Archives of the TeradataForum
Message Posted: Tue, 22 Nov 2005 @ 18:11:12 GMT
<-- Anonymously Posted: Tuesday, November 22, 2005 09:46 -->
We are looking for advice on how other sites manage the problem of controlling access requests to data.
Here, we setup users into what we call 'usergroups' and then assign rights to that usergroup which are then inherited by users within it.
We create a Database called 'CustomerServiceTeam' from user SECADMIN.
We create a number of Users FROM 'CustomerServiceTeam'
We then grant accessrights to ALL CustomerServiceTeam.
We have found this to be a good method for fulfilling audit/governance requirements as our standard ensures that the lowest 'level' of access that is granted is for all members of the 'usergroup'. From that perspective, It is also accepted here that what we term 'individualised' access (a user specfically granted on a table/view, that its 'usergroup' hasn't) is a dangerous scenario. However, we are finding this increasingly difficult to enforce as the users want the flexability of allowing only a subset of their usergroup access to specific views.
The options we are currently discussing include:
Defining specific ROLES for those users and only granting to them.
Defining a seperate Usergroup for them and drop/recreate those into this new usergroup.
In both cases, the potential overhead on us is immense as taking this to its conclusion would see either a ROLE for every table in our environment and/or a 'usergroup' for every user!
Our Question is:
How do other sites meet the flexability demands of users like this and keep the workload reasonalble?
|Copyright 2016 - All Rights Reserved|
|Last Modified: 23 Jun 2019|