CLR / SQL Server Login Permissions

  • Hi,

    I am a DBA new to CLR and I have a developer who would like to start using CLR. I have started to research CLR but I have not yet found anything on what permissions a SQL Server login needs to use CLR (db_owner, Proxy Account, etc). I know if I grant SA to a login then the developer can work with CLR but granting SA to each developer is not something I want to do.

    Thanks,

    David

  • Using CLR is not much different security-wise than developing T-SQL procedures. Once it's built - the same permissions apply (whether built in T-SQL or CLR).

    Your question really comes down to - how do I keep my DB secure and give my developers access that they need?

    Answer - keep the devs away from production, and have a "move from test to staging to prod" procedure. You can play lots of games security wise - but the bottom line is - you can't adequately secure against a developer if they're developing in a place where they might "do damage". So - don't put them in a "damage-causing" place.

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?

  • demmets (2/28/2008)


    Hi,

    I am a DBA new to CLR and I have a developer who would like to start using CLR. I have started to research CLR but I have not yet found anything on what permissions a SQL Server login needs to use CLR (db_owner, Proxy Account, etc). I know if I grant SA to a login then the developer can work with CLR but granting SA to each developer is not something I want to do.

    Thanks,

    David

    CLR integration first needs to be enabled in the SQL instance. It's disabled by default in SQL Server 2005. After that, permissions are managed the same way as with any other database object.


  • Hi,

    I think the “CLR Triggers for SQL Server 2005” article on

    http://aspalliance.com/1273_CLR_Triggers_for_SQL_Server_2005.all

    may be helpful in this discussion.

    This popular white paper is written by a software engineer from our organization Mindfire Solutions (http://www.mindfiresolutions.com).

    I hope you find it useful!

    Cheers,

    Byapti

  • CLR integration can be enabled from sp_configure. But there are a lot of security considerations for both you and the developer to work through before starting the coding. The developer should think about the assembly security (SAFE, UNSAFE, etc.) depending on the purposes; you should consider the login permissions with which the assemblies are executed, etc. It's better that you read and prepare before you start. To start with, BOL is really good.

    http://rajanjohn.blogspot.com
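
A least-privilege setup along the lines the replies above describe, as an added example that is not part of the original thread: an administrator enables CLR once, and developers get a database role limited to SAFE assemblies. The names DevDb, clr_developers, clr_owner, clr_dev and the schema clr are hypothetical, and the login clr_dev is assumed to exist already.

```sql
-- Added example, not code from the thread. All object names are hypothetical.

-- 1. Run once by an administrator. Changing 'clr enabled' needs the
--    ALTER SETTINGS server permission (sysadmin / serveradmin), so
--    developers never need that right themselves.
EXEC sp_configure 'clr enabled', 1;
RECONFIGURE;
GO

USE DevDb;   -- a development database, not production
GO

-- 2. Keep CLR objects in their own schema, owned by a user that owns nothing
--    else, so ownership chaining from new procedures cannot reach dbo tables.
CREATE USER clr_owner WITHOUT LOGIN;
GO
CREATE SCHEMA clr AUTHORIZATION clr_owner;
GO

-- 3. Role for CLR developers, used instead of db_owner or sysadmin.
CREATE ROLE clr_developers;
GRANT CREATE ASSEMBLY  TO clr_developers;  -- enough for PERMISSION_SET = SAFE
GRANT CREATE PROCEDURE TO clr_developers;
GRANT CREATE FUNCTION  TO clr_developers;
GRANT ALTER ON SCHEMA::clr TO clr_developers;
-- Deliberately NOT granted: the server-level EXTERNAL ACCESS ASSEMBLY and
-- UNSAFE ASSEMBLY permissions. Without them the role cannot load
-- EXTERNAL_ACCESS or UNSAFE assemblies.
-- Caveat: SQL Server 2017 and later enable 'clr strict security' by default,
-- which treats SAFE assemblies as UNSAFE; this sketch does not cover that.
GO

CREATE USER clr_dev FOR LOGIN clr_dev;           -- login assumed to exist
EXEC sp_addrolemember 'clr_developers', 'clr_dev';
GO

-- 4. Checks the DBA can run at any time: is CLR on, and what has been loaded
--    with which permission set?
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'clr enabled';

SELECT a.name, a.permission_set_desc, p.name AS owner_name, a.create_date
FROM sys.assemblies AS a
JOIN sys.database_principals AS p ON p.principal_id = a.principal_id
WHERE a.is_user_defined = 1
ORDER BY a.create_date DESC;
```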

  • Remember that SQL Server 2005 incorporates Execute As, which permits the use of fine-grained permissions on "executable" objects, like a Stored Procedure, or a given step of a job.

    You should also take into consideration (new) server objects supported by SS 2K5 like Credentials and Proxies.

    These also give you fine-grained control of permissions and security to associate with the use of Execute As.

  • I'd like to understand how security is implemented for CLR custom aggregates.

    The EXECUTE permission can be easily given on the CLR custom scalar value functions (among others), but I'm not able to run my CLR custom aggregates under accounts which have no administrative privileges in the db!
