Re: Confused about Windows Authentication
- From: "Uri Dimant" <urid@xxxxxxxxxxx>
- Date: Thu, 1 May 2008 08:43:36 +0300
JT
Is there a better way to approach this? If not, is there an
explanation on how to set up the user accounts that is better than
what I found in the help files? If I'm using Windows Authentication,
is it possible to have the application use a specific, unrestricted
account when the normal accounts for Windows logins are restricted to
just reading?
I think you on the right way. As I understood you cannot (at least I'm not
aware of) have two logins connected by one connection string , I mean to
activate the unrestricted account you will have to open a new connection
for him/her.
Have a look at application role to be activate by the application.
http://sqlcat.com/whitepapers/archive/2007/12/16/sql-server-2005-security-best-practices-operational-and-administrative-tasks.aspx
"JT" <jt@xxxxxxxxxxx> wrote in message
news:a937c621-3f48-47c9-996f-858635c2f937@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
I read in the help file for MSSQL 2005 that Windows Authentication is
better than SQL Server authentication. Okay. So here's my scenario
and what I think I should do. Hopefully, you can offer me some
advice.
I have an application that interfaces with 2 MSSQL 2005 databases and
a DB2 database. For this example, I'll call them Master, Aux1 and
Aux2. Master contains most of the data and is MSSQL 2005. Aux1 is
MSSQL 2005 and contains a view that I need to read. Aux2 is DB2 and
contains 2 views. One is accessed directly. The other will be DTS'd
into a table in Master. I don't want the connection strings available
to the end-user, but I want to be able to change connection strings so
that the application is configurable to other databases. What I want
to do is
1) Create a user account in Master that gives it the rights to do
whatever is necessary. The application will restrict each user based
on Windows Authentication. I can secure this one connection string.
2) Create a table for storing the Aux1 and Aux2 connection strings
that can only be accessed by the account in step 1. Running the
application will give the appropriate users the rights to run the
forms for changing this table via the database user account.
This way the application can be ported to use different Aux1 and Aux2
databases but changing the connection strings cannot be done through
SQL Server Management Studio by just anyone with a valid Windows
login.
Is there a better way to approach this? If not, is there an
explanation on how to set up the user accounts that is better than
what I found in the help files? If I'm using Windows Authentication,
is it possible to have the application use a specific, unrestricted
account when the normal accounts for Windows logins are restricted to
just reading?
Thanks,
JT
.
- Follow-Ups:
- Next by Date: Re: SQL2005 non-administrator Service Account
- Next by thread: Re: Confused about Windows Authentication
- Index(es):
Relevant Pages
|
|
