SQL Server - what's the point of database users?

Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!

You are not logged in or you do not have permission to access this page. This could be due to one of several reasons:

You are not logged in. If you are already registered, fill in the form below to log in, or follow the "Sign Up" link to register a new account.
You may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.

SpontaneousOrder replied

18 March 2014, 22:15
Originally posted by Freaki Li Cuatre View Post

I seem to be able to do everything with just the login.

Why have the overhead of creating database users too?

I'm sure there are more complex scenarios than mine where this would be needed.

Do your databases have a guest user? If you remove that then they would probably need a 'proper' user.
i.e. can you get access to one DB, and restrict another, all using just the login?
Leave a comment:
lilelvis2000 replied

18 March 2014, 20:53
Originally posted by Freaki Li Cuatre View Post

No, but I can set all that at the login level.

Let's suppose I have an AD group called CUK Users and I want that group to be able to have read/write privileges on a database called CUK. All I do is map the login to that table and add the db_reader/db_writer roles for CUKUsers.

I've still got everything else locked down - the login can only run queries on CUK. And I haven't had to create users to do this. So, why would I create users in this scenario when the login seems to do everything?

Fine, if you are using AD. But most of my clients won't let AD near SQL Server. I suppose they are worried about network admin users blowing away databases.

Not being a DBA its not something I worry about.
Leave a comment:
robpow replied

18 March 2014, 15:26
Why do you need the user context to reach the DB at all? In a multi-tier application you tend to do all the auth in the middle tier/webserver/etc and just have an application identity connect to the DB.

Or do the users need access to the DB using SQL Mgmt Studio, Excel etc?

Matt
Leave a comment:
SpontaneousOrder replied

18 March 2014, 13:03
I don't know SQL Server. Is Users a synonym for Schemas, like in oracle?
Leave a comment:
eek replied

18 March 2014, 12:24
Originally posted by Freaki Li Cuatre View Post

No, but I can set all that at the login level.

Let's suppose I have an AD group called CUK Users and I want that group to be able to have read/write privileges on a database called CUK. All I do is map the login to that table and add the db_reader/db_writer roles for CUKUsers.

I've still got everything else locked down - the login can only run queries on CUK. And I haven't had to create users to do this. So, why would I create users in this scenario when the login seems to do everything?

audit trails?
Leave a comment:
Freaki Li Cuatre replied

18 March 2014, 12:08
Originally posted by mudskipper View Post

Exactly. That's the point of users - most won't need to do everything.

No, but I can set all that at the login level.

Let's suppose I have an AD group called CUK Users and I want that group to be able to have read/write privileges on a database called CUK. All I do is map the login to that table and add the db_reader/db_writer roles for CUKUsers.

I've still got everything else locked down - the login can only run queries on CUK. And I haven't had to create users to do this. So, why would I create users in this scenario when the login seems to do everything?
Leave a comment:
mudskipper replied

18 March 2014, 11:46
Originally posted by Freaki Li Cuatre View Post

I seem to be able to do everything with just the login.

Exactly. That's the point of users - most won't need to do everything.
Leave a comment:
SimonMac replied

18 March 2014, 11:29
Originally posted by eek View Post

because you may not want some users and systems anywhere near certain information

Why not just give everyones sysadmin privileges?

Oh hang on......
Leave a comment:
eek replied

18 March 2014, 11:03
Originally posted by Freaki Li Cuatre View Post

I seem to be able to do everything with just the login.

Why have the overhead of creating database users too?

I'm sure there are more complex scenarios than mine where this would be needed.

because you may not want some users and systems anywhere near certain information
Leave a comment:
Freaki Li Cuatre started a topic SQL Server - what's the point of database users?

18 March 2014, 10:55
SQL Server - what's the point of database users?

I seem to be able to do everything with just the login.

Why have the overhead of creating database users too?

I'm sure there are more complex scenarios than mine where this would be needed.
Tags: None