
AdminStudio Enterprise Security

Hi
I don't think that I understand the "Security" feature of AdminStudio Enterprise.

I want my packagers to only be able to see their own packages and I don't want them to see the workflows tab.

I have unchecked all the relevant boxes in the "Manage Roles" dialog and made everyone but the project admins members of the Author role.

I am using MSSQL7 server.

My users are logging in using NT authentication.

Problem:
No option makes any difference, everyone is Administrator.
Catalog->User Permissions always shows Administrator - Full control
I can get it to work for SQL users but we can't use them here

looeee
(3) Replies
CChong
By Level 11 Flexeran
The first thing I would like you to do is to deny access to the BUILTIN\Administrators group in your SQL Server through Enterprise Manager. This is a bug in AdminStudio 5.0, and in the next paragraph I will explain how this originates.

When an NT user tries to log in to the AdminStudio database, AdminStudio gets all the groups this user belongs to. Then for each group AdminStudio tries to find out what roles the group belongs to in SQL Server. If the group belongs to the sysadmin role, this means the user is also a sysadmin. This is good because this way AdminStudio system administrators can add one group and all its members will belong to the same roles at the SQL Server level.

However, during this process comes the BUILTIN\Administrator group. Every NT machine comes with this group, and your SQL Server machine will also have this group by default. In addition, SQL Server by default puts this group in the sysadmin role.

So now if the user on a given machine belongs to the BUILTIN\Administrator group, AdminStudio will go to SQL Server and try to find this group, and will find this group on SQL Server also with the sysadmin role. Now the names of these groups are the same, but actually they are local groups on two different machines. AdminStudio should have treated them differently, but unfortunately this is a bug and AdminStudio treats them as the same group. This way AdminStudio will treat the user as a system admin even though the user is not an admin.

The good news is we have fixed this bug and the fix will be available in our next release. For the time being you can either completely remove the BUILTIN\Administrator group from SQL Server or Deny Access to the BUILTIN\Administrator group.

Please let me know about the result. I will be glad to assist you further if you have any questions.

Hi Amber,

Thank you very much for your help. Maybe it would have helped if I mentioned that my packagers are all either Local or Domain Admins!

Denying access to BUILTIN\Administrators looked like it worked until I found that I could not connect to the box via Enterprise Manager.

Rather than denying access, deleting the account gave me the desired effect as then there was no special handling done for admins so it defaulted to the accounts that it DID know about.

struggling to get SQLAgent to log in now.....

thanks once again

looeee
CChong
By Level 11 Flexeran
The way we are fixing this bug is as follows:

We are trying to keep our authentication mechanism very simple. When a user tries to log in, and if the user belongs to the BUILTIN\Administrator group and the same group exists in SQL Server, we will skip taking into account the privileges of this group.

In fact, we skip taking into account the privileges of any user or group that belongs to the BUILTIN domain.

However, if the SQL Server and the user who is logging into the SQL Server exist on the same machine, then AdminStudio will consider the roles of users and groups belonging to the BUILTIN domain.

What do you think about this?

You can provide me with your feedback at ambera@installshield.com
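
The name-based group lookup described in this thread, next to the BUILTIN handling proposed as the fix, as an added example that is not AdminStudio code and not part of the original posts. The function names, host names, groups and the simplified role table are all constructed assumptions.

```python
# Illustrative model only; not AdminStudio code. All names are hypothetical.
SYSADMIN = "sysadmin"

# Constructed sample: role membership as recorded on the SQL Server host.
SERVER_ROLES = {
    r"BUILTIN\Administrators": {SYSADMIN},   # SQL Server's default
    r"CORP\ProjectAdmins": {SYSADMIN},
    r"CORP\Packagers": {"Author"},
}

def is_builtin(principal):
    """True for machine-local well-known groups such as BUILTIN\\Administrators."""
    return principal.upper().startswith("BUILTIN\\")

def roles_by_name(user_groups):
    """Behaviour described in the thread: match groups by name alone, so a
    workstation's local Administrators group is taken for the server's."""
    roles = set()
    for group in user_groups:
        roles |= SERVER_ROLES.get(group, set())
    return roles

def roles_with_builtin_check(user_groups, client_host, sql_host):
    """Described fix: ignore BUILTIN principals unless the user logs in from
    the SQL Server machine itself, where the local group is the same group."""
    same_machine = client_host.lower() == sql_host.lower()
    roles = set()
    for group in user_groups:
        if is_builtin(group) and not same_machine:
            continue  # local group on another machine: grants nothing here
        roles |= SERVER_ROLES.get(group, set())
    return roles

# Constructed token: a packager who is a local admin on workstation WS042.
PACKAGER_GROUPS = [r"BUILTIN\Administrators", r"CORP\Packagers"]

if __name__ == "__main__":
    print(sorted(roles_by_name(PACKAGER_GROUPS)))
    print(sorted(roles_with_builtin_check(PACKAGER_GROUPS, "WS042", "SQL01")))
    print(sorted(roles_with_builtin_check(PACKAGER_GROUPS, "SQL01", "SQL01")))
```
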