Basic Security Question

Sep 30, 2007

Hi,

I'm trying to learn the "correct" way to use security with SQL Server 2005 and .NET 2.0. Let me explain what I've always done in terms of security and why.

Historically, I've created a Users table and a UserPermissions table in my database. The Users table has the username and password, and the UserPermissions table relates to the Users table and has a list of all (application-defined) permissions granted to the user. For example, say the application has features A, B, and C. The administrator might grant features A and C to user John Doe.

The reason I put this table into my database is two-fold. First, it allows me to easily set up a list of features that the application can secure. Second, it allows the application to log into SQL Server using a constant username and password. The application always gets access to the database, but then if the user didn't provide a good username and password, the application logs back out of the database and quits.

The downside to this is that SQL Server doesn't know who's accessing it. So if I wanted to have a trigger that gets the current user, all users appear to be the same person. The upside is that the administrator doesn't need to go into SQL Server and set up new users, and the users aren't aware of the actual username and password used to access the database, so they can't get to it directly.

I'd really like to learn to set up security the right way. What I want is:

A) Each user to be uniquely identified within SQL Server - i.e., each one logs in with his own user id
B) The application has complete control over the database (I want the application to be able to read all tables, for example)
C) The user doesn't have direct access to the database. I don't want the user to be able to load SQL Server Management Studio on his computer and go directly into the database
D) There is some way to grant application-specific features to each user

I would think this has to be a common scenario. Can anyone offer some good tips on how to accomplish what I'm trying to do? Thanks in advance...

-Eric

View 4 Replies



Basic Security Question

Sep 10, 1999

I'm new to SQL 7.0 and have a basic security question. I want to set up security so that different roles can see different portions of the same tables. In other words, Department A sees its projects from table 1 and Department B users see only their projects from table 1. The results are then linked to the client front end, so that the basic form they input/read off will give them the results from table 1 with only their projects. Is there a simple way to do this with a stored procedure or view, so that the result set can be linked to the form and only differs depending on the role? Thanks for the help.

View 1 Replies View Related

Basic Security Questions

Sep 5, 2006

Hi,

I am new to SQL 2005. Can someone give me some detailed instructions about how to do the two tasks below:

1. All my developers are in a Windows domain user group. I need to grant dbo privileges to that domain group so they can do their development work. The rule is that all objects they create need to be owned by dbo, not by their ID. (I can't do it because I got "The Default_Schema clause cannot be used with a windows group".)
2. Same as above, but this time they only need select permission on tables, nothing else.

Many thanks.

PC

View 1 Replies View Related

Basic Login Security

Apr 4, 2008

I have 2 dummy users.
The first one I created with a direct login on the server and access to 2 databases.
The second one I've placed in an AD users group.
That group has a login and is also mapped to the 2 databases.

SQL Server is running under an AD user, not LocalSystem.

Why can DummyOne work fine, while DummyTwo (the grouped one) can log in but access none of the databases?

What have I missed?

View 7 Replies View Related

Basic Security Question For Remote App

May 1, 2007

I'm designing a C# winforms app that will be used by 500 customers/companies. The customers will use the app to edit data for their company on the remote SQL Server. What's the best way to manage security in terms of logins/passwords? Should each user have a different login? (probably not) Or should the application have its own login/password that is encrypted and the user never knows what the login/password is?

Also, is it necessary to use Web Services for this application? Any other thoughts/comments are very welcome.

View 4 Replies View Related

Basic Security Differences Between SQL And Access

Jan 16, 2008

Ok, I know it's a really basic question but I'm hoping someone will humor me. Not being a database expert, I am wondering what the basic security differences are between a SQL Server db and an Access db. What makes SQL a more secure choice for confidential information over Access?

I know from a usability standpoint SQL is the better choice, being a multiuser access platform, but I am not familiar with the security mechanisms employed.

I appreciate any info on this.

Thank you.

View 1 Replies View Related

Basic Authentication Vs Security Extension For Internet/Xtranet RS Access

Dec 19, 2007

Does anybody know why MS doesn't consider Basic Authentication a viable solution for Inter/Xtra net access to RS? I'm rereading the documentation at http://msdn2.microsoft.com/en-us/library/bb283249.aspx but so far am not getting what the Security Extension options accomplish that can't be accomplished with much less effort using some form of Basic Authentication.

View 25 Replies View Related

SQL 2012 :: Persist Security Info And Integrated Security In Connection String

Dec 4, 2014

I use SQL Server 2008 and C#.

What is the best connection string?

I don't know whether I should use Persist Security Info and Integrated Security or not.

And if yes, should their values be true or false?

View 1 Replies View Related

Code Access Security Across Multiple Assembly Security Extension

Oct 14, 2005

Hello there, I have been trying to figure out for days how to enable FullTrust for my Reporting Services security extension.

View 9 Replies View Related

SSRS -- Security Filter And Model Item Security Setting

Jul 31, 2007



Hi,


I have posted this issue for a week, haven't got any reply yet, I posted it again and desperately need your help.


The article http://msdn2.microsoft.com/en-us/library/ms365343.aspx says:
Model Item Security can be set for different security filters, but when I use SQL Server Management Studio to set Model Item Security, it seems the "Permissions" property surpasses the "Model Item Security" property. -- My report server is using Custom Authentication.



For example, in the "Permissions" property of the model, if I checked "Use these roles for each group or user account" without setting any user or group, no matter what users I added to "Model Item Security" with "Secure individual model items independently for this model" checked, NO user can see the model on report manager and report builder;

in the above situation, if I added "user1" and gave a role such as the "Browser" role to "user1" in the "Permissions" property, and if I checked "Secure individual model items independently for this model" in the "Model Item Security" property, even if I did NOT grant "user1" access to the root model and any entities under the model, "user1" is able to access the model and all entities in report builder.



My question is: on the same report model, how do I set "AdminFilter" (empty security filter) for administrator permissions and set "GeneralFilter" (filtered on UserID) for general users based on their UserID?


The article also says:

"Security filters are always applied, even for users who have Content Manager or Administrator permissions to the model. To allow administrators or other users to see all rows of an entity on which row-level security is defined, you can create an empty security filter (which always returns True) and then use the filter to grant those users access to all the rows."



So I defined 2 filters "GeneralFilter" and "AdminFilter" for "Staff" entity for my report model "SSRSModel", I expect after I deployed the report model, the administrator users use report builder to build reports with all rows available, and the non-admin users can only see rows based on their UserID.



I can only get one result at a time but not both:

either the rows are filtered or not filtered at all, no matter how I set the "SecurityFilter" for the entity: I tried setting both "AdminFilter" and "GeneralFilter" for SecurityFilter at the same time, combination of "DefaultSecurityFilter" and "SecurityFilter", or one at a time.



Your help is highly appreciated!

Desperate developer

View 1 Replies View Related

Difference Between Persist Security Info And Integrated Security

Apr 26, 2007

Hi, I want to know what the difference is between
Persist Security Info=False;Integrated Security=Yes;

View 1 Replies View Related

SQL Security :: Running Job As Windows Security Group

Oct 18, 2015

Is there any possibility to schedule SQL job execution as Windows Security Group? I need to run powershell script through SQL job with one of this group member's permissions. 

View 4 Replies View Related

Setup Of Security / Integrated Win Security On Vista

Jul 6, 2007

I have Sql Server Express installed on Vista (service pack 2)

I have Visual Studio 2005 with an application that I'm trying to access it with within a WCF service.



The login ID of the service is added to the database.

The database has remote access turned on.

The ID is granted access to all databases within the server.

The thread is being set with WindowsProvider and the services set their thread to WindowsProvider.

The dataserver is set with using Windows Authentication for security.



When I open my connection to the database, though, it reports the typically useless message that the connection is not allowed and that the server may not allow remote connections.



How do I get past this? I've done everything right.

View 1 Replies View Related

Use An Existing AD DL Security Group For Security Role

Jun 18, 2007

I want to use an Active Directory security group that is a Distribution List for a new role assignment for an existing report. Can someone tell me if this is possible? I get an error each time I try:

"The user or group name <DLName> is not recognized. (rsUnknownUserName)"

View 1 Replies View Related

SQL 2K Security Baseline Or Security Checklist

Jul 20, 2005

Is there anybody out there with a MS SQL 2K Security Baseline or Security Checklist? Where can I get one????

Thanks in advance

David

View 1 Replies View Related

SQL Security Events In Windows Security Log

Feb 28, 2008



Hi;

I am looking for a way to log all security related events for SQL in Windows Security Log. I am trying to use SCOM for monitoring SQL and I am looking at ways to generate alerts in my SCOM Console for specific events in SQL e.g. A table is deleted, user is modified, deleted, etc. Is this possible and if yes how do I achieve the same?

Rgds;

View 6 Replies View Related

Transport Security Vs Dialog Security

Aug 3, 2006

In an environment where there are many initiators speaking to a central target with forwarders in between, from what I can understand the best policy is to disable encryption on the endpoints, since dialog encryption will be enforced this is all that is really required. Is this correct?

If the endpoints used encryption, the message would need to be encrypted and decrypted at each forwarder, resulting in slower performance, whereas dialog encryption would only encrypt at the sender and decrypt at the target, so is this the best way to go?

Secondly, is it best practice to open a dialog initially and send messages over this dialog for years, never ending the conversation? This way the services only have to authenticate each other once, if there are no reboots etc., that is, of course.

I would think performance-wise sending each message and ending the conversation each time is a much greater overhead? So would it be best practice to keep dialogs open and keep sending messages?

Initially, when I was learning Service Broker, I thought that one must send a message and end the dialog until the next message, but I think the other way is the best option?

Is this correct ?

Thanx

View 1 Replies View Related

Dialogue Security Vs Transport Security

Feb 19, 2007

Hi

I'm designing a distributed application where I will have SQL Server 2005 distributed databases replicating data to my central hub which is again a SQL Server 2005 database using SQL Service Broker. Data will be sent from the central hub to the distributed sites and vice versa. I need to authenticate the communication and also secure the communication by encrypting the messages. Which security shall I use? Where do I configure the type of security being used? What is the difference between transport security Vs dialogue security - Full security model?



Thanks

View 4 Replies View Related

NT Security Vs SQL Server Security

Jun 19, 2000

Hi:

Can anybody tell me the advantages and disadvantages of using NT security for SQL Server 7.0? For a corporation with 400 users, what is your recommendation for the SQL Server security management? Thanks.

Joan

View 1 Replies View Related

Windows Security Vs. SQL Security

Jul 30, 2004

What's the better security to use? Currently I'm always registering using the Windows authentication. When I'm trying to register using SQL authentication I always get "Login failed for user 'sa'" error....

View 1 Replies View Related

A Very Basic Q

Mar 18, 2005

This is probably a very silly question. I started learning ASP.NET by following ASP.NET Unleashed. I am stuck where he wants me to open a connection to a SQL Server database. I have just downloaded MSDE, but I don't know where to type this code and how to run it so as to connect to the database.

<%@ Import Namespace="System.Data.SqlClient" %>

<Script Runat="Server">

Sub Page_Load
Dim conPubs As SqlConnection

conPubs = New SqlConnection( "server=localhost;uid=webuser;pwd=secret;database=pubs" )
conPubs.Open()
End Sub

</Script>

Connection Opened!

Now do I have to change the uid to SA? (I had to assign one when I downloaded and installed MSDE.)

Thanks for the help.

View 1 Replies View Related

Basic DTS...

Nov 16, 2005

Hi all,

I am not very experienced in using DTS and really need your help. I have a DTS package that I have scheduled to run every day. Here's what I want the package to do:

1. Check whether a value for a certain column in a certain row of a table in my database is 0 or 1. If it is 1, then
2. Run the DTS task (which I have created and is working)

In other words, when the package is started, I want to execute a stored procedure or SQL task or whatever, and if that returns 1 then I want to continue; if it returns 0 I want to finish the package without running the DTS task. I'm sure there's a simple way to do this, but I could use your help...!

Thanks,
Elisabet

View 1 Replies View Related

Need Basic.

Jul 11, 2007

Hi All,



Can this be done, and if so, can you give a bullet list of the steps needed to accomplish this?

I need to load a bunch of files into a staging table. I need to loop through the files and load them.

Thanks,

Michael

View 3 Replies View Related

BASIC Q

Mar 12, 2008



Hi,
What does this statement do?
Does it add all the values or combine all the values?
REPLACE combine WITH lc_tran + lc_exp + lc_war + ll_boc

Regards
kk

View 1 Replies View Related

Basic Problem

Feb 19, 2007

I downloaded SQLExpress and Visual Studio Express to my home computer.
I built a simple database, adding data through the SQLExpress admin tool.
I built a web page using MS Studio. I connected to the database and used the web page for a few days. Then I restarted the computer. Now the web page won't open, and MS Studio won't open the MDF file in the App_Data folder.
I can still see and work in the database through SQL Server Express.
The web page and the MS Studio attempt to connect to the MDF file both fail with this message:
Cannot open user default database. Login failed. Login failed for user 'KAAAK/Administrator'.
So it seems to be trying to connect as the Windows user.
When I try to modify the connection to connect through a user/password I created in SQL manager, I get a message that the user is not a trusted SQL user.
From web.config:
<connectionStrings>
<add name="ConnectionString" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|info.mdf;Integrated Security=True;User Instance=True;User ID=Admin;Password=12345" providerName="System.Data.SqlClient"/>
</connectionStrings>
That was changed from the original string created automatically by MS Studio:
<connectionStrings>
<add name="stocksConnectionString" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|stocks.mdf;Integrated Security=True;User Instance=True;" providerName="System.Data.SqlClient"/>
</connectionStrings>
I am sure this is some simple problem, but why would the system refuse to access an MDF file it had already been accessing?
Thanks, Michael

View 1 Replies View Related

Basic SQL Connection

Mar 5, 2007

Hi all, having trouble with my first SQL communication. I've got a hosted service with an SQL database I've populated with a row.
When it gets to the third line the page crashes with an error.

    SqlConnection connection = new SqlConnection("Server=mydbserver.com;Database=db198704784;");// +"Integrated Security=True");
    SqlCommand cmd = new SqlCommand("SELECT UserName FROM Users",connection);
    SqlDataReader reader = cmd.ExecuteReader();

Is there somewhere I need to put in my username or password? Or is this code just wrong?

Many thanks, burnside.

-- Edited by longhorn2005

View 7 Replies View Related

Basic LIKE Question?

Jun 8, 2007

Not sure why I am having trouble here, but I am using the following WHERE clause expecting to find all rows where any one of the three keywords is present.
 ....WHERE Company.L_Keywords LIKE '%metal%' AND Company.L_Keywords LIKE '%tile%' AND Company.L_Keywords LIKE '%ceramic%' 
However, it appears to be finding only the rows where all three words are present in the L_Keywords field.

View 2 Replies View Related

Very Basic SQL Question.

Jul 25, 2007

This is a very simple question. How would a select statement be formatted in the following example?
SELECT Grade, Student_ID, First_Name, Last_Name FROM Scores WHERE (This is where I'm stuck and I know this is not the right formatting although I wish it were because it would make my life a little bit easier.) Student_ID = 115485, 115856,  568547, 965864, etc...
I may have up to 100 specific student IDs to put in this one statement. I know I can use the "WHERE  Student_ID = 115485 OR Student_ID = 115856, OR Student_ID = 568547" but that would be a lot of waste. Seems like there should be an easier way than using the "OR Student_ID =" for every entry.
Can someone explain another way I can do this? Thanks in advance.

View 3 Replies View Related

Basic Sql Question

Jan 28, 2008

Hey, I have a pretty simple question. My query is throwing an error saying "Invalid column name 'subject'." The problem is that subject is a custom column I've made, well just look at the sql:

SELECT a.ArticleID, subject=ISNULL((select subject from subjects),'') where subject='some subject'

View 8 Replies View Related

DTS And Visual Basic

May 15, 2001

I have already created a package which loads a text file to the database using the DTS wizard in Enterprise Manager. How do I execute that package using Visual Basic? Please provide the code!!! Thanks

View 2 Replies View Related

Just One Basic Question...

Apr 25, 2000

Hello,

I've just migrated my access database from access2000 to sql7.0. The wizard told me there was no problem. But a simple question:

How do i open my database? Where can i see tables, fields...?
Is there no interface like the one in access2000?

Thanks in advance!

View 2 Replies View Related

Basic MDX Code

Dec 6, 2004

Hi there.
I am trying to use MDX code to create a measure in ProClarity. Please help!!

A store can be one of a number of ‘Brands’. The MDX segment below gives me the Sales Value of a selected item, but for Store Brand 'Brand1' only. This works fine - but how do I add a brand? That is, how do I see the combined Sales Value for the selected item for 'Brand1' and 'Brand2'?

([Store Brand].[Brand1],[Measures].[Sales Value],[Item].CurrentMember)


B

View 8 Replies View Related

SQL Indexing - ***BASIC****

Sep 15, 2005

Hoping someone could help me with an ongoing indexing question that I have.

On my site, we have over the past 5 years developed what is emerging as a fairly complicated database structure. As features have been added to my site and relations have increased between different database tables, there has been a need to index fields in different ways, and in some instances field indexing has overlapped. For example we may have a table that has 5 fields (field1,field2,field3,field4,field5). A need to index field1 is required because of a query that reads:

SELECT * From Table1 where field1=XXXXX

Additionally there may be a need to for another query that reads:

SELECT * From Table1 where field2=XXXXX

In this instance an index is placed on field2....
But, for example when there is the following query:

SELECT * From Table1 where field1=XXXXX and field2 = XXXXX

Is it necessary to set a new index on: field1,field2 ???

We have made the choice that yes, in fact there is...but now over time some of our tables have instances of single fields being indexed along with combinations of two single fields that have already been indexed, being indexed together. As tables have grown to over 1,000,000 records and having up to 15 or so indexes, we realize that the number of indexes may be degrading performance. Also, indexes vary in type, e.g. INT, BIGINT, Varchar fields... In the above instance, can we eliminate the multi-indexes and improve performance overall...?


On a second related question:

In the event that two tables are joined on a common field.

e.g. Select * from Table1,Table2 where Table1.field1=Table2.field1

Is it necessary to index both of these fields in tables: Table1 and Table2 ?


Hope someone can help, as we are looking to improve the efficiency of our tables as they continue to grow.

View 3 Replies View Related






