Creating integrated logins for Windows user groups

In addition to creating integrated logins for individual Windows users, you can create integrated logins for Windows user groups.

When a Windows user logs in, if they do not have an explicit integrated login mapping, but belong to a Windows user group for which there is an integrated login mapping, the user connects to the database as the database user or group specified in the Windows user group's integrated login mapping.

Caution

Creating an integrated login for a Windows user group allows any user that is a member of the group to connect to the database without knowing a user ID or password.

See Preventing members of Windows user groups from connecting to a database.

Members of multiple groups

If the Windows user belongs to more than one Windows user group, and more than one Windows user group on the computer has an integrated login mapping in the database, then the integrated login only succeeds if all of the Windows user groups on the computer have integrated login mappings to the same database user ID. If multiple Windows user groups have integrated login mappings to different database user IDs, an error is returned and the integrated login fails.

For example, consider a database with two user IDs, dbuserA and dbuserB, and the Windows user windowsuser who belongs to the Windows user groups xpgroupA and xpgroupB.

This SQL statement:

GRANT INTEGRATED LOGIN
TO windowsuser
AS USER dbuserA;

Allows: windowsuser to connect to the database using the integrated login mapping set explicitly for windowsuser.

This SQL statement:

GRANT INTEGRATED LOGIN
TO xpgroupA
AS USER dbuserB;

Allows: windowsuser to connect to the database using the integrated login mapping granted to xpgroupA.

These SQL statements:

GRANT INTEGRATED LOGIN
TO xpgroupA
AS USER dbuserB;
GRANT INTEGRATED LOGIN
TO xpgroupB
AS USER dbuserB;

Allow: windowsuser to connect to the database because both Windows user groups that windowsuser belongs to have an integrated login mapping to the same database user.

These SQL statements:

GRANT INTEGRATED LOGIN
TO xpgroupA
AS USER dbuserA;
GRANT INTEGRATED LOGIN
TO xpgroupB
AS USER dbuserB;

Allow: No connection to the database. When windowsuser attempts to connect to the database, the integrated login fails because each Windows user group has an integrated login mapping to a different database user and windowsuser is a member of both Windows user groups.
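
The resolution rules described above can be modeled offline to review a set of mappings before granting them. This is an added example, not SQL Anywhere's own code: resolve_integrated_login is a hypothetical helper, the mapping dictionaries are constructed from the table rows, and case-insensitive name comparison is an assumption.

```python
from typing import Dict, Iterable, Optional, Tuple


def resolve_integrated_login(
    windows_user: str, member_of: Iterable[str], mappings: Dict[str, str]
) -> Tuple[Optional[str], str]:
    """Model of the rules above (hypothetical helper, not server code).

    mappings: Windows user or group name -> database user ID, one entry per
    GRANT INTEGRATED LOGIN statement. Returns (database_user, reason);
    database_user is None when the integrated login would fail.
    """
    # Assumption: Windows names and database user IDs compare case-insensitively.
    table = {name.casefold(): db_user for name, db_user in mappings.items()}

    # An explicit mapping for the Windows user is used if one exists.
    explicit = table.get(windows_user.casefold())
    if explicit is not None:
        return explicit, "explicit user mapping"

    # Otherwise gather the mapping of every group the user belongs to.
    via = {g: table[g.casefold()] for g in member_of if g.casefold() in table}
    if not via:
        return None, "no integrated login mapping"

    # Every mapped group must point at the same database user ID.
    if len({u.casefold() for u in via.values()}) > 1:
        detail = ", ".join(f"{g}->{u}" for g, u in sorted(via.items()))
        return None, "conflicting group mappings: " + detail
    return next(iter(via.values())), "group mapping via " + ", ".join(sorted(via))


# Constructed input: the four rows of the table, for windowsuser in both groups.
GROUPS = ["xpgroupA", "xpgroupB"]
TABLE_ROWS = [
    {"windowsuser": "dbuserA"},
    {"xpgroupA": "dbuserB"},
    {"xpgroupA": "dbuserB", "xpgroupB": "dbuserB"},
    {"xpgroupA": "dbuserA", "xpgroupB": "dbuserB"},
]

if __name__ == "__main__":
    for row in TABLE_ROWS:
        print(row, "->", resolve_integrated_login("windowsuser", GROUPS, row))
```

Running the same function over every member of a Windows group shows which database user each member would connect as, which is the access the Caution above describes.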

Domain Controller locations

By default, the computer the SQL Anywhere database server is running on is used to verify Windows user group membership. If the Domain Controller server is a different computer than the one the database server is running on, you can specify the name of the Domain Controller server using the integrated_server_name option. For example:

SET OPTION PUBLIC.integrated_server_name = '\\myserver-1';

See integrated_server_name option [database].

