In addition to creating integrated logins for individual Windows users, you can create integrated logins for Windows user groups.
When a Windows user logs in, if they do not have an explicit integrated login mapping, but belong to a Windows user group for which there is an integrated login mapping, the user connects to the database as the database user or group specified in the Windows user group's integrated login mapping.
Creating an integrated login for a Windows user group allows any user that is a member of the group to connect to the database without knowing a user ID or password.
See Preventing members of Windows user groups from connecting to a database.
If the Windows user belongs to more than one Windows user group, and more than one Windows user group on the computer has an integrated login mapping in the database, then the integrated login only succeeds if all of the Windows user groups on the computer have integrated login mappings to the same database user ID. If multiple Windows user groups have integrated login mappings to different database user IDs, an error is returned and the integrated login fails.
For example, consider a database with two user IDs, dbuserA and dbuserB, and the Windows user windowsuser who belongs to the Windows user groups xpgroupA and xpgroupB.
| This SQL statement... | Allows... |
|---|---|
| | windowsuser to connect to the database using the integrated login mapping set explicitly for windowsuser. |
| | windowsuser to connect to the database using the integrated login mapping granted to xpgroupA. |
| | windowsuser to connect to the database because both Windows user groups that windowsuser belongs to have an integrated login mapping to the same database user. |
| | No connection to the database. When windowsuser attempts to connect to the database, the integrated login fails because each Windows user group has an integrated login mapping to a different database user and windowsuser is a member of both Windows user groups. |
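The four cases in the table above, written out as one script. This is an added example, not the statements from the original page: the choice of dbuserA or dbuserB in each case is an assumption, as is the starting state (both database users exist and no integrated login mappings have been granted yet).

```sql
-- Added illustration. Assumes dbuserA and dbuserB already exist, that no
-- integrated login mappings exist when the script starts, and that it is
-- run by a user with DBA authority.

-- Case 1: explicit mapping for the individual Windows user.
-- windowsuser connects as dbuserA through its own mapping.
GRANT INTEGRATED LOGIN TO windowsuser AS USER dbuserA;

-- Remove the explicit mapping so the group cases below apply.
REVOKE INTEGRATED LOGIN FROM windowsuser;

-- Case 2: one of the user's groups has a mapping.
-- windowsuser connects as dbuserA through xpgroupA.
GRANT INTEGRATED LOGIN TO xpgroupA AS USER dbuserA;

-- Case 3: both groups map to the same database user.
-- windowsuser is in xpgroupA and xpgroupB; both resolve to dbuserA,
-- so the integrated login succeeds.
GRANT INTEGRATED LOGIN TO xpgroupB AS USER dbuserA;

-- Case 4: the groups map to different database users.
-- xpgroupA -> dbuserA and xpgroupB -> dbuserB: the integrated login for
-- windowsuser now fails with an error instead of picking one mapping.
REVOKE INTEGRATED LOGIN FROM xpgroupB;
GRANT INTEGRATED LOGIN TO xpgroupB AS USER dbuserB;

-- Resolve the conflict by returning xpgroupB to the same target as
-- xpgroupA (the state of case 3).
REVOKE INTEGRATED LOGIN FROM xpgroupB;
GRANT INTEGRATED LOGIN TO xpgroupB AS USER dbuserA;
```

Because every member of a mapped Windows group connects without a user ID or password, map groups to a database user that holds only the permissions the whole group should have.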
By default, the computer the SQL Anywhere database server is running on is used to verify Windows user group membership. If the Domain Controller server is a different computer than the one the database server is running on, you can specify the name of the Domain Controller server using the integrated_server_name option. For example:
```sql
SET OPTION PUBLIC.integrated_server_name = '\\myserver-1';
```
Copyright © 2008, iAnywhere Solutions, Inc. - SQL Anywhere 11.0.0