What should you recommend?

###BeginCaseStudy###
Case Study 2
Contoso Ltd
Overview
Application Overview
Contoso, Ltd., is the developer of an enterprise resource planning (ERP) application.
Contoso is designing a new version of the ERP application. The previous version of the ERP
application used SQL Server 2008 R2. The new version will use SQL Server 2014.
The ERP application relies on an import process to load supplier data. The import process
updates thousands of rows simultaneously, requires exclusive access to the database, and runs daily.

You receive several support calls reporting unexpected behavior in the ERP application.
After analyzing the calls, you conclude that users made changes directly to the tables in the
database.
Tables
The current database schema contains a table named OrderDetails. The OrderDetails
table contains information about the items sold for each purchase order. OrderDetails
stores the product ID, quantities, and discounts applied to each product in a purchase
order. The product price is stored in a table named Products.
The Products table was defined by using the SQL_Latin1_General_CP1_CI_AS collation. A
column named ProductName was created by using the varchar data type.
The database contains a table named Orders. Orders contains all of the purchase orders from
the last 12 months. Purchase orders that are older than 12 months are stored in a table named OrdersOld.
Stored Procedures
The current version of the database contains stored procedures that change two tables. The
following shows the relevant portions of the two stored procedures:

Customer Problems
Installation Issues
The current version of the ERP application requires that several SQL Server logins be set up
to function correctly. Most customers set up the ERP application in multiple locations and
must create logins multiple times.
Index Fragmentation Issues
Customers discover that clustered indexes often are fragmented. To resolve this issue, the
customers defragment the indexes more frequently.
All of the tables affected by fragmentation have the following columns that are used as the
clustered index key:

Backup Issues
Customers who have large amounts of historical purchase order data report that backup time
is unacceptable.
Search Issues
Users report that when they search product names, the search results exclude product names
that contain accents, unless the search string includes the accent.
Missing Data Issues
Customers report that when they make a price change in the Products table, they cannot
retrieve the price that the item was sold for in previous orders.
Query Performance Issues
Customers report that query performance degrades very quickly. Additionally, the customers
report that users cannot run queries when SQL Server runs maintenance tasks.
Import Issues
During the monthly import process, database administrators receive many support calls from
users who report that they cannot access the supplier data. The database administrators want
to reduce the amount of time required to import the data.
Design Requirements
File Storage Requirements
The ERP database stores scanned documents that are larger than 2 MB. These files must only
be accessed through the ERP application. File access must have the best possible read and
write performance.
Data Recovery Requirements
If the import process fails, the database must be returned to its prior state immediately.
Security Requirements
You must provide users with the ability to execute functions within the ERP application,
without having direct access to the underlying tables.
Concurrency Requirements
You must reduce the likelihood of deadlocks occurring when Sales.Proc1 and Sales.Proc2 execute.
###EndCaseStudy###

You need to recommend a solution that addresses the security requirement.
What should you recommend?

A.
Revoke user permissions on the tables. Create stored procedures that manipulate data.
Grant the users the EXECUTE permission on the stored procedures.

B.
Grant the users the SELECT permission on the tables. Create views that retrieve data
from the tables. Grant the users the SELECT permission on the views.

C.
Deny the users SELECT permission on the tables. Create views that retrieve data from
the tables. Grant the users the SELECT permission on the views.

D.
Deny the users the SELECT permission on the tables. Create stored procedures that
manipulate data. Grant the users the EXECUTE permission on the stored procedures.

Explanation:

* Security Requirements
You must provide users with the ability to execute functions within the ERP application,
without having direct access to the underlying tables.
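A worked version of answer A, added here as an example; it is not part of the original question or its explanation. The Sales schema comes from the case study, but the table, column, procedure and user names are assumptions, and the script creates them so it runs on an empty database.

```sql
-- Added example (not from the original page): answer A applied to a
-- hypothetical Sales.OrderDetails table. Object, column and user names
-- are assumptions; the schema and table are created so the script stands alone.
CREATE SCHEMA Sales AUTHORIZATION dbo;
GO
CREATE TABLE Sales.OrderDetails (
    OrderID   int NOT NULL,
    ProductID int NOT NULL,
    Quantity  int NOT NULL,
    Discount  decimal(5,2) NOT NULL DEFAULT 0,
    CONSTRAINT PK_OrderDetails PRIMARY KEY (OrderID, ProductID)
);
CREATE USER ErpUser WITHOUT LOGIN;  -- stands in for an ERP application user
-- Step 1: remove any direct table rights the user was given. REVOKE removes
-- the grant without adding a DENY, so access through an ownership chain
-- (procedure and table owned by the same principal, dbo here) still works.
REVOKE SELECT, INSERT, UPDATE, DELETE ON Sales.OrderDetails FROM ErpUser;
GO
-- Step 2: the data-changing logic lives in a procedure in the same schema.
CREATE PROCEDURE Sales.AddOrderDetail
    @OrderID int, @ProductID int, @Quantity int, @Discount decimal(5,2) = 0
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO Sales.OrderDetails (OrderID, ProductID, Quantity, Discount)
    VALUES (@OrderID, @ProductID, @Quantity, @Discount);
END;
GO
-- Step 3: the user may only run the procedure.
GRANT EXECUTE ON Sales.AddOrderDetail TO ErpUser;
-- Verification: impersonate the user. The direct INSERT fails with
-- "The INSERT permission was denied on the object 'OrderDetails'", while the
-- procedure succeeds because table permissions are not checked inside an
-- unbroken ownership chain.
EXECUTE AS USER = 'ErpUser';
BEGIN TRY
    INSERT INTO Sales.OrderDetails (OrderID, ProductID, Quantity) VALUES (1, 10, 2);
END TRY
BEGIN CATCH
    PRINT 'Direct insert blocked: ' + ERROR_MESSAGE();
END CATCH;
EXEC Sales.AddOrderDetail @OrderID = 1, @ProductID = 10, @Quantity = 2;
SELECT HAS_PERMS_BY_NAME('Sales.OrderDetails', 'OBJECT', 'INSERT')   AS DirectInsert, -- 0
       HAS_PERMS_BY_NAME('Sales.AddOrderDetail', 'OBJECT', 'EXECUTE') AS CanExecute;   -- 1
REVERT;
GO
```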




Jai

Why not D?

Question is

Security Requirements
You must provide users with the ability to execute functions within the ERP application,
without having direct access to the underlying tables.

Pete

A, because we are talking not just about SELECT. All permissions to the tables should be revoked here…

WK

Pete is right – A is correct.

Mido

Yes, A is the right answer, since we want to revoke all of the customer's rights to the direct table but grant the selected rights to the table through the stored procedure.

Mido

Revoke all permissions, but Deny only the SELECT permission: we want to remove all user permissions (including INSERT and DELETE), so we must revoke the user permissions.
Also, Deny ends the user's permission even from another stored procedure, but revoke takes the SELECT, … permission away from only the direct table, and they can still select through the stored procedure or any other program.
Answer A is the most logical answer.

adityomagnet@gmail.com

C is correct

Skippo

Really?! Despite all of the above concise explanations you’d still suggest option C?! Are you a troll or just plain stupid?!!

Martin

Revoke means that the users have explicitly assigned rights.
If they got the permission by an application role, it's not possible to revoke it for the user. But it's possible to deny it.

Mick

I'm going with A. Setting DENY SELECT would still allow INSERT, UPDATE, DELETE etc. if granted to those users.

Paul

The answer is A.

From the scenario:
“…The previous version of the ERP application relied on table-level security…”
“…You must provide users with the ability to execute functions within the ERP application, without having direct access to the underlying tables…”

Most probably, this question assumes your knowledge of SQL permission chaining.

The proposed solution: create stored procedures in the same schema with tables, revoke direct access to tables from users (if any), and grant EXECUTE permissions to stored procedures.

Vladimir

C.

Explanation:
* Security Requirements
You must provide users with the ability to execute functions within the ERP application,
without having direct access to the underlying tables.

User-defined functions allow only SELECT statements from underlying tables. So:
1. Deny SELECT from underlying tables.
2. Grant SELECT from the view.

Answers A and D are about manipulating data. We cannot manipulate data (UPDATE, INSERT, DELETE) through functions.
