Re: Security question ..


From: Bob Castleman (nomail_at_here)
Date: 12/10/04


Date: Fri, 10 Dec 2004 14:20:56 -0500

Using just roles is not sufficient. Part of this is related to
Sarbanes-Oxley. For instance, if I give somebody read/write access to a table via a
role and they are able to create an ODBC connection to the database via
something other than our app, they will inherit the role and be able to make
modifications outside of the audit trail provided by any business rules
embedded in the application. This is precisely the type of thing a SOX audit
is going to red flag. As I stated above, all of this is partly answered by
the appropriate architecture. Unfortunately our app is a simple 2-tier with
the front end connecting directly to the database, lots of dynamic SQL, no
stored procedures or views, etc.

So much work and so little time :(

"JXStern" <JXSternChangeX2R@gte.net> wrote in message
news:d0njr05vmnd72for6v2lon1hrb3ijitq8b@4ax.com...
> On Fri, 10 Dec 2004 10:33:14 -0500, "Bob Castleman" <nomail@here>
> wrote:
>>If you use NT authentication, a user's permissions to a database are
>>independent of an application that might act as the front end, correct?
>
> Correct.
>
> Now, you can still limit what those permissions are, but they will
> indeed be the same whether he logs in with the closed app or something
> like Access.
>
>>For
>>example, there is nothing to prevent a user from using MS Access to open a
>>connection and start "exploring". Is there any way to prevent this short
>>of
>>using SQL Authentication?
>
> What's wrong with SQL authentication?
>
> As someone suggested, maybe "application roles" are a good halfway
> point and will do what you need - one hard-coded password for the app.
> In fact, in general, maybe roles will be helpful for you.
>
> J.
>
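
The application-role approach suggested in the thread, sketched as an added example that is not part of the original posts: the Windows user gets no table rights of its own, so an Access/ODBC session under NT authentication sees nothing, and only a session that activates the role can touch the data. All object, role and login names are hypothetical, the password is a placeholder, and the syntax assumes SQL Server 2005 or later.

```sql
-- Added example; hypothetical names: dbo.Orders, OrderEntryApp, CORP\clerk1.
-- Assumes the Windows login CORP\clerk1 already exists on the server.

-- 1. The Windows user may connect to the database but is granted
--    nothing on the tables, directly or through a database role.
CREATE USER [CORP\clerk1] FOR LOGIN [CORP\clerk1];

-- 2. Data permissions are attached to the application role only.
CREATE APPLICATION ROLE OrderEntryApp
    WITH PASSWORD = '<placeholder-app-role-password>';
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO OrderEntryApp;

-- 3. What an ad-hoc session (Access, ODBC, query tool) gets:
--    the user's own permissions, which are empty.
EXECUTE AS USER = 'CORP\clerk1';
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT') AS can_select,
       HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'UPDATE') AS can_update;
REVERT;

-- 4. What the application does immediately after connecting.
--    While the role is active, the session runs with the role's
--    permissions instead of the connecting user's.
DECLARE @cookie varbinary(8000);
EXEC sys.sp_setapprole
     @rolename      = N'OrderEntryApp',
     @password      = N'<placeholder-app-role-password>',
     @fCreateCookie = true,
     @cookie        = @cookie OUTPUT;

SELECT USER_NAME() AS active_principal;   -- the application role
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'UPDATE') AS can_update;

-- 5. Drop back to the original security context before the
--    connection is returned to a pool.
EXEC sys.sp_unsetapprole @cookie;
```

In a 2-tier client the role password ships with the application and can be recovered from it, so this raises the bar against casual browsing with Access rather than forming a hard boundary; moving writes behind stored procedures or a middle tier is what closes the audit-trail gap.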


