AdventureWorkLT database that you can install from Azure portal as shown here.
Take in consideration that Basic tier only allows 300 sessions and 30 concurrent logins. You may have to use Standard tiers depending on the number of sessions expected. Please visit this documentation for more information about limits of Azure SQL tiers.
I need to be able to restrict access to a specific columns in my database.
The user cannot make a SQL view of columns A and D or C and D but are allowed to for B and D.
Any suggestions and help would be greatly appreciated.
The Access Database Engine is not designed to manage security in the way that you have described*. You could restrict access to certain items at the application level, but users would still be able to open the back-end database file directly and see things that you apparently don't want them to see.
If this sort of security really is important then you should use a client/server back-end database and set permissions on various objects at the database level. For example, any edition of Microsoft SQL Server, even the Express Edition, can do this.
*(The older Access .mdb database format supported user-level security, but that security model has been deprecated.)
As a general approach for relational databases, I would just suggest a view creation (which would contain only columns available for particular users) and then just allowing access to the views and forbidding access to the tables.
I was just wondering if there are any access methods or rules to prevent people from accessing a database? I'm pretty new to sql so if so, how would you implement a method or rule to a database? Is it through properties of the database, or does it have to be written in SQL script somewhere?
I am using Microsoft SQL Server 2008.
Any help appreciated, thanks in advance.
At a high level:
To allow a user access you need to have a login present at server level (the level higher than your DB's). There will be a 'Security' node at the server level where you can 'add login'. Depending on whether you're using windows user accounts (integrated security) or sql server logins the precise format of the logins will vary, but the user added will want to match the format of the accounts you are using.
Once you have granted a user access to the server in terms of a server login, you can then grant permissions at a database level. There will also be a 'Security' node at database level where you can add a new login at database level.
The database level login needs to match or be mapped to a login at server level.
At database level you can grant/deny all kinds of permissions, but it would be common to grant roles to a user, SQL includes built in roles such as 'datareader'/'datawriter' which are often used for 'generic access'
The image Diego posted illustrates in the GUI where to find some of these options, but the permutations are lengthy and it would be hard to explain any more without knowing some specifics about what you are trying to do.
Read about Logins and Users.
Logins protect you at a server level and Users at a database level. A user usually inherits a login's information.
you can see them on SSMS:
there is no point on writing too much as you can simple google it and find tons of explanations
Problem
Is it somehow possible to create a Windows Authentication login for a SQL database without performing a check for the user at creation time?
Example
Consider ServerA that exists in our DomainA, and ServerB that exists in the customer's DomainB. Being separate companies, DomainA and DomainB never share resources. But, if we backup from ServerB and restore to ServerA, we are able to see the existing SQL logins for users from DomainB, and even modify and code against these logins. This is good, because we are able to develop the database schema on ServerA and then publish to ServerB.
But, if I want to add a new user for this database, and am working on ServerA in DomainA, the following command produces an error:
CREATE USER [DomainB\User];
Windows NT user or group 'DomainB\User' not found. Check the name again. (Microsoft SQL Server, Error: 15401)
This is bad, because we're no longer able to develop on ServerA using the same schema as ServerB.
Backstory
I'm attempting to bring our database-driven application's database schema into source control using a Visual Studio 2010 Database Project. It's important to me to make this work well enough to convince the boss not to continue using 60-GB database backups in a zip file as a means of 'Version Control' (especially since this is just for schema, and not a backup routine). VS2010 DB Projects use scripting to create/modify databases, and so they can't create WinNT users for an unknown domain. In order to get the boss's buy-off, we're going to have to be able to match the capabilities of restoring a backup, and that means being able to re-create users for domains that we don't have access to.
Using SQL Server 2008 in my case.
Note - DBProjects are best suited to managing and versioning your SCHEMA, not your data.
If you want to keep rolling backups of your SQL databases as a whole, then I'd recommend a decent backup strategy.
If you want to better manage your databases' evolving schemas, then using DBProjects may well be your best bet.
FWIW, if you reverse-engineer a DB into a DBProj, you could then run a script to replace DomainB\known-user with DomainA\known-user prior to deploying within DomainA, no?
No, because SQL needs to know the windows SID (ugly GUID) of the user at the time it's created.
Note that you can, however create a SQL or Windows User with the same name and password as your remote SQL, Machine, or Domain user, and it will be able to log in.
I have to access some customers databases being hosted in a shared environment. There are numerous databases being hosted on any given customers instance. So everytime I access a database I have to scroll and search.
I would like to be able to configure Management Studio to just go directly to the database I want to work with for a given connection and hide all others on that connection/instance. But i still want to be able to see databases on other instances i might be working with, i.e. local using the same Object Explorer.
If that not possible is there any reason why the web hosting provider would grant their customers the VIEW ANY DATABASE permission? Im assuming thats why I can see all the other dbs?
If i cant configure Management studio to do what i want as per (1) then I was going to email the provider and ask that they prevent me from seeing them from the "server" end. Would this be an easy thing for them to do? If they REVOKE the VIEW ANY DATABASE permission then that should solve my "problem" right? But would it create any others?
You will require access to the master db to effect the outcome you want. There are no options to configure Sql Server management Studio (SSMS) to do what you want.
So (1) is out.
(2) however is a go so long as your service provider play alongs. You are right they will have to
DENY VIEW ANY DATABASE TO youruseracount
which will require access to the master db. But before they do this they will have to set youruseraccount as the owner of your database.
sp_changedbowner 'youruseraccount'
The side affect of all of this is
a. You wont be able to see any other databases in the instance which is what you want.
b. Only one user will be able to use SSMS to admininster your database with the 'View Only My Db' list. This is because only one user can be the Database Owner.
..
Richard
2 articles describe it (no point if I copy/paste, really)
One and Two