Re: Security question ..

From: Rick Sawtell (quickening_at_msn.com)
Date: 12/10/04


Date: Fri, 10 Dec 2004 10:28:29 -0600


"Bob Castleman" <nomail@here> wrote in message
news:%23fyjHys3EHA.3236@TK2MSFTNGP15.phx.gbl...
> If you use NT authentication, a user's permissions to a database are
> independent of an application that might act as the front end, correct?
> For example, there is nothing to prevent a user from using MS Access to
> open a connection and start "exploring". Is there any way to prevent this
> short of using SQL Authentication?
>
> Thanks,
>
> Bob Castleman
> SuccessWare Software
>

Your assertion that a user's permissions are independent of the application
is true only so far as how that application is connecting to the database.

Even using Access and "exploring" will require an ODBC login to SQL Server.
That login can use SQL Authentication or Windows Authentication. It depends
on how you create the ODBC driver.

Application roles are essentially a special login to the SQL Server that is
granted to the application rather than the user/ODBC/OLE DB driver. That
application role is special in that regardless of what rights the user
normally has in SQL Server with the user's own login credentials, the
application role's credentials and permissions completely override the user's
permissions.

For example, if the user has access to only Table A and Table B with his/her
SQL login, but the application role has access to only Table C and Table D,
then when the user runs the application, they will only have access to Table C
and D through the application role. Their normal access to Table A and
Table B will not be available until they are outside the application's
connection to the database.

HTH

Rick Sawtell
MCT, MCSD, MCDBA
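
The Table A/B versus Table C/D scenario from the reply above, as an added T-SQL example that is not part of the original post. The database, table, login and role names and the password placeholder are constructed, and the syntax assumes SQL Server 2005 or later (SQL Server 2000 creates the role with sp_addapprole instead).

```sql
-- Added example. Constructed names: database SalesDemo, tables
-- dbo.TableA..dbo.TableD, Windows login CONTOSO\bob, role OrderEntryApp.
USE SalesDemo;
GO

-- The user's own rights: Table A and Table B only.
CREATE USER [CONTOSO\bob] FOR LOGIN [CONTOSO\bob];
GRANT SELECT ON dbo.TableA TO [CONTOSO\bob];
GRANT SELECT ON dbo.TableB TO [CONTOSO\bob];

-- The application role's rights: Table C and Table D only.
-- The password is a placeholder; the application supplies it at run time.
CREATE APPLICATION ROLE OrderEntryApp
    WITH PASSWORD = '<placeholder-strong-password>';
GRANT SELECT ON dbo.TableC TO OrderEntryApp;
GRANT SELECT ON dbo.TableD TO OrderEntryApp;
GO

-- What the application executes after it has connected with the
-- user's own Windows or SQL login.
DECLARE @cookie varbinary(8000);

SELECT USER_NAME() AS context_before;   -- security context before activation

EXEC sys.sp_setapprole
     @rolename      = 'OrderEntryApp',
     @password      = '<placeholder-strong-password>',
     @fCreateCookie = true,
     @cookie        = @cookie OUTPUT;

SELECT USER_NAME() AS context_during;   -- security context while the role is active

-- While the role is active, only its grants apply on this connection.
SELECT COUNT(*) FROM dbo.TableC;
SELECT COUNT(*) FROM dbo.TableD;
-- A query against dbo.TableA or dbo.TableB at this point is rejected with a
-- permission error, even though CONTOSO\bob was granted SELECT on both.

-- Reverting with the cookie restores the user's own permissions.
EXEC sys.sp_unsetapprole @cookie;
SELECT COUNT(*) FROM dbo.TableA;
GO
```

The role's password has to be available to the client application, so it is only as well protected as the application binary and its configuration.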


