(877) 456-7632 info@msxgroup.com
Message Boards
Sign up Latest Topics
 
 
 


Reply
  Author   Comment  
sschro

Registered:
Posts: 11
Reply with quote  #1 
It is my understanding that all Forecaster Web users need be given some level of permission(s) at the SQL Server level (preferably inherited via a group). Setting aside the application administration and security levels, what permissions on the SQL Server end should users have? db_owner seems far too much permissions necessary...
Rob.Diaz

Moderator
Registered:
Posts: 88
Reply with quote  #2 

All users of Forecaster who are NOT Administrators must be granted the Forecaster role in the Forecaster database.  This is true whether they are using the full client or the web client.

 

All Forecaster Administrators must be granted db_owner within the SQL Database.  When accessing the application via the web they won't have any features available that would take advanage of that level of permission, but typically Forecaster administrators wouldn't use the web bits anyway. 


__________________
Rob Diaz
MSX Group
http://www.msxgroup.com
sschro

Registered:
Posts: 11
Reply with quote  #3 
Thank you Rob
buchb

Registered:
Posts: 1
Reply with quote  #4 
Hi Rob,
My SQL server security settings are all set according the manuals from Microsoft and the main administrator is db_owner... but when she creates a new user in a Forecaster company, the SQL server doesn't create the user properly, if at all... I have most of the time to go into the SQL server and add the user manually or enable the user (it gets created, but is disabled)...
Is there any problem with this or is there a fix that can be applied ? we're on version 7.0.1614.9 (SP3 CU#1).
Thanks in advance.
Rob.Diaz

Moderator
Registered:
Posts: 88
Reply with quote  #5 

Hi buchb,

 

Forecaster does NOT create the corresponding SQL Server logins for new users. This is always a manual process for IT (or a sufficiently trained Forecaster user who has the proper client tools) to do.

 

You can simplify this through the use of Windows groups if you're using Windows authentication, but someone still has to manage the groups.

 

Unfortunately, there is no other workaround because in this particular case it sounds like Forecaster is working as it is designed to work.

 

Hope this helps explain the situation.

Rob

Quote:
Originally Posted by buchb
Hi Rob,
My SQL server security settings are all set according the manuals from Microsoft and the main administrator is db_owner... but when she creates a new user in a Forecaster company, the SQL server doesn't create the user properly, if at all... I have most of the time to go into the SQL server and add the user manually or enable the user (it gets created, but is disabled)...
Is there any problem with this or is there a fix that can be applied ? we're on version 7.0.1614.9 (SP3 CU#1).
Thanks in advance.


__________________
Rob Diaz
MSX Group
http://www.msxgroup.com
sschro

Registered:
Posts: 11
Reply with quote  #6 

Following up on this.

Our security in forecaster is pretty much hosed up with users added directly. Ideally I'd want to set this up by groups. Say: ForecasterAdmins, ForecasterUsers. Where admins have dbo_owner permissions as well as a Forecaster, and users have Forecaster schema checked.

I presume it can be done this way, via groups rather than by adding users directly to the database (via AD).

Thanks

Rob.Diaz

Moderator
Registered:
Posts: 88
Reply with quote  #7 
Yes, AD Groups can be (and are often) used with Forecaster.  The only thing to watch out for is the default schema.  Basically, you cannot set a default schema for a group. Therefore, it will try to use a user's own schema as the default. This is fine for non-admins, but less-fine for admins who should have dbo as the default schema. 

Basically, the thing to consider when you are doing this is that you just need to make certain that the group for Forecaster Admins does have the db_owner database role, which should effectively allow them to do what they need to do within Forecaster.  The Non-admin AD group would get the Forecaster role.  When users then start to log in, SQL Server will create "users" in the Forecaster database.  As long as this user object has a default schema that the user has full control over, it should work.  f users are having trouble using Forecaster, you'll need to look at the user items within Forecaster's database to make sure that they have an appropriate default schema. 

Most of the time, I've only seen trouble on older, unpatched SQL Server 2005 installs.  But a few times I've seen SQL Server map users incorrectly into the database, requiring a little bit of troubleshooting to make sure everything worked.

__________________
Rob Diaz
MSX Group
http://www.msxgroup.com
Previous Topic | Next Topic
Print
Reply

Quick Navigation:

Easily create a Forum Website with Website Toolbox.