Central Management of Sql Logins

thbaig1 · December 1, 2015, 9:05am

HI,
I
have 4 servers that host multiple databases. I am in process to
implement role/user based security to limit QAs and Dev Access. As we
have dev,test and stage env too, so it make it more trouble to manage
login in in all envs. We don't have domain integration to MSSQl, so I
will need to manage sql logins for all users.e.g. create new user,edit
role ,edit password etc.
I want to manage them centrally to avoid
any inconsistency, create/edit user on one server and it may reflect to
all server. By searching google I found I can use CMS(Central Management
Server) group to manage MSSQL instances, but it use windows
authentication only.
Is this good option to manage logins or I may consider some other tools/factors too ?

Thanks

gbritton · December 1, 2015, 2:02pm

Best thing is to use so-called double-abstraction:

Create AD groups for the your DEV and QA groups
Put the Windows logins into the proper AD group
Create Database roles with the just the permissions required for DEV and QA access
Add the Windows groups to the Server logins and database users
add the groups to the proper database roles

That way, you manage the users at the AD level and never have to mess with them at the SQL level.

thbaig1 · December 2, 2015, 8:03am

Thank you gbritton.
But what if I don't have AD and associated users ?

I am evaluating solution where I don't have AD, users will connect directly to server with sql logins.

gbritton · December 2, 2015, 1:44pm

Use windows users and groups