KBI 312173 Using Read-Only Account In Argent Reporter To Prevent Bad Custom SQL Query From Damaging Database
Version
Argent Omega 2.2A-2404-A and later
Date
Thursday, 13 June 2024
Summary
SQL Query reports are versatile and flexible enough to report on any SQL data.
Argent Reporter provides built-in SQL queries for both Compliance Reports and SQL Query Reports.
Compliance Reports
Generic Compliance Reports
SQL Query Reports
Sometimes users may need to further customize the SQL query or create their own SQL query for reports.
A badly written SQL query might damage the database. For example, a stored procedure might contain statements that delete rows.
The easiest way to avoid the unexpected consequences is to use the built-in SQL queries.
In cases where a custom SQL query must be used, make sure to specify a read-only credential.
There are two types of SQL logins: Windows Authentication and SQL Server Authentication.
To make a SQL login READ-ONLY, specify Database Roles db_datareader, db_denydatawriter and public.
Then create a User/Password Credential in Credential Manager.
Use the defined credential in the custom report. The report then won’t be able to delete or modify the database.
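The T-SQL below is an added example, not taken from Argent's documentation, showing one way to create the read-only login described above and confirm its effective permissions. The login name, database name and password are placeholders, and ALTER ROLE ... ADD MEMBER assumes SQL Server 2012 or later.

```sql
-- Added example. argent_report_ro, ExampleReportDB and the password are
-- placeholders (assumptions), not values from this KB article.
USE [master];
GO

-- SQL Server Authentication login for the report credential.
CREATE LOGIN [argent_report_ro]
    WITH PASSWORD = N'<replace-with-a-strong-password>',
         CHECK_POLICY = ON;
-- Windows Authentication variant (placeholder domain and account):
-- CREATE LOGIN [EXAMPLE\argent_report_ro] FROM WINDOWS;
GO

USE [ExampleReportDB];
GO

-- Map the login to a database user and assign the database roles.
-- Every database user is already a member of public.
CREATE USER [argent_report_ro] FOR LOGIN [argent_report_ro];
ALTER ROLE [db_datareader]     ADD MEMBER [argent_report_ro];
ALTER ROLE [db_denydatawriter] ADD MEMBER [argent_report_ro];
GO

-- Confirm role membership for the new user.
SELECT IS_ROLEMEMBER('db_datareader',     'argent_report_ro') AS in_datareader,
       IS_ROLEMEMBER('db_denydatawriter', 'argent_report_ro') AS in_denydatawriter;
GO

-- Check effective database-level permissions in the report user's context.
-- Each column is 1 when the permission is held and 0 when it is not.
EXECUTE AS USER = N'argent_report_ro';
SELECT HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'SELECT')  AS can_select,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'INSERT')  AS can_insert,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'UPDATE')  AS can_update,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'DELETE')  AS can_delete,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'EXECUTE') AS can_execute;
REVERT;
GO
```

These roles govern direct table access. If the account is also granted EXECUTE on a stored procedure, ownership chaining lets that procedure's writes run without checking the caller's table permissions, so leave EXECUTE ungranted for this account.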
Technical Background
Argent Omega uses Impersonation to switch security context when the read-only account is a Windows account.
To impersonate, the account must have the ‘Log on as a batch job’ user right on the Argent Omega Generator machine.
This is not necessary if a SQL Server account is used for authentication.
Resolution
Upgrade to Argent Omega 2.2A-2404-A or later