Question on Application roles.
| ChrisR 2006-02-28, 8:23 pm |
| sql2k
I'm comparing a username/password to an App role/password and I'm just not
seeing the logic here. An App either needs to supply a username/password or
a "sp_setapprole @rolename = 'TestRole' ,@password ='test'". Either way they
are granted access to the DB. Either way they can only execute what I allow
them to (A user can't run a SELECT if I don't grant him access.). How is this
any safer?
TIA, ChrisR
| |
| Adam Machanic 2006-02-28, 8:23 pm |
| Even in the case of using an app role, you still need a login to the server.
The benefit of an app role is that you can share server credentials amongst
a variety of apps, while still keeping data security partitioned. It's just
another way of slicing and dicing from a security point of view. I don't
see one method as any safer or less safe than any other method...
--
Adam Machanic
Pro SQL Server 2005, available now
http://www.apress.com/book/bookDisplay.html?bID=457
--
"ChrisR" <ChrisR@discussions.microsoft.com> wrote in message
news:427310C9-210E-4A9F-A893-F8AE89A60E94@microsoft.com...
> sql2k
>
> I'm comparing a username/password to an App role/password and I'm just not
> seeing the logic here. An App either needs to supply a username/password
> or
> a "sp_setapprole @rolename = 'TestRole' ,@password ='test'". Either way
> they
> are granted access to the DB. Either way they can only execute what I
> allow
> them to (A user can't run a SELECT if I don't grant him access.). How is
> this
> any safer?
>
> TIA, ChrisR
| |
| Ben Nevarez 2006-02-28, 8:23 pm |
|
Users do not have the password of the application role, only the application
has it.
One example is, users can have write access only thru the application role
but not using their Windows account. If they run the application they can
change data. If they use other tools like Query Analyzer or Access they would
not have write permissions.
Ben Nevarez, MCDBA, OCP
Database Administrator
"ChrisR" wrote:
> sql2k
>
> I'm comparing a username/password to an App role/password and I'm just not
> seeing the logic here. An App either needs to supply a username/password or
> a "sp_setapprole @rolename = 'TestRole' ,@password ='test'". Either way they
> are granted access to the DB. Either way they can only execute what I allow
> them to (A user can't run a SELECT if I don't grant him access.). How is this
> any safer?
>
> TIA, ChrisR
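
The split described in the replies above (each user has their own login with read-only rights, and write access exists only after the application activates the role), as an added T-SQL sketch for SQL Server 2000 that is not part of the original thread. The database AppRoleDemo, the table dbo.Orders and the Windows group DOMAIN\AppUsers are hypothetical names; the role name and password are the ones from the question.

```sql
-- Part 1: run once by an administrator.
CREATE DATABASE AppRoleDemo          -- hypothetical database
GO
USE AppRoleDemo
GO
CREATE TABLE dbo.Orders (            -- hypothetical table
    OrderID int         NOT NULL PRIMARY KEY,
    Status  varchar(20) NOT NULL
)
INSERT INTO dbo.Orders (OrderID, Status) VALUES (1, 'open')
GO
-- Users still need a server login and a database user of their own.
EXEC sp_grantlogin    'DOMAIN\AppUsers'              -- hypothetical Windows group
EXEC sp_grantdbaccess 'DOMAIN\AppUsers', 'AppUsers'
-- Their own identity gets read access only.
GRANT SELECT ON dbo.Orders TO AppUsers
-- The application role carries the write permissions.
EXEC sp_addapprole @rolename = 'TestRole', @password = 'test'
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO TestRole
GO

-- Part 2: a member of DOMAIN\AppUsers connecting from Query Analyzer.
USE AppRoleDemo
GO
SELECT OrderID, Status FROM dbo.Orders                 -- allowed
UPDATE dbo.Orders SET Status = 'closed' WHERE OrderID = 1
-- fails with a permission-denied error (229): the user has no UPDATE right
GO

-- Part 3: the same user, but on the application's connection.
-- The application, not the user, supplies the role password.
USE AppRoleDemo
GO
EXEC sp_setapprole @rolename = 'TestRole', @password = 'test'
GO
SELECT USER_NAME()                                     -- now reports TestRole
UPDATE dbo.Orders SET Status = 'closed' WHERE OrderID = 1   -- succeeds
GO
-- On SQL Server 2000 the role stays active until the connection is closed.
```

The protection holds only as long as the role password stays out of users' hands, so where the application stores that password matters as much as the grants do.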