Sql-server – SQL Cross Database Views Security

database-designSecuritysql serverview

Cross Database Views:

Hi,
We have two databases

Database A: Contains dbo.Customerid table,

Database B: Contains dbo.Customerdescription table,

Database Reporting: has a schema for consultant vendors (vdr), so they can join, but not see security information, (SSN and driverlicenses, etc)

I am seeing a lot of information: What is the optimal, secure way to give access to the consultants for cross-database views?

I am seeing error messages,
"The SELECT permission was denied on the object DatabaseA.dbo.customer, etc"

create table DatabaseA.dbo.Customer
(
       Customerid int primary key,
       Customersalescode varchar(25),
       Membersince datetime
)
create table DatabaseB.dbo.CustomerDescription
(
       CustomerId int primary key, 
       Firstname varchar(255), 
       LastName varchar(255), 
       SSN int,  
       Driverlicensenumber varchar(30)
 )

create view vdr.CustomerReport
as
select 
    cust.CustomerId,
    cust.Membersince,
    cds.FirstName,
    cds.LastName
from DatabaseA.dbo.Customer cust
inner join DatabaseB.dbo.Customerdescription cds
    on cust.Customerid = cds.customerid

Best Answer

Unless DB_CHAINING is set to true for all 3 databases, you should give the SELECT permissions on the underlying tables.

In case you set DB_CHAINING to true, all 3 owners of these databases are the same and all 3 objects have the same owner (for now it's not true in your design because your tables are owned by dbo and view is owned by vdr) permissions on the underlying tables will not be checked due to Ownership Chaining

To make ownership chaining work in your case you should do the following:

Run:

use Reporting; 
go 
alter authorization on schema::vdr to dbo;`

set db_chaining to true on all 3 databases:

use master;     
go      
alter database Reporting set db_chaining on;    
alter database DatabaseA set db_chaining on;
alter database DatabaseB set db_chaining on;

check owners of all 3 databases and if it's not the same change it to the same login using
```
alter authorization on database::yourDB to yourLogin
```

Related Solutions

Ms-access – Database to track employee performance

Following the question and your comment - I'm not sure that I remember correctly, but I think that MS Access doesn't allow for a primary key with multiple columns, so you'd better add an auto-increment (autonumber in Access) integer column as PK, and add the other needed columns: EmployeeID, Date, Performance, Quality, Attendance. I'm sure that the Employee table could benefit from having a EmployeeID column (simply just use an int that's autonumber or use the SSN of that person..or whatever id you think you have and it's unique). This EmployeeID column would then be used as a reference in other tables (as the one with gathered values for P, Q and A).

Also, I wouldn't make a separate Manager table, but add a column called ManagerID to the Employee table and make it reference the EmployeeID (eg: for EmployeeID = 5, the ManagerId = 1, and based on the IDs you will get their names).

Later edit: found out I'm a dumb Access user, MS Access allows multi column PKs :-). Anyway, it's still much more simple to manage users and reference them by an ID, and not by a compound PK.

In your current situation I'd make 2 tables:

Employee - EmployeID, FirstName, LastName, Email, ManagerId; and a second with
History: ID, EmployeeID, Date, Performance, Quality, Attendance.

Should be enough for what data you want to gather now.

How to design relationships for variant data

This might force a bit of change for your tables, but we do something like this at work:

Ensure each table has a int/guid primary key of some sort:

Organization Table

ID | Name
1  | MyOrganization

Then create a type-table to house your different LeadSource types:

LeadSourceTypeKey | Description
1                 | Organization
2                 | Company Office

Then on your ProductSoldList Table add 2 columns LeadSourceID and LeadSourceType

Then you can easily query the ProductSoldList TABLE and know which LeadSource to join back to:

SELECT *
FROM   [ProductSoldList] PL
       INNER JOIN [Organization] O
       ON PL.LeadSourceID = O.ID AND
          PL.LeadSourceType = 1
       INNER JOIN [Company Office] CO
       ON PL.LeadSourceID = CO.ID AND
          PL.LeadSourceType = 2

Best Answer

Related Solutions

Ms-access – Database to track employee performance

How to design relationships for variant data

Related Question