Option: Ignore users permissions and role memberships
rgribble
Posts: 88
Back in version 3 a feature was requested that would ignore user's membership of roles.
This allows us to define roles with permissions on database objects and use redgate to synchronise the creation of new roles and applying of permissions, without it also wanting to add the users from the test envrionment into the production environment etc.
The feature request was here: http://www.red-gate.com/messageboard/vi ... highlight=
In V4 and V5 this feature was implem,ented (which is great), however it has been bundled up with a second (similar) option of ignoring user's permissions entirely
In my situation, i WANT a table, view, stored proc etc to show up as different if an individual user has been granted access to it. I use redgate tools for auditing our database as well with a service that scans each production database against it's known snapshot (stored in source control). any differences are immediately picked up - as production databases should NOT be changing without audit/SCM departments knowing about it!
If i have this option on, i wont see objects that differ because joe bloe suddenly has complete access to sensitive financial data.
However if i have the option off, then every role shows up as different, because the members of them are different to where the snapshot was taken (on a staging server where the empty DB is built from scripts, and has no users in any of the roles).
In a future version i would like to see the "Ignore users permissions and role membership" option split into 2 separate options:
- Ignore user's role membership
When comparing and scripting roles, users will not be considered. Still must consider other roles which may be a member of this role though.
- Ignore user's permissions
Totally ignores any permissions granted to an individual role
Obviously the existing option "Ignore permissions" would still apply and would override the showing of ANY permissions, whether Role based or individual person based.
This allows us to define roles with permissions on database objects and use redgate to synchronise the creation of new roles and applying of permissions, without it also wanting to add the users from the test envrionment into the production environment etc.
The feature request was here: http://www.red-gate.com/messageboard/vi ... highlight=
In V4 and V5 this feature was implem,ented (which is great), however it has been bundled up with a second (similar) option of ignoring user's permissions entirely
In my situation, i WANT a table, view, stored proc etc to show up as different if an individual user has been granted access to it. I use redgate tools for auditing our database as well with a service that scans each production database against it's known snapshot (stored in source control). any differences are immediately picked up - as production databases should NOT be changing without audit/SCM departments knowing about it!
If i have this option on, i wont see objects that differ because joe bloe suddenly has complete access to sensitive financial data.
However if i have the option off, then every role shows up as different, because the members of them are different to where the snapshot was taken (on a staging server where the empty DB is built from scripts, and has no users in any of the roles).
In a future version i would like to see the "Ignore users permissions and role membership" option split into 2 separate options:
- Ignore user's role membership
When comparing and scripting roles, users will not be considered. Still must consider other roles which may be a member of this role though.
- Ignore user's permissions
Totally ignores any permissions granted to an individual role
Obviously the existing option "Ignore permissions" would still apply and would override the showing of ANY permissions, whether Role based or individual person based.
This discussion has been closed.
Comments
Can we be granted permissions to edit our own posts in this forum?
I have not looked at the issue from this perspective. We will consider this in for future releases. Many thanks,
Andras
Red Gate Software Ltd.