Home > Archive > MS SQL Server > November 2006 > Locking down access when a vendor application package doesn't
Locking down access when a vendor application package doesn't
We have a situation where a vendor requires all users to be in a role.
Good, right? Well, it's a single role with all access to all tables and
sprocs within the database. The vendor then controls specific access levels
from within their application (i.e. if the application says the user can
read only, then the user can read only). This is fine if the user ONLY
uses the application to access the database.
However, if the user uses EM or Query Analyzer, the database is wide open.
How can we lock this down? The vendor package is a requirement that the
business needs, but this back door stuff is 'bothersome' to say the least.
Anyone? Anyone? Thanks!
Tibor Karaszi 2006-11-16, 7:12 pm
You need to talk with your vendor about this. You can't "fix" it if the app is crap. The vendor has
three options (as I can see):

1. Read about "application roles". This is possibly the most straight-forward to implement and requires
   only very minor adjustments in the app.
2. Make the app use some secret login. Your users do not know the login name or password. You will of
   course lose traceability regarding who did what inside the SQL Server - all uses the same login.
3. Make sure the vendor uses stored procedures for data access. Your users now only need EXEC
   permissions to the stored procedures, so the damage they can do using query tools is a bit limited.
--
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://www.solidqualitylearning.com/
"Steve" <pezguy@mn.rr.com> wrote in message news:2dN6h.55$gl5.40@tornado.rdc-kc.rr.com...
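The following T-SQL is an added illustration of options 1 and 3 from the reply above; it is not code from the thread or from any vendor package. The database, role, table and procedure names (VendorDB, VendorAppRole, app_users, dbo.Orders, dbo.usp_GetOrders, dbo.usp_UpdateOrder) and the password are assumptions, and the sp_addapprole / sp_setapprole calls are the SQL Server 2000-era procedures that match the EM / Query Analyzer tooling in the question.

```sql
-- Added example (not from the thread). All object names and the password are assumed.
USE VendorDB;
GO

-- Option 3: a role whose only permission is EXECUTE on the vendor's procedures.
-- Because the procedures and the tables they touch are both owned by dbo,
-- ownership chaining lets the procedures read/write the tables without the
-- caller holding any table permission, so Query Analyzer gives a user in this
-- role nothing but the procedures to call.
EXEC sp_addrole 'app_users';
GRANT EXECUTE ON dbo.usp_GetOrders   TO app_users;
GRANT EXECUTE ON dbo.usp_UpdateOrder TO app_users;
GO

-- Option 1: an application role. The broad permissions the vendor wants live
-- on the application role, not on the users, and only the application knows
-- the password needed to activate it.
EXEC sp_addapprole 'VendorAppRole', 'Assumed-Str0ng-P@ssw0rd';
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO VendorAppRole;
GRANT EXECUTE ON dbo.usp_GetOrders   TO VendorAppRole;
GRANT EXECUTE ON dbo.usp_UpdateOrder TO VendorAppRole;
GO

-- The "very minor adjustment" in the application: activate the role right
-- after connecting. For the rest of that session the connection runs with
-- the application role's permissions instead of the user's own, while the
-- login name is still recorded, so per-user traceability is kept (unlike the
-- shared-login approach in option 2). A user typing the same statement into
-- Query Analyzer would need the password, which the application keeps.
EXEC sp_setapprole 'VendorAppRole', 'Assumed-Str0ng-P@ssw0rd';
GO

-- Verification the DBA can run while connected as an ordinary user who has
-- NOT activated the role: with no direct table grants, this SELECT is refused,
-- which is the check that the "wide open" back door is closed.
SELECT TOP 1 * FROM dbo.Orders;
GO
```

Keep the application role password out of user-reachable configuration files; if users can read it, the application role protects nothing.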