PASS logo

November 14-17

In person. In Seattle

2021 Summit video library

Module Signing: Use Certificates to Grant Higher-level Permissions Without Compromising Security

Solomon Rutzky

We often need to grant a higher-than-ideal level of permissions to a Login or Role so that someone can: start a SQL Agent job (but you don’t want them to edit anything), get data from a DMV that requires “VIEW SERVER STATE” permission (but that permission gives access to too much data), query across databases, TRUNCATE a table, etc. These problems are usually solved with some combination of: EXECUTE AS (i.e. Impersonation), cross-DB ownership chaining, or TRUSTWORTHY ON. Unfortunately, those options are all security risks.

Module Signing — — is more flexible and secure, but requires a Certificate or Asymmetric Key. Those can be confusing to work with, and the security mechanism isn’t intuitive. However, that confusion ends here.

Come learn how to have more secure, granular permissions that handle cross-DB tasks, Dynamic SQL, and SQLCLR. See what module signing can do, how certificates and asymmetric keys work, and realize it’s not as hard as you thought.

Get updates

Sign up to get the latest conference information, announcements and price bump reminders direct to your inbox.

Redgate will only contact you about PASS Data Community Summit and SQL Saturday, unless you separately request emails about Redgate.