No Application Logins Allowed - SOX

From: Mike Q (MikeQ_at_discussions.microsoft.com)
Date: 06/21/05

  • Next message: Venkat: "Check a user is connected to the database or not"
    Date: Tue, 21 Jun 2005 07:12:13 -0700
    
    

    Hi there,
      I'm trying to work through an issue regarding our MS SQL Server logins.
    Our development folks are currently using application logins. That is, the
    "Customer" application uses a login to SQL Server called "Customer" and the
    appropriate rights are granted to the Customer login. We've recently been
    informed that application logins do not offer the required security
    (auditing) needed by the industry. From what I've been able to find we've
    got a couple options:
    1. Grant our users Windows Authentication access to SQL Server.
    2. Use Application Roles.

    There seems to be an issue surrounding both.

    First, we certainly don't want every user granted direct access to our SQL
    Servers. If anyone got a hold of an interactive SQL client (Query Analyzer
    and MS Access come to mind) we'd be screwed. Although we could audit the
    fact that someone screwed our database, it doesn't seem like that type of
    thing would be in the best interest of me keeping my job.

    Second, the use of application roles sounds good, but I'm told that having our
    developers call sp_SetAppRole before any Select, Exec, Update, Delete or
    Insert would kill their performance. We are running with disconnected typed
    datasets, which allow the developers to disconnect after retrieving data.

    I'm not sure what options are left. On one hand we want our users to be
    granted access to SQL Server so that their own login can be tracked and
    audited. On the other I don't want to allow every user to have direct
    Windows-authenticated access to the databases.

    Any insights would be appreciated.

    Thank you.
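One way to set up option 2 so that the shared "Customer" login goes away while each user's own Windows identity still reaches the audit trail. This is an added example, not part of the original post; it assumes SQL Server 2005 syntax, and CustomerDB, CORP\CustomerUsers, CustomerApp and dbo.Customer are hypothetical names.

```sql
-- Added example, not from the original post. Assumes SQL Server 2005 or later;
-- CustomerDB, CORP\CustomerUsers, CustomerApp and dbo.Customer are hypothetical.
USE CustomerDB;
GO

-- 1. Let the users connect with Windows Authentication, but grant them nothing.
--    Someone opening Query Analyzer or Access as one of these users can log in
--    but has no rights on any table.
CREATE LOGIN [CORP\CustomerUsers] FROM WINDOWS;
CREATE USER [CORP\CustomerUsers] FOR LOGIN [CORP\CustomerUsers];
GO

-- 2. Put the rights that used to sit on the shared "Customer" login on an
--    application role instead. Only the application knows the role password.
CREATE APPLICATION ROLE CustomerApp WITH PASSWORD = N'<strong password here>';
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Customer TO CustomerApp;
GO

-- 3. What the application runs once per opened connection (not once per
--    Select/Insert/Update/Delete): activate the role, do the work, then hand
--    the connection back to the pool in its original state.
DECLARE @cookie varbinary(8000);
EXEC sp_setapprole @rolename = 'CustomerApp',
                   @password = N'<strong password here>',
                   @fCreateCookie = true,
                   @cookie = @cookie OUTPUT;

-- Rights now come from the role, but the connecting Windows account is still
-- available for auditing: ORIGINAL_LOGIN() keeps the real user, while
-- USER_NAME() shows the role the work is being done under.
SELECT ORIGINAL_LOGIN() AS windows_login, USER_NAME() AS effective_user;

SELECT CustomerId, Name FROM dbo.Customer;   -- succeeds through the role

-- Revert before the pooled connection is reused; otherwise the next caller
-- on that physical connection inherits the activated role.
EXEC sp_unsetapprole @cookie;
GO
```

The activation cost is paid once per physical connection open rather than per statement, which is what the disconnected-dataset pattern already does; the cookie and sp_unsetapprole are what keep that safe when ADO.NET connection pooling hands the same connection to the next request.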

