None of the server or database roles would classify as "minimum
settings." You achieve minimum settings with GRANT and DENY
statements. Is your goal to restrict a user to only reading data? If
one of your stored procs allows for the deletion of data, and you
grant execute permissions to the user, the user will be able to
execute that stored proc and delete the data, even if they are not
granted specific delete permission on the table.

You might explore the deny roles and deny granular permissions if you
really don't want someone to do anything other than read data.

It is reasonable to combine the db_datareader role along with granular
stored procedure permissions to meet your goal. Also restrict the
permissions for the data source in ColdFusion Admin as another layer
of protection.

ddladmin allows a user to truncate a database table, so avoid that
role if you want read-only. It helps if users need to truncate though.

-Mike Chabot
http://www.linkedin.com/in/chabot

On Thu, Nov 18, 2010 at 2:27 PM, Russ Michaels <[email protected]> wrote:
>
> Yes but it is a safe role, you can't do anything dodgy
>
> -----Original Message-----
> From: Dave Watts [mailto:[email protected]]
> Sent: 18 November 2010 19:20
> To: cf-talk
> Subject: Re: What was that security again?
>
>
>> DDLADMIN should suffice, this is what role we give to all our customers.
>
> That's way more than needed for reading data.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.
>
>
>
> 
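
The permission behaviour discussed in this thread, as an added T-SQL example that is not part of the original messages. It assumes a SQL Server test database where the objects are owned by dbo; the table, procedure and user names are hypothetical.

```sql
-- Added example; every object and user name below is hypothetical.
CREATE TABLE dbo.Orders (OrderID int PRIMARY KEY, Note varchar(50));
INSERT INTO dbo.Orders VALUES (1, 'keep');
INSERT INTO dbo.Orders VALUES (2, 'purge');
GO
CREATE PROCEDURE dbo.GetOrders AS
    SELECT OrderID, Note FROM dbo.Orders;
GO
CREATE PROCEDURE dbo.PurgeOrders AS
    DELETE FROM dbo.Orders WHERE Note = 'purge';
GO
-- Read-only user: db_datareader, EXECUTE on the read proc only, DENY on writes.
CREATE USER report_reader WITHOUT LOGIN;
EXEC sp_addrolemember 'db_datareader', 'report_reader';
GRANT EXECUTE ON dbo.GetOrders TO report_reader;
DENY INSERT, UPDATE, DELETE ON dbo.Orders TO report_reader;
GO
EXECUTE AS USER = 'report_reader';
EXEC dbo.GetOrders;                          -- allowed by the granular grant
BEGIN TRY
    DELETE FROM dbo.Orders;                  -- blocked by the DENY
END TRY
BEGIN CATCH
    SELECT ERROR_MESSAGE() AS direct_delete;
END CATCH;
BEGIN TRY
    EXEC dbo.PurgeOrders;                    -- blocked: no EXECUTE on this proc
END TRY
BEGIN CATCH
    SELECT ERROR_MESSAGE() AS purge_proc;
END CATCH;
REVERT;
GO
-- The over-grant described in the message: EXECUTE on a deleting proc.
-- Proc and table share an owner (dbo), so ownership chaining skips the table
-- permission check and the DENY DELETE does not stop the proc.
GRANT EXECUTE ON dbo.PurgeOrders TO report_reader;
EXECUTE AS USER = 'report_reader';
EXEC dbo.PurgeOrders;                        -- row 2 is deleted
REVERT;
-- Audit (run as an administrator): procs granted directly to this user whose
-- body writes data. Grants inherited via roles or schemas need a separate check.
SELECT o.name AS proc_name, dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.objects AS o ON dp.class = 1 AND o.object_id = dp.major_id
JOIN sys.sql_modules AS m ON m.object_id = o.object_id
WHERE dp.grantee_principal_id = DATABASE_PRINCIPAL_ID('report_reader')
  AND dp.permission_name = 'EXECUTE' AND dp.state IN ('G', 'W')
  AND (m.definition LIKE '%DELETE%' OR m.definition LIKE '%UPDATE%'
       OR m.definition LIKE '%INSERT%' OR m.definition LIKE '%TRUNCATE%');
REVOKE EXECUTE ON dbo.PurgeOrders FROM report_reader;
```

The audit query is a text match on the procedure body, so it flags candidates for review and will miss writes issued through dynamic SQL built at run time.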

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:339374