Re: How to SELECT records based upon ASP.NET Roles

From: "Eric Chaves" <eric.dot.chaves@xxxxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 18 Aug 2006 14:14:26 -0300

Ji Bob and Joe,

helps with this type of thing and is very flexible. However, you might
also be able to use SQL row-level security as well (which is something
I've never done and know nothing about except that I've heard such as
thing exists :) ).

As far as I know, MS-SQL up to SQL 2000 doesn't support row-level security.
Row level permissions is kind a complicated topic to be implemented without
some DB server support:
- You can filter the data on BO or DAO objects with dinamic queries (ie:
queries that your application build and execute trough ADO Commands, for
examploe), but this doesn't perform well; is prone to SQL injection, is hard
to build complex joins (on the fly); The positive side is that you can
easily customize the roles, you doesn't requires DB logins (and thus you
keep all benifts of Connection pooling);
- You can filter the data on BO or DAO restrict all access by
stored_procedures; This prevents SQL Injections, has a better performance
since the queries are pre-compiled, but is hard to extend as application
changes;
- You can filter the data on DB Server, restricting all access to views
(deny access on table objects and allow insert updates on SPs or views
only). Since you can't pass parameters to views, you'll restrict the access
(the where statement) based on SQL login name; This breaks connection
pooling (you'll need at least on connection per role) but is the most
effective and with better performance aproach.

Anyway this is a design that needs to take into account what kind of
database operations will be made, since they'll drive the best aproach and
each one has a great impact on the maintence/performance jobs.

Cheers,

Eric.

.

Follow-Ups:
- Re: How to SELECT records based upon ASP.NET Roles
  - From: Bob

References:
- How to SELECT records based upon ASP.NET Roles
  - From: Bob
- Re: How to SELECT records based upon ASP.NET Roles
  - From: Joe Kaplan \(MVP - ADSI\)

Prev by Date: Preferred method of hashing salted password
Next by Date: Re: password salting
Previous by thread: Re: How to SELECT records based upon ASP.NET Roles
Next by thread: Re: How to SELECT records based upon ASP.NET Roles
Index(es):
- Date
- Thread

Relevant Pages

Re: Concurrent database access in SQL 2005 Mobile
... Please stick to having an "dummy" connection in Open State. ... SQL CE/Mobile has a background thread that flushes the changes ... they run for long hours and we have not seen memory leaks so far. ... then opens his work forms and it's in ...
(microsoft.public.sqlserver.ce)
Re: Concurrent database access in SQL 2005 Mobile
... Please stick to having an "dummy" connection in Open State. ... So it is a kind of asynchronous commit which happens every 10 ... I am not sure of this claim as we have many applications built on SQL CE ... then opens his work forms and it's in ...
(microsoft.public.sqlserver.ce)
Access 2003 adp/proxy security - A substitute for SYSTEM_USER()
... We need a way for SQL to know the nt username that initiated the proxy ... Many stored procedures and views use a UDF that also depends on ... SyUserLogin and use HostIDand HostName() to find the right row. ... We've played with the Connection dialog settings, ...
(microsoft.public.sqlserver.connect)
Access 2003 adp/proxy security - A substitute for SYSTEM_USER()
... We need a way for SQL to know the nt username that initiated the proxy ... Many stored procedures and views use a UDF that also depends on ... SyUserLogin and use HostIDand HostName() to find the right row. ... We've played with the Connection dialog settings, ...
(microsoft.public.access.security)
RE: Logging in in background
... wold take all kinds of modifictions as I'd need to be checking that each SQL ... my database and all have connection strings associated with them. ... I suspect that there is also an issue on the SQL Server side as I keep ...
(microsoft.public.access.modulesdaovba)