Re: use of application roles
From: Dan Guzman (danguzman_at_nospam-earthlink.net)
Date: 06/27/03
- Previous message: Wolf Ganerman: "EXCEPTION_ACCESS_VIOLATION"
- In reply to: Sandy: "use of application roles"
Date: Thu, 26 Jun 2003 21:46:56 -0500
"Sandy" <sandra.carr1@jsc.nasa.gov> wrote in message
news:615901c33c1f$b6fc32e0$3101280a@phx.gbl...
>
> Question 1: If I use SQL Server 2000's 'application role'
> to let my users enter data via a custom application, am I
> creating a security hole because of the hardcoded username
> & password?
>
> Background: The application allows users to logon via
> passthrough Windows authentication. The users enter data
> into the application and have no reason to directly access
> the database. The application puts the data into the
> correct tables and keeps an audit trail.
AFAIK, the only security vulnerability in this scenario is if you store
the application role password in clear text. You can encrypt the app
role password if you are concerned with this.
> Question 2: Do the users need any rights to the database
> if the 'application role' is used?
Users need to be valid users in the application role database so that
sp_setapprole can be executed. However, no permissions need be granted
to users; permissions need only be granted to the app role.
--
Hope this helps.

Dan Guzman
SQL Server MVP

-----------------------
SQL FAQ links (courtesy Neil Pike):
http://www.ntfaq.com/Articles/Index.cfm?DepartmentID=800
http://www.sqlserverfaq.com
http://www.mssqlserver.com/faq
-----------------------
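The arrangement described in this reply, as an added T-SQL example for SQL Server 2000 that is not part of the original post: the user exists in the database with no object permissions, and only the application role is granted access. The database, table, login and role names and the password placeholder are assumptions made for illustration.

```sql
-- Added example, not from the original post. Hypothetical names:
-- database DataEntryDb, table dbo.Entries, Windows login
-- EXAMPLEDOM\dataentry_user, application role entry_app.
-- '<app-role-password>' is a placeholder, not a real value.
USE DataEntryDb
GO

-- Sample table standing in for the application's data.
CREATE TABLE dbo.Entries (
    entry_id   int IDENTITY PRIMARY KEY,
    entered_by sysname NOT NULL DEFAULT SUSER_SNAME(),
    payload    varchar(200) NOT NULL
)
GO

-- 1. Make the Windows login a user in this database so it can run
--    sp_setapprole. No object permissions are granted to the user.
EXEC sp_grantdbaccess 'EXAMPLEDOM\dataentry_user'
GO

-- 2. Create the application role and grant permissions to the role only.
EXEC sp_addapprole 'entry_app', '<app-role-password>'
GO
GRANT SELECT, INSERT ON dbo.Entries TO entry_app
GO

-- 3. Run by the application on its own connection after the user has
--    connected with Windows authentication. The ODBC Encrypt function
--    obfuscates the password on the wire; it requires an ODBC or OLE DB
--    client.
EXEC sp_setapprole 'entry_app', {Encrypt N'<app-role-password>'}, 'odbc'
GO

-- 4. The connection now runs as the application role until it is closed;
--    the user's own permissions are not used for the rest of the session.
SELECT USER_NAME() AS active_principal   -- entry_app
INSERT INTO dbo.Entries (payload) VALUES ('row written through the app role')
GO
```

The `Encrypt` option covers the password only in transit to the server; how the application stores the password before calling `sp_setapprole` is a separate decision.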