Printed Icetips Article

SQL Related Articles: Security access to SQL databases
2002-07-21 -- Michael Gould
 
Newsgroups: softvelocity.products.c55ee

Dan,

With our application, we have a userid that our users never see.  It has
DBA rights when they first log into the DB. Before actually logging into
the db though, we put up a login window.  The first thing that happens is
our unseen ID logs into the db, then does a SetUser which is used by ASA to
that name.  At that point, it locates the user record in our security tables
and validates their password.  From that point on, the user only has access
to the tables and views that they are given rights to via our application.

On the DB side, the user id that the user originally logged in with is
totally unknown to the end user.  Other tools don't have access because they
don't have the rights to get to the db with those other tools.  We will
allow read access to certain views within the db from outside programs, but
we give them the "read only" id to use.

Michael Gould

"Dan Pressnell"  wrote in message
news:3d3ae779$1@news.softvelocity.com...
>
> "Bharat"  wrote in message
> news:3d3ad887@news.softvelocity.com...
> > I'm looking at buying SECWIN for user access levels etc.
> >
> > As I will use SQL more and more is this a bad move ??
> >
> > What alternative are there ??
>
> Secwin might work for you, but I think more work would be involved.
>
> Maybe I should clarify my point.
>
> If you use an add-on security tool, it will secure your application fine, I
> think.  But if after all is said and done, your application is written so
> that it tries to access tables the user can't access, template generated
> code will give you one error message after another.
>
> One way around that is to secure just your application, but give full access
> to the user logged in with the app.  But by giving so much access to the
> user, you have a security problem, because with MS Access, a VB program, or
> many simple free query tools, that user can gain access that he can't using
> your app.
>
> So you are between a rock and a hard place.  To prevent your program's
> constant "access denied" (or whatever) error messages, you give full access.
> But full access leaves a security hole for other apps and tools.  On the
> other hand, securing the database with user permissions causes your app to
> choke.
>
> The solution, as I said, can be messy.  But it's important.
>
> Dan
>
>
>
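The scheme Michael describes (a hidden application login with DBA authority, a SETUSER switch to the end user's own id, per-table and per-view grants, and a separate "read only" id for outside tools), written out as an added example in SQL Anywhere (ASA) style; it is not code from the thread. User, table, view and column names are assumed, and the password lookup is done on the hidden id's connection before the switch so that end users need no rights on the security table.

```sql
-- Added example, not from the thread.  Names and passwords are placeholders.

-- 1. The id the application connects with.  End users never see it, and it
--    needs DBA authority because SETUSER requires it.
GRANT CONNECT TO app_login IDENTIFIED BY '<app-login-password>';
GRANT DBA TO app_login;

-- 2. Application security table (assumed layout).  Only app_login reads it.
CREATE TABLE app_users (
    user_name VARCHAR(30) NOT NULL PRIMARY KEY,
    pwd_hash  VARCHAR(64) NOT NULL
);

-- 3. An end user.  Rights are granted on exactly the tables and views the
--    application needs for that person, nothing more.
GRANT CONNECT TO alice IDENTIFIED BY '<alice-db-password>';
GRANT SELECT, INSERT, UPDATE ON orders TO alice;
GRANT SELECT ON customers TO alice;

-- 4. The "read only" id handed to outside programs: SELECT on views only,
--    no access to the underlying tables.
CREATE VIEW v_order_summary AS
    SELECT order_id, customer_id, order_date, total FROM orders;
GRANT CONNECT TO reporting_ro IDENTIFIED BY '<reporting-password>';
GRANT SELECT ON v_order_summary TO reporting_ro;

-- 5. Login sequence, run on the app_login connection after the login window:
--    validate the user against app_users, then drop to that user's rights.
SELECT pwd_hash FROM app_users WHERE user_name = 'alice';
-- (application compares the stored hash with the entered password here)
SETUSER WITH OPTION alice;   -- from now on only alice's grants apply

-- A query on a table alice was not granted fails with a permission error,
-- which is exactly what Dan's template-generated code would surface:
SELECT * FROM app_users;     -- denied: alice has no rights on app_users

SETUSER;                     -- at logout, revert to app_login
```

Outside tools given the reporting_ro id stop at the view layer, and an end user's own database password grants nothing beyond the tables listed for that user.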


