
Category: Security

sqlpackage and Managed Identities

Nora Yang provides a guide:

– Enable AAD auth on Azure SQL server

– Conn to Azure SQL database via AAD admin

– Create contained user for the managed identity (using Azure VM name as contained username)

        create user <vmname> from external provider;

        alter role db_owner add member <vmname>;

Read on for the full set of steps.
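As an added example (not from Nora's post), here is the contained-user step written out as a script you would run against the target database while connected as the Azure AD admin, followed by a check against sys.database_principals that the principal really was created as an external (Azure AD) identity rather than as a SQL user. The VM name my-deploy-vm is a placeholder, and db_owner is what the steps above grant; the commented alternative is a narrower set worth trying first if your deployments need less than db_owner.

```sql
-- Added example, not from the original post. Run in the target database as the
-- Azure AD admin of the logical server.
-- 'my-deploy-vm' is a placeholder: the Azure VM whose system-assigned managed
-- identity will run sqlpackage. It must match the VM's name as Azure AD knows it.

-- 1. Create a contained database user for the managed identity.
--    FROM EXTERNAL PROVIDER makes Azure SQL resolve the name in Azure AD, so no
--    server login and no password are created.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'my-deploy-vm')
BEGIN
    CREATE USER [my-deploy-vm] FROM EXTERNAL PROVIDER;
END;

-- 2. Grant the rights the deployment needs. The guide uses db_owner; the
--    commented alternative is a narrower set to test first when the deployment
--    only changes schema and data.
ALTER ROLE db_owner ADD MEMBER [my-deploy-vm];
-- ALTER ROLE db_ddladmin   ADD MEMBER [my-deploy-vm];
-- ALTER ROLE db_datareader ADD MEMBER [my-deploy-vm];
-- ALTER ROLE db_datawriter ADD MEMBER [my-deploy-vm];

-- 3. Verify: the principal should show type EXTERNAL_USER with EXTERNAL
--    authentication, and its role membership should be visible. A SQL_USER
--    here means the name was created without FROM EXTERNAL PROVIDER.
SELECT dp.name,
       dp.type_desc,
       dp.authentication_type_desc,
       r.name AS role_name
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS drm
       ON drm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = drm.role_principal_id
WHERE dp.name = N'my-deploy-vm';
```

The verification query is the part worth keeping around: it is the quickest way to tell an identity that Azure SQL will actually authenticate through Azure AD from a same-named SQL user that someone created by hand.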

Comments closed

Understanding CCPA

Anas Baig provides a primer on the California Consumer Privacy Act:

While the GDPR has some of the most crushing requirements, such as the brief 12-hour window to report a breach, CCPA takes a broader view. It goes even further to locate and protect what constitutes personal or private data as per the GDPR. 

The primary difference between the two is that GDPR is more about prior consent, while CCPA is about opting out. GDPR binds businesses to ask for consent before having a consumer’s data stored and processed. On the other hand, CCPA requires businesses to enable consumers to opt out at any point.

It allows consumers to access every piece of personal information saved and a complete list of third parties it is shared with. Moreover, consumers have the right to sue a company for violating privacy guidelines even if there has been no breach.

Considering how much we heard about GDPR, I’m surprised there’s been so little about CCPA.


Kafka Advisory CVE-2022-34917

Debaditya Bhattacharyya reviews the impact of a Kafka security advisory:

The Apache Kafka® project announced on September 19, 2022 that a security vulnerability has been identified in Apache Kafka, CVE-2022-34917. After being informed of this, Instaclustr began investigating its potential impact on customers of our Apache Kafka offering. This vulnerability allows malicious, unauthenticated clients to allocate large amounts of memory on the brokers. This can lead to OutOfMemoryException in the brokers causing denial of service.

Read on to learn more about the impact and techniques for mitigation.


Creating Multiple Audiences in a Power BI App Workspace

Gilbert Quevauvilliers plays to the audience:

With the recent announcement (Announcing Public Preview of Multiple Audiences for Power BI Apps | Microsoft Power BI Blog | Microsoft Power BI) it is now possible to create multiple audiences in a single App Workspace.

What this means is that you can now have a single app workspace but create a view for specific users (each view is known as an Audience).

This blog post will detail how to manage multiple audiences with AAD Security Groups, where the only requirement will be to update the app when new reports get created and to which audience to make them available.

There’s also a big warning on Gilbert’s post that you will not want to miss.


Creating Server Roles Can Create Logins

Kenneth Fisher ran into an interesting issue:

One of my co-workers came to me the other day and told me that they found their network id as a login on one of our SQL Server instances. Why is that noteworthy? We make a point of using AD groups if at all possible. He did a little bit more work and tracked it down to a series of commands that he had run recently. I’ll be honest with you, this was starting to feel like a couple of other cases where I’ve seen database objects and principals show up unexpectedly. One was when I created a database object without setting a default schema, and the other was when I created a database audit specification to audit a user that didn’t have an associated database principal (access was through an AD group).

This time around, it was creating a server role. Read on for Kenneth’s thoughts and how you can avoid accidentally creating logins for individual Active Directory users.
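An added illustration, not from Kenneth's post, of how I understand the mechanism and how to check for it. When you create a server role without an AUTHORIZATION clause, the principal running the statement becomes the role's owner; if that principal came in through an AD group login, SQL Server has to materialize a login for the individual user in order to record ownership, which is the same ownership story as the default-schema case Kenneth mentions. Naming an existing principal as owner avoids that, and the audit queries afterward list non-fixed server roles with their owners and any individual Windows-user logins (type U) created recently, which is what you would expect to be empty on an instance that standardizes on groups. The role name, owner and 30-day window are placeholders.

```sql
-- Added example, not from Kenneth's post. Role and owner names are placeholders.

-- Implicit owner: whoever runs this becomes the role's owner. If that is a
-- Windows user connected through an AD group login, SQL Server creates a login
-- for the individual user so it has a principal to record as owner.
-- CREATE SERVER ROLE [deploy_operators];

-- Explicit owner: name a principal that already exists, so nothing new is created.
CREATE SERVER ROLE [deploy_operators] AUTHORIZATION [sa];

-- Audit 1: user-defined server roles and the principal that owns each one.
SELECT r.name        AS role_name,
       o.name        AS owner_name,
       o.type_desc   AS owner_type,
       r.create_date
FROM sys.server_principals AS r
JOIN sys.server_principals AS o
  ON o.principal_id = r.owning_principal_id
WHERE r.type = 'R'
  AND r.is_fixed_role = 0;

-- Audit 2: individual Windows-user logins (type U) created in the last 30 days.
-- AD group logins are type G; if groups are the policy, any row here is worth
-- tracing back to the statement that created it.
SELECT name, type_desc, create_date, is_disabled
FROM sys.server_principals
WHERE type = 'U'
  AND create_date >= DATEADD(DAY, -30, GETDATE())
ORDER BY create_date DESC;
```

The second query is the one to schedule: an unexpected individual login is easy to miss in the UI, and create_date ties it back to the change window in which it appeared.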


Principal Type not Supported Errors in Azure SQL DB/MI

Sabrin Alsahsah takes us through a few common causes of Azure Active Directory errors in Azure SQL Database and SQL Managed Instances:

We received some support cases when customers encounter the error below while trying to add an AAD security group to their Azure SQL Database or Azure SQL managed instance. In this blog article, we will be listing a few points to be checked to troubleshoot this error that can help you to identify the cause.

Msg 33130, Level 16, State 1, Line 1

Principal ‘XXXXXX’ could not be found or this principal type is not supported.

Read on for several reasons why things might be going wrong.


Cell-Level (aka Column-Level) Encryption in SQL Server

Etienne Lopes takes us through cell-level encryption:

Securing data has always been important but as time goes by, more and more data is available all around us, some of it is considered sensitive data and it becomes a major concern to protect it somehow, in fact in certain cases it is legally mandatory to comply with certain regulations (like GDPR). SQL Server offers a few options regarding data protection (either by means of encryption or obfuscation), cell level encryption being one of them.

In this post I’ll explain what cell level encryption is along with its use cases, and I’ll use a thorough demo to show how to implement it in a database and how it works.

Despite Always Encrypted being available, I’m more apt to use column-level/cell-level encryption because it’s easier to implement. Well, that and the lack of Always Encrypted in Azure Synapse Analytics.
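As an added example (mine, not from Etienne's demo), here is the whole cell-level encryption flow in one script: the key hierarchy, encrypting a column in place, reading it back, and then dropping the plaintext. Table, key names and the master key password are placeholders. The one thing I would push for that the basic pattern omits is the authenticator argument: binding each ciphertext to its row's primary key means a ciphertext copied from one row into another decrypts to NULL instead of to a valid-looking value.

```sql
-- Added demo, not from the original post. Key names, password and table are
-- placeholders; store the master key password somewhere managed, not in scripts.

-- 1. Key hierarchy: database master key -> certificate -> symmetric key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong master key password>';
CREATE CERTIFICATE CustomerCert WITH SUBJECT = N'Protects CustomerKey';
CREATE SYMMETRIC KEY CustomerKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CustomerCert;

-- 2. A table with a sensitive column plus a VARBINARY column for its ciphertext.
CREATE TABLE dbo.Customer
(
    CustomerId INT IDENTITY PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    TaxId      NVARCHAR(20)  NULL,      -- plaintext, dropped after migration
    TaxIdEnc   VARBINARY(256) NULL      -- ciphertext
);
INSERT dbo.Customer (Name, TaxId)
VALUES (N'Alice', N'123-45-6789'), (N'Bob', N'987-65-4321');   -- constructed sample rows

-- 3. Encrypt. The symmetric key must be opened in the session first.
--    add_authenticator = 1 with the row's primary key as authenticator ties
--    each ciphertext to its own row.
OPEN SYMMETRIC KEY CustomerKey DECRYPTION BY CERTIFICATE CustomerCert;

UPDATE dbo.Customer
SET TaxIdEnc = ENCRYPTBYKEY(KEY_GUID('CustomerKey'), TaxId, 1, CONVERT(sysname, CustomerId));

-- 4. Decrypt with the same authenticator. A ciphertext that was moved between
--    rows, or tampered with, comes back as NULL rather than as another row's value.
SELECT CustomerId,
       Name,
       CONVERT(NVARCHAR(20), DECRYPTBYKEY(TaxIdEnc, 1, CONVERT(sysname, CustomerId))) AS TaxId
FROM dbo.Customer;

CLOSE SYMMETRIC KEY CustomerKey;

-- 5. Once the encrypted column has been verified, remove the plaintext.
ALTER TABLE dbo.Customer DROP COLUMN TaxId;
```

The caveat that goes with the "easier to implement" point: the key is opened and used inside the engine, so anyone who can open the symmetric key (or who holds CONTROL on the certificate) can read the data, and the plaintext crosses the wire to the client. That is the boundary Always Encrypted moves to the client, and it is the trade you are making when you pick cell-level encryption for simplicity.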


PolyBase and Windows Authentication in SQL Server 2022

I have some bad news:

Back in the SQL Server 2019 days, I laid out a post which covered a really annoying bug around Windows authentication and PolyBase. The upshot is that SQL Server 2019 CU2 broke Windows authentication, meaning that you could not create external objects on a SQL Server instance while using a Windows authenticated session. In CU2, if you tried, you would get a Level 20 error which would kill your session.

Over the next several CUs, the SQL Server team improved things incrementally: first, the error that you got was a Level 16 error, so your statement would fail but the session would remain active. Then, in CU6, they made it so that if your SQL Server instance is on a server running on a domain, then you would be okay—you could create external objects while connected with a domain-authenticated Windows account.

I decided to give this a try in SQL Server 2022 RC0 and ran into some interesting results. 

Click through for those results.


Allow Azure AD B2B Users to Access Power BI Reports

Gilbert Quevauvilliers provides access:

I was recently doing some testing and when I went to share a Power BI report with an external (B2B) user I could not initially find out how to do this.

NOTE: I had already created my External (B2B) users, you can follow this guide below if you still need to create the external (B2B) users: Distribute content to external guest users with Azure AD B2B – Power BI | Microsoft Docs

I thought it would be good to share the steps on how I achieved this below.

Read on to see how. Also check out the insightful question in the comments section.


Automating Bring-Your-Own-Key Rotation for TDE in Azure SQL DB

Shoham Dasgupta announces a new preview program:

Transparent data encryption (TDE) in Azure SQL Database and Managed Instance helps protect against the threat of malicious offline activity by encrypting data at rest.  TDE with Customer-Managed Key (CMK) enables Bring Your Own Key (BYOK) scenario for data protection at rest, by allowing a key stored in a customer-owned and customer-managed Azure Key Vault to be used as the TDE Protector on the server or managed instance.

When using TDE with Customer-Managed Key, one of the important responsibilities that customers need to perform on a regular basis is key rotation, that is, rotating the TDE Protector on the server by switching to a new key (or new version of the earlier key) from Azure Key Vault. Key rotation is a critical activity for an organization that is required to meet security and compliance objectives.

Automated key rotation for Azure SQL Database and Managed Instance is now available in preview, simplifying key management responsibilities for customers.

Click through to see how this works.
