My company is currently planning to reconfigure security and we are currently arguing over which way to go, storing everything in Active Directory or in SQL Server? So setting up Active Directory groups and use it to create a read and a read/write group and just move users in and out of these security groups and manage security for SQL Server from Active Directory or use SQL Server and move all users into security and create groups in SQL Server and manage the security from there?
我的公司目前正计划重新配置安全性,我们目前正在争论将哪些方法存储在Active Directory或SQL Server中?因此,设置Active Directory组并使用它来创建读取和读/写组,只需将用户移入和移出这些安全组,并从Active Directory管理SQL Server的安全性或使用SQL Server并将所有用户移动到安全性和在SQL Server中创建组并从那里管理安全性?
1 个解决方案
#1
AD is the way to go in my opinion, for a number of reasons.
出于多种原因,AD是我认为的方式。
Security doesn't just cover access to databases. It covers access to files, folders etc. Anything in SQL is irrelevant to the question 'Should they have access to this spreadsheet?'. AD is the way to go there. Why not integrate everything into the same mechanism?
安全性不仅涵盖对数据库的访问。它涵盖了对文件,文件夹等的访问.SQL中的任何内容都与“他们是否有权访问此电子表格?”这一问题无关。 AD是去那里的方式。为什么不将所有内容集成到同一机制中?
AD is more flexible than SQL. An AD Group can contain other AD groups. If you have an AD group called e.g. 'Power Traders' then the Power Traders are added to that group. There would also be groups which give access to individual securables (files, folders, databases, apps etc); 'Power Traders' would be added to those groups and inherit the access to the individual things. If another job also needs access to one of these, that job group can be added to the necessary individual group.
AD比SQL更灵活。 AD组可以包含其他AD组。如果您有一个名为例如的AD组'Power Traders'然后Power Traders被添加到该组。还有一些组可以访问个人安全(文件,文件夹,数据库,应用程序等); “Power Traders”将被添加到这些组中并继承对各个事物的访问权限。如果另一个作业也需要访问其中一个作业,则可以将该作业组添加到必要的单个组中。
If an individual needs access to something outside his normal job, just add them to the individual groups necessary.
如果个人需要访问正常工作之外的某些内容,只需将其添加到必要的各个组中即可。
A full solution would actually have multiple levels of groups. How many would be down to the company and how it wishes to organise itself.
完整的解决方案实际上会有多个级别的组。有多少会归功于公司以及它希望如何组织起来。
#1
AD is the way to go in my opinion, for a number of reasons.
出于多种原因,AD是我认为的方式。
Security doesn't just cover access to databases. It covers access to files, folders etc. Anything in SQL is irrelevant to the question 'Should they have access to this spreadsheet?'. AD is the way to go there. Why not integrate everything into the same mechanism?
安全性不仅涵盖对数据库的访问。它涵盖了对文件,文件夹等的访问.SQL中的任何内容都与“他们是否有权访问此电子表格?”这一问题无关。 AD是去那里的方式。为什么不将所有内容集成到同一机制中?
AD is more flexible than SQL. An AD Group can contain other AD groups. If you have an AD group called e.g. 'Power Traders' then the Power Traders are added to that group. There would also be groups which give access to individual securables (files, folders, databases, apps etc); 'Power Traders' would be added to those groups and inherit the access to the individual things. If another job also needs access to one of these, that job group can be added to the necessary individual group.
AD比SQL更灵活。 AD组可以包含其他AD组。如果您有一个名为例如的AD组'Power Traders'然后Power Traders被添加到该组。还有一些组可以访问个人安全(文件,文件夹,数据库,应用程序等); “Power Traders”将被添加到这些组中并继承对各个事物的访问权限。如果另一个作业也需要访问其中一个作业,则可以将该作业组添加到必要的单个组中。
If an individual needs access to something outside his normal job, just add them to the individual groups necessary.
如果个人需要访问正常工作之外的某些内容,只需将其添加到必要的各个组中即可。
A full solution would actually have multiple levels of groups. How many would be down to the company and how it wishes to organise itself.
完整的解决方案实际上会有多个级别的组。有多少会归功于公司以及它希望如何组织起来。