Web应用程序访问的服务帐户设置
我在一个项目中工作,我们的数据库中有pii信息。为了确保Web应用程序访问数据库,我想知道最佳做法是允许服务帐户访问所有对象的执行权限,还是更安全地限制对所需对象的
执行访问权限?限制访问,有哪些缺点?是唯一可以阻碍开发团队的缺点吗?
I work for a project where we have pii information in our database. To secure the web app access to the database, I wanted to know is it best practice to allow the service account access execute permissions to all objects or is it more secure to limit the execute access to the needed objects? With limiting the access, what are the drawbacks? Is the only draw back that it could hinder the development team?
如果对所有人执行,谁负责监督存储的procs访问权限对象不是正确的方法?它应该是DBA还是软件开发团队?
Who's responsibility would it be to oversee the stored procs access if execute to all object is not the right approach? Should it be the DBA or the software development team?
我建议 查看角色。这里的最大胜利是角色是数据库的一部分,因此您可以完全编写脚本安全性,然后告诉部署类型"添加用户并将其添加到此角色"。他们没有打击SQL权限
I would suggest to look into the roles .The big win here is roles are part of your database, so you can completely script security then tell the deployment types to "add a user and add him to this role" and they aren't fighting SQL permission
GRANT SELECT,UPDATE,INSERT,DELETE,EXECUTE在SCHEMA :: DBO上[我的数据库角色]
GRANT SELECT, UPDATE, INSERT, DELETE, EXECUTE on SCHEMA::DBO to [My DB Role]
同时尝试使用存储过程 可以利用代码签名,最细粒度和最强大的访问控制方法
Also try using stored procedures that can leverage code signing, the most granular and powerfull access control method