ser account created in each database the login is accessing'. As long as on
ly one login can be used in a db and a user is associated with a login, what
is the purpose of having a
distinction between a User and a Login? Why can't you just add a Login to a
database and skip the User? Also, what is the purpose of allowing the user
name to be different than the login name (I realize it defaults to the login
name)? Since connection
strings use the login name, what purpose is there to have the username poten
tially different?
I'm assuming this has something to do with database (as opposed to server) r
oles, in which case multiple users can be added to a role. However, why are
n't Logins added directly to roles instead of Users?Sorry, but you should try and keep this as simple as possible.
A login is a security mechanism to control access to SQL server.
A user account is a security mechanism to control access to databases once a
connection has been established to SQL Server with a login. That is why
logins are mapped to user accounts.
Logins can be added to server roles to give that login rights to perform
server level operations -- adding logins/users, adding databases, etc.
Users are added to database roles since you need a user account to connect
to the database. DBO is an important one -- database owner.
Don't forget to read up on groups -- especially public.
****************************************
***************************
Andy S.
MCSE NT/2000, MCDBA SQL 7/2000
andymcdba1@.NOMORESPAM.yahoo.com
Please remove NOMORESPAM before replying.
Always keep your antivirus and Microsoft software
up to date with the latest definitions and product updates.
Be suspicious of every email attachment, I will never send
or post anything other than the text of a http:// link nor
post the link directly to a file for downloading.
This posting is provided "as is" with no warranties
and confers no rights.
****************************************
***************************
"mt" <anonymous@.discussions.microsoft.com> wrote in message
news:55BC9EF1-E300-46D3-8EC8-D69BADF4843B@.microsoft.com...
quote:
> In the Books Online, it is stated that '...a single login is mapped to one
user account created in each database the login is accessing'. As long as
only one login can be used in a db and a user is associated with a login,
what is the purpose of having a distinction between a User and a Login? Why
can't you just add a Login to a database and skip the User? Also, what is
the purpose of allowing the user name to be different than the login name (I
realize it defaults to the login name)? Since connection strings use the
login name, what purpose is there to have the username potentially
different?
quote:
> I'm assuming this has something to do with database (as opposed to server)
roles, in which case multiple users can be added to a role. However, why
aren't Logins added directly to roles instead of Users?|||"mt" <anonymous@.discussions.microsoft.com> wrote in message
news:55BC9EF1-E300-46D3-8EC8-D69BADF4843B@.microsoft.com...
quote:
> In the Books Online, it is stated that '...a single login is mapped to one
user account created in each database the login is accessing'. As long as
only one login can be used in a db and a user is associated with a login,
what is the purpose of having a distinction between a User and a Login? Why
can't you just add a Login to a database and skip the User? Also, what is
the purpose of allowing the user name to be different than the login name (I
realize it defaults to the login name)? Since connection strings use the
login name, what purpose is there to have the username potentially
different?<
Thing of accessing SQL Server as a two-tier process. You need a login to
connect to SQL Server, then you need to grant a login access to a specific
database or databases. Where possible it's recommended to use Windows
Authentication, grant login authentication to NT groups, and assign specific
database access to those groups. Once this mechanism is in place, it's
simple a matter of adding a user or users to the particular group and you're
done!
Please read this paper for a more in-depth discussion:
http://www.microsoft.com/technet/tr...chnet/prodtechn
ol/sql/maintain/security/sp3sec/default.asp
quote:
> I'm assuming this has something to do with database (as opposed to server)
roles, in which case multiple users can be added to a role. However, why
aren't Logins added directly to roles instead of Users?<
Roles were designed to be used by applications that could connect via a
given account/password (hidden in the application) that have specific rights
on a database.|||> "mt" <anonymous@.discussions.microsoft.com> wrote in message
quote:
> news:55BC9EF1-E300-46D3-8EC8-D69BADF4843B@.microsoft.com...
one[QUOTE]
> user account created in each database the login is accessing'. As long as
> only one login can be used in a db and a user is associated with a login,
> what is the purpose of having a distinction between a User and a Login?
Why
quote:
> can't you just add a Login to a database and skip the User? Also, what is
> the purpose of allowing the user name to be different than the login name
(I
quote:
> realize it defaults to the login name)? Since connection strings use the
> login name, what purpose is there to have the username potentially
> different?<
>
Thing of accessing SQL Server as a two-tier process. You need a login to
connect to SQL Server, then you need to grant a login access to a specific
database or databases. Where possible it's recommended to use Windows
Authentication, grant login authentication to NT groups, and assign specific
database access to those groups. Once this mechanism is in place, it's
simple a matter of adding a user or users to the particular group and you're
done!
Please read this paper for a more in-depth discussion (watch line wrap):
http://www.microsoft.com/technet/tr...chnet/prodtechn
ol/sql/maintain/security/sp3sec/default.asp
quote:
>
server)[QUOTE]
> roles, in which case multiple users can be added to a role. However, why
> aren't Logins added directly to roles instead of Users?<
>
Roles were designed to be used by applications that could connect via a
given account/password (hidden in the application) that have specific rights
on a database.
quote:
>
Steve|||MT,
As a newbie on SQL server ( I'm an Oracle DBA ) I found out that the online
docs where prety clear on how to log into the server / database(s) Please re
ad the "Permissions Validation" part in the "Administring SQLserver/Managing
security /Security levels"
No comments:
Post a Comment