Re: T-Sql & Active Directory Roles, Identification of original login of impersonated ID's and Suspended processing



Tim (tim_rogers01@xxxxxxxxxxx) writes:
1). T-Sql and Active directory roles.
We want to be able to control access to data within a table based on a
role within Active directory.
For example, Region1 has 4 sites, Region 2 has 3 sites and so forth.
All the sites are held in a single database table.
The staff in Region1 must be limited to only being able to retrieve
data for their 4 sites.
We would like to set up an active directory role for each region and
use this to control things.
Is there any way in which T-Sql can retrieve data about the Active
Directory Roles?

You can grant DB access to a Windows group, and I think you also
can grant permissions in SQL Server to Windows groups. But you seem
to be looking at some row-level security scheme. In that case, have a
look at the is_member() function.

2). Drilling back to the original ID when an impersonating ID is used
at database level.
We have legacy systems that allow for an individual login but once the
data request is passed to the database the access is via a generic ID.
This is causing a problem with tracking the authors of inappropriate
changes to the data.
Is there any way in which T-Sql can drill back to the original ID?

It would have helped if you had told how impersonation is done, as
there are several options. But I can think of two ways:

1) Have the generic ID perform an EXECUTE AS on behalf of the
real user. Note that in SQL 2005 you can add login-less users to
a database.

2) Issue SET CONTEXT_INFO before the generic ID starts working. Then
use the context_info function to retrieve that data in your T-SQL
code.

We are finding that the larger SQL statements, in terms of the number
of rows affected, are being 'Suspended' and just hanging for hours.
The term Suspended is taken from the Management>Activity
Monitor>Status Column.
We believe that the 'Suspended' is occurring because the process is
waiting on memory but we're not certain.
Does anyone know the cause and / or cure for this 'undocumented
feature'?

Without knowing more, I would guess on cached connections for linked
servers. I don't think they are waiting for memory.

--
Erland Sommarskog, SQL Server MVP, esquel@xxxxxxxxxxxxx

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
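As an added illustration of the is_member() suggestion in the reply above (this is not Erland's code, and none of it appears in the original thread): a view that filters a shared sites table down to the regions whose Windows group the caller belongs to. The table names dbo.Sites, dbo.RegionGroup and dbo.vw_MySites, and the group names CORP\Region1Staff and CORP\Region2Staff, are assumptions for illustration; the SQL Server 2005 CREATE LOGIN / CREATE USER syntax matches the version the reply mentions.

```sql
-- Added example, not from the original post. Object and group names are assumed.

-- Base table holding every site across all regions.
CREATE TABLE dbo.Sites
(
    SiteId   int           NOT NULL PRIMARY KEY,
    Region   varchar(20)   NOT NULL,
    SiteName nvarchar(100) NOT NULL
);

-- Region -> Windows group that may see that region. Keeping this in a table
-- avoids hard-coding group names into the view.
CREATE TABLE dbo.RegionGroup
(
    Region       varchar(20) NOT NULL PRIMARY KEY,
    WindowsGroup sysname     NOT NULL
);

INSERT INTO dbo.RegionGroup (Region, WindowsGroup) VALUES ('Region1', N'CORP\Region1Staff');
INSERT INTO dbo.RegionGroup (Region, WindowsGroup) VALUES ('Region2', N'CORP\Region2Staff');

-- Constructed sample data.
INSERT INTO dbo.Sites (SiteId, Region, SiteName) VALUES (1, 'Region1', N'Site A');
INSERT INTO dbo.Sites (SiteId, Region, SiteName) VALUES (2, 'Region1', N'Site B');
INSERT INTO dbo.Sites (SiteId, Region, SiteName) VALUES (3, 'Region2', N'Site C');
GO

-- The Windows groups need a login and a database user (SQL Server 2005 syntax).
CREATE LOGIN [CORP\Region1Staff] FROM WINDOWS;
CREATE LOGIN [CORP\Region2Staff] FROM WINDOWS;
GO
CREATE USER [CORP\Region1Staff] FOR LOGIN [CORP\Region1Staff];
CREATE USER [CORP\Region2Staff] FOR LOGIN [CORP\Region2Staff];
GO

-- Returns only rows whose region maps to a group the caller is a member of.
-- IS_MEMBER returns 1 (member), 0 (not a member) or NULL (name is not a valid
-- group, or the caller has no Windows token), so the comparison with 1 makes
-- the NULL case yield no rows rather than all rows.
CREATE VIEW dbo.vw_MySites
AS
SELECT s.SiteId, s.Region, s.SiteName
FROM   dbo.Sites AS s
WHERE  EXISTS (SELECT 1
               FROM   dbo.RegionGroup AS rg
               WHERE  rg.Region = s.Region
               AND    IS_MEMBER(rg.WindowsGroup) = 1);
GO

-- Staff reach the data only through the view; nothing is granted on dbo.Sites.
GRANT SELECT ON dbo.vw_MySites TO [CORP\Region1Staff];
GRANT SELECT ON dbo.vw_MySites TO [CORP\Region2Staff];
GO
```

Two things to keep in mind with this pattern. The filter only holds for principals that have no other path to dbo.Sites, so do not grant SELECT on the base table to those groups (db_owner and sysadmin members can read it regardless). And IS_MEMBER answers from the Windows token that was built when the connection was made: a group change in Active Directory shows up on the user's next connection, and a connection made with SQL Server authentication has no Windows groups in it at all, which is why the view fails closed in that case.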
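For the second question, here is an added worked example (mine, not Erland's, and not part of the thread) that puts both of his options behind one audit trigger: the trigger records ORIGINAL_LOGIN(), which always reports the login SQL Server authenticated, alongside the real actor resolved from CONTEXT_INFO if the application set it and from USER_NAME() otherwise, which under EXECUTE AS USER is the impersonated login-less user. The table dbo.SiteContacts, the audit table, the login-less user tim and the generic ID's database user GenericApp are all assumed names.

```sql
-- Added example, not from the original reply. Object and user names are assumed.

-- Table whose changes we want to attribute to a person.
CREATE TABLE dbo.SiteContacts
(
    SiteId  int           NOT NULL PRIMARY KEY,
    Contact nvarchar(100) NOT NULL
);

-- Audit trail: the login SQL Server actually authenticated, plus the resolved actor.
CREATE TABLE dbo.SiteContactsAudit
(
    AuditId      int IDENTITY(1,1) NOT NULL PRIMARY KEY,
    SiteId       int               NOT NULL,
    ChangedAt    datetime          NOT NULL DEFAULT GETDATE(),
    GenericLogin sysname           NOT NULL,   -- ORIGINAL_LOGIN(): unaffected by EXECUTE AS
    Actor        nvarchar(64)      NOT NULL    -- resolved in the trigger below
);
GO

-- Resolution order, matching the two options in the reply:
--   option 2) CONTEXT_INFO set by the application on this connection, decoded from
--             its 128-byte varbinary and stripped of zero padding (a binary
--             collation is used so that NCHAR(0) is matched literally);
--   option 1) otherwise USER_NAME(), which under EXECUTE AS USER is the
--             impersonated user rather than the generic ID.
CREATE TRIGGER dbo.trg_SiteContacts_Audit ON dbo.SiteContacts
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @ctx   varbinary(128);
    DECLARE @actor nvarchar(64);

    SET @ctx = CONTEXT_INFO();
    IF @ctx IS NOT NULL
        SET @actor = REPLACE(CONVERT(nvarchar(64), @ctx) COLLATE Latin1_General_BIN,
                             NCHAR(0), N'');
    IF @actor IS NULL OR @actor = N''
        SET @actor = USER_NAME();

    INSERT INTO dbo.SiteContactsAudit (SiteId, GenericLogin, Actor)
    SELECT COALESCE(i.SiteId, d.SiteId), ORIGINAL_LOGIN(), @actor
    FROM   inserted AS i
    FULL OUTER JOIN deleted AS d ON i.SiteId = d.SiteId;
END;
GO

-- One-off setup for option 1: a login-less user per real person, which the generic
-- ID's database user (assumed to be GenericApp) is allowed to impersonate.
CREATE USER tim WITHOUT LOGIN;
GRANT UPDATE ON dbo.SiteContacts TO tim;
GRANT IMPERSONATE ON USER::tim TO GenericApp;
GO

-- Constructed data.
INSERT INTO dbo.SiteContacts (SiteId, Contact) VALUES (1, N'Original contact');

-- Option 2: the application, already connected as the generic login, tags the session
-- with the real user's name before issuing its statements.
DECLARE @tag varbinary(128);
SET @tag = CONVERT(varbinary(128), N'CORP\tim');   -- constructed value
SET CONTEXT_INFO @tag;
UPDATE dbo.SiteContacts SET Contact = N'Changed via CONTEXT_INFO' WHERE SiteId = 1;

-- Option 1: clear the tag and have the generic ID impersonate the login-less user.
SET CONTEXT_INFO 0x0000;
EXECUTE AS USER = 'tim';
UPDATE dbo.SiteContacts SET Contact = N'Changed via EXECUTE AS' WHERE SiteId = 1;
REVERT;

-- Both audit rows carry the generic login in GenericLogin; Actor reads
-- CORP\tim for the first change and tim for the second.
SELECT AuditId, SiteId, ChangedAt, GenericLogin, Actor
FROM   dbo.SiteContactsAudit;
```

The two options differ in what the audit row can be trusted to mean. CONTEXT_INFO is written by the client, so the Actor value is only as reliable as the application code that sets it; anyone who can open an ad hoc connection as the generic ID can put any name there. EXECUTE AS USER is bound by the IMPERSONATE permission granted inside the database, so the recorded user is one the generic ID was explicitly allowed to act as. In both cases the scheme only attributes changes correctly if end users cannot use the generic ID's credentials directly.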