Deny users to change data through backend
-
Hi Folks,
I have an ASP.NET web intranet application that allows users to access tables and add, modify, view, or delete records. The tables and stored procedures are in SQL Server 2005 on Windows 2003. Each of my client boxes has SQL Server Management Studio. The authentication mode is Windows. What I want is that any user other than the administrator should not have permission to change data through the back-end. The real question is that he should be able to change data only through the front-end application. If he accesses the database from Management Studio he should not be allowed to alter tables and stored procedures. My main concern is whether denying permissions on tables in the back-end would affect the functionality of adding, modifying, and deleting data through the front-end. Please help me out.
Regards, V1i9n6o7d
-
It is far simpler than locking down tables, though any lock-down is user-specific, so it won't affect your web application if done correctly. On the database holding the back-end for your app, only add the administrator and the website execution account as having access to the database. If you want to be doubly sure, then lock down that entire SQL instance to just those two users so that no one else can get in and add themselves. Don't forget to add yourself, though, or you won't be able to maintain the database when they ask for the inevitable changes. :laugh:
If you have knowledge, let others light their candles at it. Margaret Fuller (1810 - 1850) [My Articles] [My Website]
-
v1i9n6o7d wrote:
My main concern is whether denying permissions on tables in the back-end would affect the functionality of adding, modifying, and deleting data through the front-end.
Yes, of course it will. You need to formulate another strategy or refine your current one. Personally I use SQL standard credentials when my app connects to the database and give the AD connections read-only access. You may be able to lock down read-only by credential/app; I know Profiler is aware of the application, so it may be there.
Never underestimate the power of human stupidity RAH
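The scheme the two replies above describe, as an added T-SQL example that is not code from the thread: the web site connects under one identity that can only execute the stored procedures, interactive Windows users get read-only access with writes explicitly denied, and nobody else is a user of the database at all. Every name in it is a placeholder: a database AppDB, a domain CONTOSO, a web-site process identity CONTOSO\WebAppSvc (or NT AUTHORITY\NETWORK SERVICE if the site runs under the default identity), and an AD group CONTOSO\IntranetUsers for the people who have Management Studio. It also assumes that every write the front end performs goes through a stored procedure in the dbo schema, which is what lets table permissions be withheld from the application account without breaking the application.

```sql
-- Added example (not from the thread). Placeholders: database AppDB, domain
-- CONTOSO, web-site process identity CONTOSO\WebAppSvc, AD group
-- CONTOSO\IntranetUsers (the people who have Management Studio). Assumes every
-- write the front end performs goes through a stored procedure in schema dbo.
-- Run as a sysadmin; syntax as supported by SQL Server 2005.
USE master;
GO
-- 1. Server-level logins. Nothing else needs to connect to this instance.
CREATE LOGIN [CONTOSO\WebAppSvc]     FROM WINDOWS;
CREATE LOGIN [CONTOSO\IntranetUsers] FROM WINDOWS;  -- omit if SSMS users need no access at all
GO
USE AppDB;
GO
-- 2. Database users mapped to those logins.
CREATE USER [CONTOSO\WebAppSvc]     FOR LOGIN [CONTOSO\WebAppSvc];
CREATE USER [CONTOSO\IntranetUsers] FOR LOGIN [CONTOSO\IntranetUsers];
GO
-- 3. The web application may only EXECUTE the procedures. It gets no
--    INSERT/UPDATE/DELETE on the tables: ownership chaining (procedure and table
--    both owned by dbo) lets the procedure touch the table on its behalf.
CREATE ROLE app_executor;
GRANT EXECUTE ON SCHEMA::dbo TO app_executor;
EXEC sp_addrolemember 'app_executor', 'CONTOSO\WebAppSvc';
GO
-- 4. Interactive users can read, and are explicitly DENIED writes, procedure
--    execution and schema changes. A DENY wins over any GRANT they might later
--    pick up through another role, so this is what actually stops an UPDATE or
--    ALTER typed into SSMS. Keep the DBA out of this group unless the DBA login
--    is sysadmin (sysadmin bypasses permission checks, so the DENY is harmless).
EXEC sp_addrolemember 'db_datareader', 'CONTOSO\IntranetUsers';
DENY INSERT, UPDATE, DELETE, ALTER, EXECUTE ON SCHEMA::dbo TO [CONTOSO\IntranetUsers];
GO
-- 5. Close the side doors: guest must not be able to connect, and no other users
--    should be left in the database (review the rows this SELECT returns).
REVOKE CONNECT FROM guest;
SELECT name, type_desc
  FROM sys.database_principals
 WHERE type IN ('S', 'U', 'G')          -- SQL users, Windows users, Windows groups
   AND name NOT IN ('dbo', 'guest', 'sys', 'INFORMATION_SCHEMA');
GO
-- 6. Verify the web application's effective rights without touching IIS.
--    A Windows *group* cannot be impersonated, so a member of
--    CONTOSO\IntranetUsers checks their own rights by running the same
--    fn_my_permissions query from their SSMS session.
EXECUTE AS USER = 'CONTOSO\WebAppSvc';
SELECT permission_name FROM fn_my_permissions('dbo', 'SCHEMA');  -- expect EXECUTE only
REVERT;
GO
```

Two caveats decide whether this answers the original concern. First, the site must connect as its own process identity: if web.config turns on ASP.NET impersonation with Windows authentication, the database sees the browsing user rather than CONTOSO\WebAppSvc, and the DENY above would break the front end for exactly the people it is meant to restrict. Second, once everyone reaches the data through one account, the database can no longer tell users apart, so any rule about who may add, modify or delete what has to be enforced in the application code; the same applies if SQL Server authentication with a single application login is used instead of a Windows service account.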
-
-
Each application runs under some credentials. The ASP.NET application runs on a different user account than the one that you use to log into your Windows machine. This is done to enhance security: the application doesn't need all those permissions that you have. The built-in ASP.NET account is the one that runs the application. Alternatively, you could switch your database to use "SQL Server authentication".
I are Troll :suss: