Re: application roles

From: Mary Chipman (mchip_at_online.microsoft.com)
Date: 12/14/04


Date: Tue, 14 Dec 2004 09:26:55 -0500

The best way is to take advantage of parameterized stored procedures,
granting only execute permissions for database roles to selected
stored procedures and denying all permissions to the base tables to
public. Users might be able to connect due to their Windows logins
being enabled on the server, but they would be prevented from reading
or modifying data using other query tools. Access won't let you link
to tables you don't have permissions on. It's more work, but worth it
if your goal is increased security.

--Mary

On Tue, 14 Dec 2004 07:56:58 -0500, "bill" <belgie@datamti.com> wrote:

>Thanks for the input.
>
>What is the recommended approach to prevent users from accessing database
>resources independently of the user interface? Users have database
>permissions and can access the database using MSAccess or whatever.
>
>I appreciate your help.
>
>-Bill
>
>
>"Mary Chipman" <mchip@online.microsoft.com> wrote in message
>news:7o4sr0tctd2ep62l4h8666ha605e60kckl@4ax.com...
>> You probably won't find much because application roles are not widely
>> used, especially in Web applications because you have to sacrifice
>> connection pooling to get them to work. See:
>>
>> PRB: SQL Application Role Errors with OLE DB Resource Pooling
>> http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q229564
>>
>> This was written for ADO, but still applies to ADO.NET. Even if they
>> worked, you would still not want to use them even in a .NET Winforms
>> application because the application role password must be supplied by
>> your client code. Reading the IL of a compiled assembly is fairly
>> straightforward using the disassembler tool (ildasm.exe). Even if it's
>> not embedded in your code, the password must be stored *somewhere* on
>> the client, which makes it vulnerable.
>>
>> --Mary
>>
>> On Mon, 13 Dec 2004 08:42:34 -0500, "bill" <belgie@datamti.com> wrote:
>>
>> >I am looking for examples and assistance in configuring application roles
>> >using SQL Server 2000 and VB.NET, both web forms and windows forms.
>> >
>> >Are there any suggestions?
>> >
>> >Thanks
>> >Bill
>> >
>>
>
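
The permission layout described in the reply at the top of this thread, written out as an added T-SQL example for SQL Server 2000; it is not code from any poster in the thread. The table `dbo.Orders`, the procedure `dbo.usp_GetOrdersByCustomer` and the role `OrderEntry` are hypothetical names, and the script assumes it is run by the database owner in a tool that treats `GO` as a batch separator.

```sql
-- Constructed sample table (hypothetical schema).
CREATE TABLE dbo.Orders (
    OrderID    int IDENTITY(1,1) PRIMARY KEY,
    CustomerID int      NOT NULL,
    OrderDate  datetime NOT NULL DEFAULT (GETDATE()),
    Amount     money    NOT NULL
)
GO

-- Parameterized procedure: @CustomerID is bound as a typed value and is
-- never concatenated into a statement. Because the procedure and the table
-- share an owner (dbo) and the SQL is static, the ownership chain is
-- unbroken and callers need no permissions on dbo.Orders itself.
CREATE PROCEDURE dbo.usp_GetOrdersByCustomer
    @CustomerID int
AS
    SET NOCOUNT ON
    SELECT OrderID, OrderDate, Amount
    FROM dbo.Orders
    WHERE CustomerID = @CustomerID
GO

-- Database role that carries the only permission end users receive.
EXEC sp_addrole 'OrderEntry'
GO
-- Add existing database users or Windows groups to the role, for example:
-- EXEC sp_addrolemember 'OrderEntry', '<existing database user>'

GRANT EXECUTE ON dbo.usp_GetOrdersByCustomer TO OrderEntry
GO

-- Deny direct access to the base table for everyone via public.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO [public]
GO

-- Review the resulting permission entries for both objects.
EXEC sp_helprotect @name = 'Orders'
EXEC sp_helprotect @name = 'usp_GetOrdersByCustomer'
GO
```

The DENY does not restrict members of sysadmin or db_owner, so those memberships need the same scrutiny. Dynamic SQL inside a procedure (`EXEC('...')` or `sp_executesql`) is checked against the caller's own permissions, so a procedure that builds statements as strings would fail under this layout.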


