Application Role with VB6

From: Paul Whittaker (PaulWhittaker_at_discussions.microsoft.com)
Date: 01/24/05 

Date: Mon, 24 Jan 2005 05:47:04 -0800

In VB6 I've got the following code when opening a connection to sql server:
    With cn
        .ConnectionString = "MyConnectionString"
        .ConnectionTimeout = 10
        .Properties("OLE DB SERVICES") = -2
        .Open
        'Had to allow execute for sps against the windows group until we can
suss app role
        .Execute "EXEC sp_setapprole 'MyApp',{ENCRYPT N 'MyPassword'},'ODBC'"
    End With

In sql server I've added a windows group to the database to allow the users
of the application to open the connection. I gave the windows group no
permissions of any kind. I added an application role and gave it select,
insert etc. permissions on the tables and execute permissions on all stored
procedures

When the application runs under a windows user (who is in the windows group
I added to the databse), the application can select data from the database
but gets 'execute permission denied' on any stored procedure that it tries to
run.

If I examine the permissions of one of these stored procedures, there is a
grant on it for the application role (there are no denies on it at all). If I
then explicitly grant permission on one of these stored procedures to the
windows group containing the windows user, they are able to access it.

Ok, I think, it looks like it is ignoring the application role, so I deleted
the application role from the database and amended the VB code, the user is
then unable to access any data.

My conclusion then becomes the application role was giving the user access
to table data, but not to stored procedures, and when I granted permission to
the windows group this somehow overrode the application role. This is clearly
rubbish, because as I understand it, once an application role takes over, no
other permissions matter.

Anybody see what I'm doing wrong?
Thanks
Paul

Relevant Pages