Re: Security question ..
From: Bob Castleman (nomail_at_here)
Date: 12/10/04
- Next message: Bob Castleman: "DUH!"
- Previous message: JTC ^..^: "Re: Security question .."
- In reply to: Rick Sawtell: "Re: Security question .."
- Next in thread: Bob Castleman: "DUH!"
- Reply: Bob Castleman: "DUH!"
- Reply: REMOVE_BEFORE_REPLYING_dportas_at_acm.org: "Re: Security question .."
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 10 Dec 2004 12:03:20 -0500
What I want to prevent is any access to the database accept through our
application unless you have elevated permissions (i.e. administrator). The
way you've explained this, if I give a user access to an object via NT
Authentication, if he is smart enough to create an NT Auth ODBC connection
through any other application , he will have access to those table based on
whatever access was granted. Creating an application role would not prevent
this as all the user would have to do is shut down the application and then
he would revert to the roles allowed through the NT Authenticated login.
It seems to me that the only way to prevent this is through a tiered
architecture that forces users to submit queries to a middle tier which
passes through to the database or to use SQL Server authentication. But
everything I've seen says that you should use NT authentication.
Bob
"Rick Sawtell" <quickening@msn.com> wrote in message
news:%23%23F7LUt3EHA.208@TK2MSFTNGP12.phx.gbl...
>
> "Bob Castleman" <nomail@here> wrote in message
> news:%23fyjHys3EHA.3236@TK2MSFTNGP15.phx.gbl...
>> If you use NT authentication, a user's permissions to a database are
>> independant of an application that might act as the front end, correct?
>> For example, there is nothing to prevent a user from using MS Access to
>> open a connection and start "exploring". Is there any way to prevent this
>> short of using SQL Authentication?
>>
>> Thanks,
>>
>> Bob Castleman
>> SuccessWare Software
>>
>
> Your assertion that a user's permissions are independent of the
> application is true only so far as how that application is connecting to
> the database.
>
> Even using Access and "exploring" will require an ODBC login to SQL
> Server. That login can use SQL Authentication or Windows Authentication.
> It depends on how you create the ODBC driver.
>
> Application roles are essentially a special login to the SQL Server that
> is granted to the application rather than the user/odbc/ole-db driver.
> That application role is special in that regardless of what rights the
> users normally has in SQL Server with the user's own login credentials,
> the application role's credentials and permissions completely override the
> users permissions.
>
> For example, if the user has access to only Table A and TableB with
> his/her SQL Login, but the Application role has access to Only Table C and
> Table D. When the user runs the application, they will only have access to
> Table C and D through the application role. Their normal access to TableA
> and TableB will not be available until they are outside the application's
> connection to the database.
>
> HTH
>
> Rick Sawtell
> MCT, MCSD, MCDBA
>
>
>
>
- Next message: Bob Castleman: "DUH!"
- Previous message: JTC ^..^: "Re: Security question .."
- In reply to: Rick Sawtell: "Re: Security question .."
- Next in thread: Bob Castleman: "DUH!"
- Reply: Bob Castleman: "DUH!"
- Reply: REMOVE_BEFORE_REPLYING_dportas_at_acm.org: "Re: Security question .."
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
|
