KFairchild
Starting Member
3 Posts
Posted - 2007-07-26 : 10:55:52

Ideally, I'd like to move away from using SQL-based logins for our internal applications and take advantage of integrated security instead. Defining AD groups and their permissions in SQL is simple, and getting the application to work with that is not an issue.

Where I'm having difficulty, though, is in isolating the accessibility in integrated security. Because the SQL-based login was isolated from the Windows user, they could only get access to the SQL server via our app -- their normal Windows accounts had no access.

If we switch to use only Windows authentication, the user would be able to connect fine from our application and have rights to various tables. The issue is that they could also connect via Enterprise Manager, Excel, or any other tool. Is there any way to limit the exposure so that we can make use of AD for our access but further limit it to allow connections based upon the application? I realize that this could be impersonated, but it's still better than nothing...

--Kevin Fairchild

Michael Valentine Jones
Yak DBA Kernel (pronounced Colonel)
7020 Posts
Posted - 2007-07-26 : 11:09:17

A typical way to handle this with web applications is to give users no direct access to the database at all. The web application would verify that they have access to the application, and then the web server would connect to the database with an account set up for that web site.

CODO ERGO SUM

rmiao
Master Smack Fu Yak Hacker
7266 Posts
Posted - 2007-07-26 : 22:59:21

Possible to use application role?

KFairchild
Starting Member
3 Posts
Posted - 2007-07-26 : 23:23:55

Application Role would probably work if we didn't have so many cross-database calls... What I've been thinking of now, though, is to have the VB app impersonate an application-specific domain user account for database calls. It's probably the best compromise I can feasibly make right now without a major rewrite of the legacy code.

--Kevin Fairchild

rmiao
Master Smack Fu Yak Hacker
7266 Posts
Posted - 2007-07-26 : 23:40:32

If it's sql2k5, you can use synonym for cross-database calls.

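The two suggestions in this thread, an application role (rmiao's first reply) and a synonym for the cross-database reference (rmiao's second reply), put together as an added T-SQL example for SQL Server 2005. This is not code from the thread; the database names (AppDB, SalesDB), the AD group (CORP\AppUsers), the role name (OrderEntryRole) and the tables are placeholders, and the password is a placeholder that would live only in the application's configuration.

```sql
-- Added example (not from the thread): application role + synonym on SQL Server 2005.
-- AppDB, SalesDB, CORP\AppUsers, OrderEntryRole, dbo.Orders, dbo.Customers are placeholders.

USE AppDB;
GO

-- 1. The AD group gets a login and a database user, but no object permissions.
--    Connecting with their own Windows account from Excel or Enterprise Manager
--    therefore reaches the database and nothing in it.
CREATE LOGIN [CORP\AppUsers] FROM WINDOWS;
CREATE USER [CORP\AppUsers] FOR LOGIN [CORP\AppUsers];
GO

-- 2. The real permissions sit on an application role, which is unlocked by a
--    password the application holds, not by the Windows identity.
CREATE APPLICATION ROLE OrderEntryRole
    WITH PASSWORD = N'<placeholder: strong password kept in the app config>',
         DEFAULT_SCHEMA = dbo;
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO OrderEntryRole;
GO

-- 3. A synonym hides the three-part name of a table in another database, so
--    application code refers to dbo.Customers and does not embed "SalesDB".
CREATE SYNONYM dbo.Customers FOR SalesDB.dbo.Customers;
GO

-- 4. What the application runs right after opening its connection. After
--    sp_setapprole succeeds, the connection carries OrderEntryRole's permissions
--    until sp_unsetapprole is called or the connection is closed.
DECLARE @cookie varbinary(8000);
EXEC sp_setapprole
    @rolename      = 'OrderEntryRole',
    @password      = N'<placeholder: same password as above>',
    @fCreateCookie = 1,
    @cookie        = @cookie OUTPUT;

SELECT TOP (10) * FROM dbo.Orders;     -- allowed through the application role
SELECT TOP (10) * FROM dbo.Customers;  -- resolves via the synonym to SalesDB

-- Hand the connection back to the Windows identity before it returns to a pool.
EXEC sp_unsetapprole @cookie;
```

Two caveats a practitioner checks before adopting this. First, the synonym only fixes the name: an application role has no identity in SalesDB, so the second SELECT succeeds only if SalesDB's guest user has been granted CONNECT and SELECT on that table, and anything granted to guest is visible to every login on the instance, which is the cross-database trade-off Kevin alludes to. Second, the role password has to be present on the client, so a user who can read the application's configuration can activate the role from any tool; this is the impersonation risk the original question already accepts, so treat the role as a barrier against casual access, not against a determined insider.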
KFairchild
Starting Member
3 Posts
Posted - 2007-07-27 : 00:10:54

Oooh... Didn't know that. Will research it a bit. Thanks.

--Kevin Fairchild