Re: ASP.NET, Win2k, SQL 2k on an intranet (w/Kerberos?)

From: Matjaz Ladava (matjaz_at__nospam_ladava.com)
Date: 05/22/03


Date: Thu, 22 May 2003 22:41:46 +0200


In your place I would go through the database and have mirrored accounts in SQL
Server (in the form of domain\username). Next I would implement a groups
table. After you've done that, you can create views on SQL Server to filter out
who can see what data.
Then there is also the possibility with PrincipalPermission...
I've seen systems where security was done on the table level (about 200
tables). It was a total nightmare to administer.

Regards

Matjaz Ladava

"Mike Lerch" <mlerchNOSPAMTHANKS@nycap.rr.com> wrote in message
news:ha7qcvs63bo56rl33s329q0ib49k71d0ej@4ax.com...
> >Impersonation has a big drawback, and this is, that you lose connection
> >pooling on SQL server.
>
> That is an excellent point. A pretty big deal, too.
>
> >I would in your case, leave windows authentication,
> >but avoid impersonation. This way your application would act on behalf of
> >ASPNET account. Grant ASPNET account logon rights to SQL server and limit it
> >just to one database. Next, for security purposes, program all DB access
> >through stored procedures and give ASPNET account just execute permission on
> >stored procedures. In this way you would get security, because what ASPNET
> >account does is limited to stored procedures and secondly you get
> >performance, because SP's are faster.
>
> That's pretty much what's advocated in the top of that Intranet
> Security document. Later on they do talk about the Kerberos (I was
> mistaken when I implied that that document didn't talk about that
> technique) in a section called "Flowing the Original Caller to the
> Database."
>
> The thing I don't like about making the ASPNET account just have
> execute permission instead of the users is that some of the pages are
> going to require the users to enter data that will be stored in the
> database. Other pages will report on information from a very large
> pool of data, but filter it according to the user's identity (i.e. an
> Eastern Sales Manager will see his stuff, a Western Sales Manager will
> see her stuff).
>
> Maybe I could combine those: have IIS validate the user using Windows
> Authentication, have the ASP.NET process account hit the database, and
> use IPrincipal to pass the user's name as a parameter to the database
> instead of impersonation. Hmm.
>
> Lerch
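Added example (not code from either poster): the arrangement Lerch sketches at the end, written out in T-SQL for SQL Server 2000. The ASPNET login gets EXECUTE on two stored procedures and nothing else; the web tier passes the authenticated Windows name (User.Identity.Name) as a parameter, and the procedures filter reads and check writes against a group table keyed by domain\username. The last block shows the mirrored-account alternative Matjaz describes, where a view filters on SUSER_SNAME() instead. Every login, table, column and procedure name here is an assumption.

```sql
-- Added example, not from the original thread. All names are assumptions.
-- Model 1: trusted subsystem. One login for the worker process, no table rights.
EXEC sp_grantlogin 'WEBSRV\ASPNET'          -- assumed web server name
GO
USE Sales                                    -- assumed database
EXEC sp_grantdbaccess 'WEBSRV\ASPNET', 'aspnet_app'
GO

-- Group membership lives in the database, keyed by 'DOMAIN\username'.
CREATE TABLE Regions (RegionId int PRIMARY KEY, RegionName varchar(40) NOT NULL)
CREATE TABLE UserRegions (
    LoginName sysname NOT NULL,              -- 'DOMAIN\username' as IIS reports it
    RegionId  int     NOT NULL REFERENCES Regions(RegionId),
    PRIMARY KEY (LoginName, RegionId)
)
CREATE TABLE SalesFigures (
    SaleId    int IDENTITY PRIMARY KEY,
    RegionId  int     NOT NULL REFERENCES Regions(RegionId),
    Amount    money   NOT NULL,
    EnteredBy sysname NOT NULL               -- audit: which caller inserted the row
)
GO

-- Constructed sample data.
INSERT Regions VALUES (1, 'East')
INSERT Regions VALUES (2, 'West')
INSERT UserRegions VALUES ('CORP\east.mgr', 1)
INSERT UserRegions VALUES ('CORP\west.mgr', 2)
GO

-- Read path: rows are filtered by the caller's group membership, not by the
-- SQL login, because every page connects as aspnet_app.
CREATE PROCEDURE usp_GetSalesForCaller @Caller sysname
AS
    SELECT s.SaleId, r.RegionName, s.Amount, s.EnteredBy
    FROM SalesFigures s
    JOIN UserRegions ur ON ur.RegionId = s.RegionId
    JOIN Regions     r  ON r.RegionId  = s.RegionId
    WHERE ur.LoginName = @Caller
GO

-- Write path: the caller may only insert into a region they belong to.
CREATE PROCEDURE usp_AddSale @Caller sysname, @RegionId int, @Amount money
AS
    IF NOT EXISTS (SELECT 1 FROM UserRegions
                   WHERE LoginName = @Caller AND RegionId = @RegionId)
    BEGIN
        RAISERROR('Caller %s is not a member of region %d', 16, 1, @Caller, @RegionId)
        RETURN 1
    END
    INSERT SalesFigures (RegionId, Amount, EnteredBy) VALUES (@RegionId, @Amount, @Caller)
    RETURN 0
GO

-- Only EXECUTE on the procedures; no SELECT/INSERT/UPDATE/DELETE on any table.
GRANT EXECUTE ON usp_GetSalesForCaller TO aspnet_app
GRANT EXECUTE ON usp_AddSale           TO aspnet_app
GO

-- Model 2: mirrored accounts (Matjaz's suggestion). Each domain user or group
-- has its own SQL login, so the connection carries the real identity and the
-- view filters on it. Nothing the application passes can widen the result.
CREATE VIEW vw_MySales AS
    SELECT s.SaleId, s.RegionId, s.Amount
    FROM SalesFigures s
    JOIN UserRegions ur ON ur.RegionId = s.RegionId
    WHERE ur.LoginName = SUSER_SNAME()       -- login of the current connection
GO
EXEC sp_grantlogin 'CORP\SalesManagers'      -- assumed domain group
EXEC sp_grantdbaccess 'CORP\SalesManagers', 'sales_managers'
GRANT SELECT ON vw_MySales TO sales_managers
GO
```

The caveat with model 1 is that the database trusts whatever @Caller the web application asserts: the ASPNET login could read every region's figures by passing a different name, so the security boundary is the page code, which must copy the name from the authenticated identity and never from form or query-string input. Model 2 closes that hole at the cost of the pooling loss the posters already mention, since each user needs a distinct connection. One practical note for the first model: on Windows 2000 the ASPNET account is local to the web server, so a SQL Server on another machine can only authenticate it if the web tier runs under a domain account (or a local account mirrored with the same password on both boxes).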

