Hi there
Can anyone point me to a good tutorial or give me a run down on using Sql Application roles from my asp.net application. Books Online only give a run down on how to set it up - not how to implement or use it from my code. MSDN no help. Google - same thing.
Any help greatly appreciated.
Thanks in advance
Hello,
I am new user of SQL Server. I have some problems with these words. I want to make my database works in my specified permissions. I will specify permissions with schemas and these schema wants an owner. I want this owner should be my user. When creating a user it needs a valid login. I am selecting my login and it occurs and error says this login has an different user. I am specifying permissions with roles. But i can't make association all of them. I hope i told my problem to you as well. If you explain these words to me and tell me how can i do my database's works with my own schemas, users and roles i'll be grateful. Thanks for advices.
Happy coding...
After reading Books Online, I am still confused with Database Role vs Application role.
My intention is to control the end users' authority on the database, where the end users will access through Winforms client application. With proper assignment of schema and database roles to an user, I believe this will enough to control the permisison of an user.
If this is the case, why Application role exists? When and why should I use Application Role? How is it different from Fixed Database Role?
We have a distributed app that creates it's own instance of sqlexpress when installing. This prevents anyone with sa rights on another instance from accessing our data directly (HIPAA compliance concerns). We are currently looking into making our app easier to install, and want to be able to attach our database to existing instance (if one exists), but still prevent the sa account of that instance from directly accessing/viewing our data. Are application roles the way to accomplish this, is there another way, or is this even possible?
Thanks in advance.
We are looking to make our applications as secure as possible. I am interested in how well Application Roles work to make security tighter.
Have you used Application Roles. If you have, I'd like to know if it helped provide better security or not and if it did, how was it implmented in you production environment. I already know how to get it set up, I'm just wondering if it's really worth the trouble.
Thanks!
I may need to setup an application role(s) fro a SQL 2000 db that is being front-ended by VB6. There are 2 types of functions needed, and admin role with access to all tables, and a user role with access to only specific tables. I know from just a straight db roles, I could set up 2 roles, set their rights, and then add the users to these roles. My questions is if I need the same functionality for an Application role, do I need 2 Application roles, one for the admin, and the other for the user?
View 1 Replies View RelatedWe have an an application that was written using OLE DB (ADO) against a SQL 2000 Server that uses an Application role to give rights to the database objects. It connects, calls sp_setapprole and goes on. If the database needs to LOCK a record, it is creating a new ADO Connection and instantiating the Approle again. This model has been working fine up til now.
Now we are installing a SQL 2005 server for the latest version of the product we are working on and are running into an error. The error is
Error: 18059, Severity: 20, State: 1.
The connection has been dropped because the principal that opened it subsequently assumed a new security context, and then tried to reset the connection under its impersonated security context. This scenario is not supported. See "Impersonation Overview" in Books Online.
It's happening when the second ADO Connection for locking a record is being created and the sp_setapprole is being executed.
One of my questions is what is the problem with executing the approle on a different connection? Our code has not changed, so obviously SQL 2005 is doing something different. The other is What can we do to correct this?
Is the resource pooling different? We had problems in the beginning with approles and figured out through research that we needed to add OLE DB Services=-2 to the connection string to turn off resource pooling.
Is there an extra step to using Approles in SQL 2005?
Any help would be greatly appreciated as we need to resolve this ASAP.
Thanks,
David
I want to test Application Roles security for our project, I guess it serves the purpose.
But the quesion I have is if a developer who can look at the application code know's the "Password" can he set the password from Query Analyser and get acess to the database.
Thanks!
Hello,
in SQL Server 2005 I have an application role that is being used to limit access to my server data from third party applications. Everything is working well, except changing the Application role password.
I set up a small form that allows an administrator to change the App Role password through the front end app. I cannot, however, seem to get the Password field in my approle to accept a parameter.
For example:
declare @newpassword varchar(128)
set @newpassword = 'foo'
ALTER APPLICATION ROLE MyApplicationRole
with PASSWORD = @newpassword
This procedure gives me a syntax error in the last line. It will accept a string in quotes but not a varchar parameter.
Ideas?
Hi, Am migrating my SQL 2000 legacy app to SQL2005 and am dealing with restrictions on the underlying system tables. Have taken advice that Granting VIEW state to all users is heavy handed (especially meta data access at SERVER level). Now looking at Module signing which is great. I can supply SP's which target the few System table/ information schema fields that I require. Now I Sign the Sp's cool, now I grant exec rights to the application role (doesn't work). Create a db role and put my users in it, okay grant role exec on Sp's (fine they work).
However my application runs under an application role always, so my users rights are ignored and it appears that its only the users not the approles who can benefit from the module signing ? I know I can switch too and from approle using cookies but I seem to be going round in cirlces here.
Essentially is there any 'EASY' and 'CONTROLLED' way that my application user who has no rights, who immediately switches to the application role can see the dbName (All rows ) from master.sysdatabases ?
Thansk for any advice
I have an application that segregates data into two differentdatabases. Database A has stored procs that perform joins betweentables in database A and database B. I am thinking that I have reachedthe limits of Application Roles, but correct me if I am wrong.My application creates a connection to database A as 'testuser' withread only access, then executes sp_setapprole to gain read writepermissions. Even then the only way 'testuser' can get data out of thedatabases is via stored procs or views, no access to tables directly.Anyone know of a solution? Here is the error I get:Server: Msg 916, Level 14, State 1, Procedure pr_GetLocationInfo, Line38Server user 'testuser' is not a valid user in database 'DatabaseB'The system user is in fact in database A and B.thanksJason Schaitel
View 4 Replies View RelatedHi all:
[Posting this in the security forum because in this forum I found a related post.]
I have a problem with SQL Server 2005 and application roles and pooling. I needed to use application roles and I needed to use pooling at the same time for an application. I am using sp_setapprole and sp_unsetapprole. In order to ensure that the application role is always set and unset by the application, I actually developed a custom Data Provider based on the SqlClient Data Provider. I have a custom Connection and Command class that wrap the SqlClient versions. Upon opening my custom Connection class, I execute the sp_setapprole stored procedure. Upon closing or disposing the connection, I call sp_unsetapprole.
This works fine in 99% of my tests. However, I have three or four methods (always the same ones, but one only fails ever so often) that fail, but only under the following circumstances:
Pooling is turned on (but pool size doesn't matter)
I am using my custom Data Provider (using System.Data.SqlClient does not cause this issue... but I am also not using approles then)
When other tests have run in the same test run. I.e. when I run the failing methods by themselves in a test run, there is no problem.
So it seems to me that the problem is related to using application roles with pooling turned on. For scalability reasons, we cannot turn pooling off. When the methods fail, I see the following two (2) entries in the SQL Log:
Error: 18059, Severity: 20, State 1.
The connection has been dropped because the principal that opened it subsequently assumed a new security context, and then tried to reset the connection under its impersonated security context. This scenario is not supported. See "Impersonation Overview" in Books Online.
I understand the error message somewhat. However, I am not sure why the "reset" of the connection occurs. My code does not call reset anywhere, so it must be something that happens in the background.
I am reviewing code to see if there is possibly a situation where the sp_unsetapprole procedure does not get called or does not get called successfully, but there is a lot of code (in many custom components).
I would like to know if anyone has a suggestion on how to solve this problem, or, find the code that may be causing the problem.
Thanks in advance,
SA.
Coldfusion Web appls from Oracle to SQL Server 2005 - How to use Application Roles in Coldfusion.
Is there anyone who has used application roles in Coldfusion Applications? How would you set this up?
I know how to set up application roles. If you establish your application role and you move from one page to another, how would you run cfquery since you loose your initial user connection in place of the application role connection. Are there alternatives to using application roles in Coldfusion?
Sample code would be helpful.
TF
Can you write a stored procedure to add a user to your DB and set the roles the user belongs to?
I want to write a stored proc. to add users and set roles so it can be used in code instead of doing it manually.
After the user has been added and their roles set, can you write another stored proc. to give you what roles they belong to?
Apologies if my post does not fit into this forum. I initially tried the SQL Server Data Access forum but I now think my question is more security related.
Is it possible for a web user who has been successfully authenticated with forms authentication to be authorised to use a SQL Server 2000 role depending on a particular ASP.NET 2.0 role that they have been authorised to use? I understand that that I can assign a SQL Server 2000 role to the ASPNET or NETWORK SERVICE account but this will grant access to anonymous web users to the database role. I can ensure that I only call stored procedures which access sensitive data in web pages that are in restricted by ASP.NET roles. However, it would be nice to also restrict stored procedures via the ASP.NET 2.0 Forms Authentication roles.
If this is not possible have you got any bright ideas how I could restrict access to stored procedures who are anonymous web users.
Many thanks,
Mark
I'm developing an ASP.NET2.0 application which accesses a SQL Server 2005 Express database. I plan to use integrated security for access to the database.
I'm confused about the relationships between Windows groups, the ASP.NET web.config file <allow roles=.../> and SQL Server roles.
I would like to create a Windows group to which I can assign multiple users and grant that group access to a Web Site using windows authentication and also grant that windows group access to the database my web application uses.
I have gotten the combination of Windows Authentication to the web site and to the database to work for a specific windows user but I am having trouble determining the combination of database security entities I must create to allow access to my database by members of the windows group.
For a Windows user:
1. Create Windows user
In SQL Express
2. CREATE LOGIN FROM WINDOWS WITH DEFAULT_DATABASE =
3. CREATE USER FOR LOGIN
4. CREATE ROLE
5. EXEC sp_addrolemember <role-name> <user-name>
For a Windows group, what would be the equivalent commands necessary to grant a windows group access to my database? Specifying the Windows Group name in sp_addrolemember does not appear to be sufficient even though the documentation states that a windows group name is a valid value for the member name argument.
Hi! Can anyone say which ms sql server predefined roles are similar to the following oracle predefined roles: dba, connect, resource. I already know that sysadmin in MS SQL Server is the same as DBA in Oracle but what about the rest?
Thanks a lot.
I am in the process of locking down the SQL Server in an environment that is considered to be in production (pilot stages) and there is no staging or test environment that mirrors it. I need assistance in determining the server and database roles to assign to existing logins, most of which currently have sa and dbowner rights. Because it is not a development environment, I need to be sure that downgrading the server and/or database level permissions will not break any functionality.
I'm starting with the logins that have the SA fixed server role. These logins need to be able to install applications that require the use of a backend database, which will be stored on SQL Server. In addition, through the installation process a new login/password for the newly created database(s) is normally created. For the existing logins with the SA fixed server role, will downgrading to the securityadmin and dbcreator roles be sufficient to facilitate those needs, or are those too much/ too little? And should any user account ever be granted the SA role? If so, what questions could I ask to determine this need?
Since these install process for these applications usually prompt to install using SA or local system account to authenticate to SQL to create the new database(s), that account should have securityadmin and dbcreator roles to create the database and its tables, as well as add a new login to that database.
Please address this question, keeping in mind that the logins will only be performing the described actions, installing apps using SQL Server as the backend database and adding a login to that database (which may or may not be done during the installation process).
Thank you,
nu_dba
Hi,
I'm looking for some guidance/help regarding setting up a sa - lite account in SQL 2005. I need to give another admin rights to create/monitor maintenance plans, backup and restore databases, monitor performance/logins, but NOT be able to have any rights on several tables (and of course not being able to set user permissions).
I've tried using server and db roles but haven't been able to determine how to give someone w/o full sa rights access to maintenance plans.
If you can think of soemthing, please let m eknow.
Jenn
I have MS SQL Server 2000 DB.
I have created a User and created some tables for the same.
I created a Role named A and granted Select Permissions for few tables to that roles.
When I created another Role named B and added this role (A) to B, the permissions are not being xferred to B. Bcos of which, if i assign an User to Role B, he is not able to select the tables for which permissions have been given thru role A.
Note : If i give assign directly the user to Role A, it is working. But i want to assign User to role A only thru B.
have SQL Server 2005 std edition SP1 installed on Windows 2003 Std edition .Configured Transactional (single Publisher and no clustered environment.)
Replication past two months working fine, Now
1.Distrib.exe application err is coming.
Due to which my job is failing (Distributor to Subscriber).
Iam attaching thw file.
Thanks
Sandeep
I need to grant select/viewing on a information_schema for a programmer. how do I grant this without granting server role "System Administrators".
Thanks,
Jason
I need to grant select/viewing on a information_schema for a programmer. how do I grant this without granting server role "System Administrators".
Thanks,
Jason
Does anybody know how to set up a role that can only set up jobs in Sql7.0.
TIA - Philip
I might be missing something. I have 'upsized' an Access database to SQL 7.0. I then created new users on the server. I then added them to the database and gave them the role db_datawriter. When they try to connect, they can't. When I look at the permissions tab for the tables, I see their ID's, but none of the boxes are marked. Did I forget to do something?
View 3 Replies View RelatedIs there a way in 7.0 to allow users with the "Public" role truncate tables without giving them sysadm rights?
Thanks,
Kevin
I am creating a new user. I would like to give read only access just for the tables in a database. I had assigned only public and db_Datareader roles to this user. With these roles the user could able to see the script of the SPs and also the DTS packages. Also with the above roles the user could able to create new DTS packages and SPs. Is it possible to deny the user to look at the sps and ability to open the DTS packages created by some other users.
What I need to do is create a role with just table data read access so that they could just select the data only nothing more than that.
Also another role with dataread and ability to create the DTS packages from other servers by accessing this data. Anotherthing we need is With this role the users could create Database schema.
This is an urgent request. Please advise me ASAP.
Thanks
Hi,can anybody tell me the script for how to find out for a particular login n for a particular database ,what are the database roles they have??
View 10 Replies View RelatedHi,
I have added two roles to sql server. One called Officeusers. The other AdminUsers
Added the appropriate logins to these roles. For example; james, john, ahmad to OfficeUsers and Mat, Nick to AdminUsers.
How can these roles be now used in a connectionstring? I can use each user login and his relevant password in a connectionstring to connect to sql server but not sure how/where/when the Roles come in to development.
i.e. do I need to use the role in the connectionstring? if so then what happens to the password.
Not quite clear about all these.
Thanks
Hi all,
I have developed a website that and configured a role for my users. I also want to write a windows application, but how can I let my windows application use the role based I have on the same database where the website runs? Thanks
i'm not sure to put this in data or security, so i'll put it in both and put on my flame suit.....I'd like to setup the security to use the one single DB that i've setup to use for my inventory, instead of the ASPNETDB.MDF that accompanies the normal setup.If i need to include more info, please ask.
View 1 Replies View RelatedHello readers
I have a problem with the following:
I made a login page in Visual Web Developer 2005 and I used the ASP.net Configationtool in the Website menu. Made some couple test accounts to login and made a role: "Beheerders". Made 1 of my test accounts a "Administrators".
So my problem is when I log in with the account with the "Beheerders" role, i go to the page of the "normal user". I tried to look in many sites, I could find some nice aid but not 100% the one that could solve my problem.
This is my code i programmed in the seperatefile of Login.aspx
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports LoginPartial Class Login
Inherits System.Web.UI.PageProtected Sub Login1_LoggedIn(ByVal sender As Object, ByVal e As System.EventArgs) Handles Login1.LoggedIn
Dim userinfo As MembershipUser = Membership.GetUser(Login1.UserName)
Dim UserRol() As String
UserRol = Roles.GetRolesForUser(userinfo.UserName)
If (Roles.IsUserInRole("Beheerders") = False) ThenResponse.Redirect("~Index.aspx")
End If
End SubProtected Sub Login1_LoggedIn()
End SubProtected Sub Login1_LoginError(ByVal sender As Object, ByVal e As System.EventArgs) Handles Login1.LoginError
'Parameters instellen voor InvalidCredentialsLogDataSourceInvalidCredentialsLogDataSource.InsertParameters("ApplicationName").DefaultValue = Membership.ApplicationName
InvalidCredentialsLogDataSource.InsertParameters("UserName").DefaultValue = Login1.UserNameInvalidCredentialsLogDataSource.InsertParameters("IPAddress").DefaultValue = Request.UserHostAddress
InvalidCredentialsLogDataSource.InsertParameters("Password").DefaultValue = Login1.Password
'Er was een probleem bij het aanmelden
'Nakijken of gebruiker bestaat in de databankDim userInfo As MembershipUser = Membership.GetUser(Login1.UserName)
If userInfo Is Nothing Then
'Ongeldige gebruikersnaam...
LoginErrorDetails.Text = "Geen gebruiker met naam """ & Login1.UserName & """ in de databank !"
Else
'Nakijken of gebruiker Lockedout of Approved is
If Not userInfo.IsApproved Then
LoginErrorDetails.Text = "Uw account is nog niet goedgekeurd!"
ElseIf userInfo.IsLockedOut Then
LoginErrorDetails.Text = "Uw account is geblokkeerd wegens te veel mislukte aanmeldpogingen!"
Else
'Het wachtwoord was verkeerd
LoginErrorDetails.Text = "Verkeerd wachtwoord - """ & Login1.Password & """"
End If
End If
'Record wegschrijven naar datasource
InvalidCredentialsLogDataSource.Insert()End Sub
End Class
Thanks for your help.
Regardings
Griffin1987
Hi all,
I am facing some trouble in my asp.net application. We have decided to add some more security at the DB. Every user gets his own login in SQL-server. (I know for connection-pooling it is better to use the exact same connectionstring, but security is the most important fact in our project).
What I want to do is add sql-server roles to new created sql-server users. I can create sql-server users from my code and I can GRANT or DENY rigths to a specific table, but I don't know how to give a user a role.
Any ideas?
Thx,
BKT