
The Many Ways To Configure SQL Database Security for DNN.

DNN has many ways to configure the SQL database based on the security that is needed. To make it easier to evaluate which security model to use, I have listed the possible scenarios and how to set up each one.

Scenario #1 (dbowner access, dbo)

You can keep the databaseOwner in the web.config file set to dbo and give the user the site connects with only db_owner permissions.
This assumes that the default schema for the user in the connectionString is set to dbo (if not, this will not work).

Scenario #2 (non db-owner access, dbo)

You can keep the databaseOwner in the web.config file set to dbo and give the user the site connects with only db_datareader, db_datawriter, db_securityadmin and db_ddladmin permissions. This assumes that the default schema for the user in the connectionString is set to dbo (if not, this will not work).

Scenario #3 (non db-owner, execute only access, dbo)

You set up 2 users: one with db_datareader, db_datawriter, db_securityadmin and db_ddladmin permissions, and the other with no additional access except belonging to the public group. You then use the user that only belongs to the public group for the normal connectionStrings, and you use the one with the additional permissions in the upgradeConnectionString parameter. This is better than the first 2 because the everyday user that runs the site only has execute permissions on all the sprocs and functions. See my blog here about this setup.
This assumes that the default schema for the users in the connectionString / upgradeConnectionString is set to dbo (if not, this will not work).
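The two-user setup from Scenario #3 as T-SQL, with a check of what the runtime user can actually do. This is an added example, not part of the original post; the database name DNN, the names DNNUpgrade and DNNRuntime and the password placeholders are assumptions, and ALTER ROLE ... ADD MEMBER needs SQL Server 2012 or later.

```sql
-- Added example. DNN, DNNUpgrade and DNNRuntime are placeholder names;
-- replace the password placeholders before running.
CREATE LOGIN [DNNUpgrade] WITH PASSWORD = N'<strong-password-1>';
CREATE LOGIN [DNNRuntime] WITH PASSWORD = N'<strong-password-2>';
GO

USE [DNN];
GO

-- Both users must default to the dbo schema for this scenario to work.
CREATE USER [DNNUpgrade] FOR LOGIN [DNNUpgrade] WITH DEFAULT_SCHEMA = [dbo];
CREATE USER [DNNRuntime] FOR LOGIN [DNNRuntime] WITH DEFAULT_SCHEMA = [dbo];

-- Upgrade user: the four fixed roles named in the scenario, not db_owner.
ALTER ROLE [db_datareader]    ADD MEMBER [DNNUpgrade];
ALTER ROLE [db_datawriter]    ADD MEMBER [DNNUpgrade];
ALTER ROLE [db_securityadmin] ADD MEMBER [DNNUpgrade];
ALTER ROLE [db_ddladmin]      ADD MEMBER [DNNUpgrade];

-- Runtime user: no role membership is added, so it holds only what
-- has been granted to public.
GO

-- Check 1: role membership and default schema of both users.
-- DNNRuntime should appear once, with role_name NULL.
SELECT u.name AS user_name, u.default_schema_name, r.name AS role_name
FROM sys.database_principals AS u
LEFT JOIN sys.database_role_members AS m
       ON m.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = m.role_principal_id
WHERE u.name IN (N'DNNUpgrade', N'DNNRuntime')
ORDER BY u.name, r.name;

-- Check 2: database-level permissions as seen by the runtime user.
-- Anything beyond CONNECT here comes from grants made to public.
EXECUTE AS USER = N'DNNRuntime';
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
GO
```

DNNRuntime then goes in the normal connectionStrings and DNNUpgrade in the upgradeConnectionString.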

Scenario #4 (db-owner, {custom databaseOwner})


If you set a user as the databaseOwner in the web.config then it has to have db_owner permissions. Otherwise setting it as databaseOwner in the web.config is not correct. Joe Brinkman has a great video about this setup posted here. To get it to work though, instead of giving the user that is set as the databaseOwner (ex: DNNdbo) in the DNN web.config db_datareader, db_datawriter, db_securityadmin and db_ddladmin permissions, you have to give the user db_owner permissions.

Scenario #5 (db-owner, limited or execute access only, {custom databaseOwner})

This is the scenario where there are problems, but they can be overcome using the upgradeConnectionString. If you do the steps to implement Scenario #4 and then add another user (ex: DNNUser), you can either give this user db_datareader, db_datawriter, db_securityadmin and db_ddladmin permissions or let it only be part of the public group so it only has execute permissions. When you create the login for the user, make sure you set the default schema (login / user mappings) to the same schema you created in Scenario #4. You then set the upgradeConnectionString to use the user that is the owner of the schema you created (ex: DNNdbo), and you set the normal connectionStrings to the limited-access user (ex: DNNUser).
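The Scenario #4 schema owner plus the Scenario #5 limited user as T-SQL. This is an added example, not part of the original post; DNNdbo and DNNUser are the post's example names, while the database name DNN, the password placeholders and naming the schema after its owner are assumptions.

```sql
-- Added example. Assumes the custom schema is named DNNdbo, the same
-- as the user that owns it; replace the password placeholders.
CREATE LOGIN [DNNdbo]  WITH PASSWORD = N'<strong-password-1>';
CREATE LOGIN [DNNUser] WITH PASSWORD = N'<strong-password-2>';
GO

USE [DNN];
GO

-- Scenario #4: the user named as databaseOwner owns the schema
-- and is a member of db_owner.
CREATE USER [DNNdbo] FOR LOGIN [DNNdbo];
GO
CREATE SCHEMA [DNNdbo] AUTHORIZATION [DNNdbo];  -- must start its own batch
GO
ALTER USER [DNNdbo] WITH DEFAULT_SCHEMA = [DNNdbo];
ALTER ROLE [db_owner] ADD MEMBER [DNNdbo];
GO

-- Scenario #5: the everyday user gets the SAME default schema and,
-- in the execute-only variant, no role membership beyond public.
CREATE USER [DNNUser] FOR LOGIN [DNNUser] WITH DEFAULT_SCHEMA = [DNNdbo];
GO

-- Check: both users must resolve unqualified names to the custom
-- schema, and that schema must be owned by DNNdbo.
SELECT u.name               AS user_name,
       u.default_schema_name,
       o.name               AS schema_owner
FROM sys.database_principals AS u
LEFT JOIN sys.schemas AS s
       ON s.name = u.default_schema_name
LEFT JOIN sys.database_principals AS o
       ON o.principal_id = s.principal_id
WHERE u.name IN (N'DNNdbo', N'DNNUser');
GO
```

Both rows should show DNNdbo as default_schema_name and schema_owner; DNNdbo is then used in the upgradeConnectionString and DNNUser in the normal connectionStrings.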

Summary

DNN does support non-db_owner access (Scenarios #2 & #3). DNN also supports non-dbo setups (Scenario #5), but if you set the databaseOwner to a user other than dbo, that user has to have db_owner permissions. So that your site does not need to run under this user, you have to use the upgradeConnectionString and have an additional user that is set up with limited permissions (set to use the same default schema as the db_owner user).
