Sql-server – Is SQL Server/Windows integrated security good for anything


The distinctions among Windows user permissions and any set of SQL Server GRANTs seem like unrelated concepts. As often as not, it seems to actually be implemented with pseudo-logins for database roles; but that doesn't map usefully back to Windows permissions. Assuming single-login identity verification, why not just go with the simplest possible database roles?

So far we've picked up the single benefit that you don't need to store a password in your application; but that seems more like a trivial beneficial consequence than a design goal; there are lots of other more direct ways to achieve that, without closely coupling the entire security apparati of both universes.

Doesn't anyone else have any benefit to suggest, other than single login and ability for SD to maintain groups, thereby duplicating the capability for groups (based on the same user login) already existing in SQL Server?

The group issue has several flaws, including the assumption that the AD manager is assumed to be equally qualified to maintain both; and it excludes any network connections that aren't part of AD (thereby locking you into MS technology.)

And to put it in best-practice terms, you've built in coupling of systems, which is generally conceded to be a Bad Thing.

Best Solution

Many of these have been said or are similar to previous answers... With AD integration:

a) I don't have to worry about the users who have access to any given application, I can pass that off to the security guys.

b) I can restrict access at a table by table level based on groups that already exists, as well as forcing standard users to only have the ability to call stored proc's.

c) When a developer leaves my group, we don't have to change all the DB passwords (i.e. if you care about data security...)

d) It's easy to do custom logging based on the user who makes the change. There are other ways to do this, but I'm all about being lazy.

e) Integrates with IIS authentication. If you're already using IE & IIS for your intranet, this just makes life a lot easier.

Note: There are far more reasons not to use it, and I never used it before my present position. Here where everything is lined up in AD already... It's just the easiest time I've ever had with database security.