User Data Segregation
- From: Aaron <aaronakin@xxxxxxxxx>
- Date: Tue, 26 Jun 2007 18:26:20 -0000
My company has a web-based application that currently uses one SQL
Server login account to connect to a SQL Server 2005 database. We
have quite a few application-based security controls in place to
ensure that when a user logs into the site, they will only see there
own data and not someone else's, but we would like to beef up our
security.
I've been trying to find out the best way to segregate data..just in
case our application-based security controls failed for any reason.
Since we have hundreds of thousands of web-users who login through the
application, it doesn't seem logical to have a SQL login account for
each one of these users...nor does it seem logical to have views for
each user.
We've considered wrapping every SQL statement from the application in
an object that will pass in the session ID, user ID, etc for
verification, but we haven't worked out the logistics of this, and it
seems like this would cause a performance hit on the database.
I keep wondering how companies such as Bank of America handle data
segregation and ensure that when I login to my online banking account,
that I will NEVER see another customer's bank account info. Would
anyone mind sharing some suggestions please?
.
- Follow-Ups:
- Re: User Data Segregation
- From: Adam Machanic
- Re: User Data Segregation
- Prev by Date: Re: What are the Roles of Production DBA?
- Next by Date: Re: User Data Segregation
- Previous by thread: permission problems running SQLExpress under terminal server
- Next by thread: Re: User Data Segregation
- Index(es):
Relevant Pages
|
