Security For Application Role


We have an application that uses an approle to read from the database. If the client logs in to Windows as administrator or a name that has administrator rights, the application can get all data. If the client logs in to Windows as a domain user that has limited rights, the application can't get all data.
I ran Profiler and found that it seems, when the application uses the approle to access a database, the login name is the domain user that logged into Windows. Does anybody know what type of rights the Windows login name should have in order to get all data from a database?

Second question: when I log in to Windows as domain\username (username is not administrator, but has administrator rights), in Profiler I can see the application uses this domain\username to access the database. However, under the SQL Server login node, I didn't find domain\username. Is this because the domain\username belongs to BUILTIN\Administrators?
 
Thanks




View Complete Forum Thread with Replies

Related Forum Messages:
Sql 2005 Database Role Vs Application Role ?
I've been reading over the documentation and some stuff online, but I still don't really understand what the difference is and when you would use one vs the other. Can someone put it in simple terms for this dummy (me)?

thanks

View Replies !
Use An Existing AD DL Security Group For Security Role
I want to use an Active Directory security group that is a Distribution List for a new role assignment for an existing report.  Can someone tell me if this is possible?  I get an error each time I try:

"The user or group name <DLName> is not recognized. (rsUnknownUserName)"

View Replies !
Application Role, App Role
Hi all, I am trying to connect to the database using application role. But it gives an error:

An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified)

for the given connection string:

Dim connstring As String = "Data Source=Northwind;Initial Catalog=OrderProcessing;Persist Security Info=True;UserID=application_login;Password=wewewe;"
Dim cmd As SqlCommand
Dim param As SqlParameter
Dim cookie As Byte()
Dim cn As New SqlConnection(connstring)
If (cn.State = ConnectionState.Closed) Then
    cn.Open()
End If

Please help..

Thanking you, Nirmala

View Replies !
Application Role
I am confused . What is considered an application and how SQL would know ?

If I have a web site accessing SQL VIA IIS will SQL Server treat it as an application ? How about MS Excel ?

Also , If I was to use the application of Power builder , using app role , how do control which user can use the app ?

Thanks

View Replies !
Application Role
With reference to Mr. Eric Charron's article about Implementing Application Roles in SQL7, I have used this tips in my application. But I am facing the following problems. I am looking for some solution from this User's Group.

Problem:

I am using application (VB6/SQL7) role. I have number of reports. To display reports I follow the following steps.
1) Open Connection
2) Set application role
3) Execute procedure for the report
4) Close the connection

Since I have no. of reports, I go through the above steps no. of times. For the first 2 times it works fine but the 3rd time, it gives an error, i.e. application role not set properly.

RM Joseph

View Replies !
Application Role
 

hi all !
 
first time i created application role with read and write permissions ,
once application accessing automatically it assigns read and write permissions to that users or
previously what permissions are there in logins will it be reflected to that application role.

once we create the application role , is there any changes we have to do in coding part

please clear my doubt.
 
regards
manoj

View Replies !
Troubleshooting A New Application Role
Hi all,

This one is a real X File, just without Mulder, Scully or the Lone Gunmen!

I have a database, to which access must be restricted via a sole application. So, I have to use an application role. I go in the database and run these statements to add and activate the roles, respectively;

Exec sp_addapprole 'Sirius', 'password'

(The system confirms the role is created.)

Exec sp_setapprole 'Sirius', 'password', 'odbc'

(The system confirms the role is activated.)

Right, now I should not be able to connect using anything but this role, agreed? But here's where things go wrong. I can then successfully connect from another computer by using MS query from Excel, from a login that is not even a member of the Public Role!

I tried again, started and stopped the Server/DTS/Agent services and dropped the old role after each successful login before recreating it. I've checked my syntax exhaustively. I must be doing something wrong, or overlooking something, otherwise MS has a major security problem! (Just hope the Cancer Man doesn't find out!!)

Thanks in advance everyone,


Jaishel.

View Replies !
Application Role And SSRS
Hi dear reader

I made an application that uses a Sql Server 2005 Express DataBase.

In the database I made a application role.

When the user logs into my application I run this procedure:

If Not sqlConnectionCR Is Nothing Then
    If Not sqlConnectionCR.State = ConnectionState.Open Then
        sqlConnectionCR.Open()
        SqlConnection.ClearAllPools()
        ConsultasSqlCommand = New SqlCommand
        ConsultasSqlCommand.CommandType = CommandType.Text
        ' Activate the application role on the open connection
        ConsultasSqlCommand.CommandText = "sp_setapprole 'appRole', 'drowssap'"
        ConsultasSqlCommand.Connection = sqlConnectionCR
        ConsultasSqlCommand.ExecuteNonQuery()
    End If
Else....

I understand that this procedure connects to my sqlserver database as my application role

Ok, so far no problems in reading and manipulating data.

The problem comes with the reports in my application. For example: I have a reportviewer with a serverreport but when I try to show the report gives an error about permissions and grant access....

I think that is because the Server Report uses the user account (domain/user) to read the database. No user (besides admin) has access permissions in the database (only admin and application role).

So, my question is: How can I tell Report Server to use the application role to display reports?

Thank you for your time and help.

Giber

View Replies !
BULK INSERT And APPLICATION ROLE
I want to add bulkadmin permission to my application role. Is it possible? My Windows account has only public permission on the database. I'm using an application role:
EXEC sp_approlepassword 'MyRole', 'password';
Therefore I want to BULK some data with the BULK INSERT command. The error is:
The current user is not the database or object owner of table 'tablename'. Cannot perform SET operation.
Thanks in advance.

View Replies !
Use SQL 7.0 Application Role With Crystal 8.0 Crpe32.dll
using vb6 and crystal global32.bas to make function calls to the crpe32.dll and there doesn't seem to be any calls to pass the application role id with password. ap roles must be passed at the ad hoc level, which means i have to execute the system stored procedure for the ap role thru crystals connection to the sql server. HELP....seagate has tried to help, but want me to use odbc dsn, which is exactly what i'm trying to avoid. oledb provider works like a champ, except for app roles with crystal.

View Replies !
Connecting To A Database From VB Using An Application Role
I know how to create an Application role in SQL server 7. Now how do I connect to the database from VB using that Application Role? I can't find anything about this topic anywhere. Is this the purpose of an Application role or am I way off?

Thanks for the help

Steven Abt
StevenA@grsgroup.com

View Replies !
Application Role And SQL Express (2005)
Hello,

Can I confirm whether  pooling=false  in the connection string is still required for SQL Server 2005 (Express Edition)?

Various google searches say pooling has to be turned off for SQL Server 2000, but I was just wondering whether it is still a limitation for SQL Server 2005

Thanks

John

 

View Replies !
Accessing Sys.syslockinfo From An Application Role
In SQL Server 2005, you must have the VIEW SERVER STATE permission in order to access sys.syslockinfo (http://msdn2.microsoft.com/en-us/library/ms189497).

View Replies !
Create Database With Application Role...
Hi,

I want my application to create database and I do the following things:

1)Create application role
2)Grant create database to application role
3)Activate application role
4)Create database

and I get the answer:

CREATE DATABASE permission denied in database 'master'.

View Replies !
Application Role Losing Connection?
Hi,

I'm testing the use of application roles for security. The customer I work for has still a lot of ASP intranet applications running. We're migrating the databases to a SQL Server 2005 server.

I've changed the connection string to a user without any permissions but to log on. After that I use an application role for permission to select different tables and to execute Stored Procedures.

The first queries do execute but after that I get "Permission denied", like I haven't got the application role anymore.

Any ideas?

Adrian

View Replies !
SECURITY - Sysadmin Role
Hi all,

Our SQL2000 server now allows all members of the Windows 2000 local administrators group to log in with the SysAdmin role.

I only want a couple of people with the sysadmin role. What should I do
to prevent that? I was told once that I should delete the
BUILTIN\Administrator ID and manually add each Windows login ID
to SQL Server. Am I on the right track?

Thank you for your help.

View Replies !
Security Role For SQL Agent Job
Hi,
Which role can we assign to a user other than Sysadmin to be able to see and execute all SQL Agent jobs?
Thanks,
Ravi

View Replies !
Web Application And Role Management In Sql Server 2005
Hi every body

I'm developing a web application and I'd like to use the SQL Server 2005 role management features instead of developing a role management package in my program. I can do it on my tables and other database items but I have no idea about using database access rights in my web pages to permit someone viewing or updating a web form... Is there any system table or system stored procedure showing access rights in my database? Or is there another idea to do this?

Thanks

Javaneh

 

 

View Replies !
SQL Server 2005 Application Role's Problem
 

Hi all.

I have developed a VB6 program which will activate an Application Role to UPDATE and INSERT some tables in SQL Server 2005.

My program will login with a username, say USER and then run with the rights of the Application Role which will SELECT, UPDATE and INSERT the following tables:
1) Table A
2) Table B
3) Table C

The USER login is a restricted user which has only SELECT permission to Table A, B and C.

I encounter a problem in which my program can only UPDATE Table B and Table C but not Table A. I have double checked the settings of Table A, Table B and Table C. They are all the same. FYI, the column which can't be updated is of type "datetime".

Once i grant USER login UPDATE permission to Table A, my program works perfectly in which it can UPDATE all the tables including Table A.

I have tried for almost 2 days but am still clueless. Any ideas?

Thank you so much.

View Replies !
Sending SQL 2005 Dbmail When Using Application Role
I am attempting to use dbmail from an application that logs in to my database using an application role.  Since the application role does not exist outside the database, I created an spSendEmail in the database with "execute as login='mailagent'" in it:  I set the database to trustworthy, created a 'mailagent' account and added it to the msdb database with the databasemailuser role rights.

Email works just fine on the server when I use the execute as login='mailagent' to fire off the msdb..sp_send_dbmail.  But from the .NET application, I get the error: "Cannot execute as the server principal because the principal 'mailagent' does not exist, this type of principal cannot be impersonated, or you do not have permission."  When I run my spSendEmail stored procedure from the calling database, I get the same error.

View Replies !
Get Sql Err Message 15422 When Activating Application Role.
Running VB 2005 Express Edition and Sql Server 2005 Express Edition (SQLX).

Developing a desktop application which calls a local instance of ".\sqlexpress".

This app needs to set data base options and add/del various table columns.

When activating the application role, I get the following message:

HariCari SQL Error/s  15422 - Application roles can only be activated at the ad hoc level.

Anyone know what this message means?

I have searched SQL Server Books On-Line and been unable to find a list of Sql err numbers.  Either I have missed the obvious or Books On-Line has missed the obvious.

Thanks

Gary

 

View Replies !
Login Failed For 'user' (Application Role)
I've created a database in SQL Express and I have a Windows form attempting to connect to it through SQL Authentication. Connection string:

private string connString = @"Data Source=.\sqlexpress;Initial Catalog=SQLTestDatabase;User ID=SearchAppRole; Password=password;";

The role I have added to the database is an Application Role. It has been added to the Database permissions with Grant checked for "Select" and "Authenticate".

If I test this with query analyzer, it returns expected results (if I remove Grant from 'Select', it fails)

sp_setapprole 'SearchAppRole', 'password'

select * from recipe

If I edit my connection string (for testing purposes) to use the sa account, the application can connect and run the Select statement:

private string connString = @"Data Source=.\sqlexpress;Initial Catalog=SQLTestDatabase;User ID=sa; Password=sa_password;";

However, I cannot get the application to successfully logon and run the select statement when using the user id and password of the Application Role. I get error:

System.Data.SqlClient.SqlException: Login failed for user 'SearchAppRole'. at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)  at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj


I can't find much information on Application Role...I just want one basic permission for the application as a whole. Any help is appreciated. Thanks.

View Replies !
Role Based Security Issues
I am attempting to set up a new user that has only the ability to run reports in the report manager.

I have created a new ActiveDirectory entry for DOMAIN\ReportUser.  I have created a new folder with the reports, and have set this user as a Browser role on this directory, and all reports in the directory.

I have made it through the security maze to gain access to these reports as this user, but I cannot dynamically run the reports.  As the BUILTIN\Administrator (content manager), I get a grayed background on the parameters and can run the reports.  As this DOMAIN\ReportUser, I get what looks like HTML parameter items, and cannot run a dynamic report.  Even if I change the role of this user to Content Manager, I still cannot run a dynamic report.

How do you properly set up a user to be able to dynamically run, and only run, a report in Report Manager, and have this user only see reports in a single folder?

I have been fighting the security issues of creating a RS site and properly setting up access, and have yet to find a single site or person explaining the entire process in any coherent method.

Mark

 

 

View Replies !
Folder And Role Security Question
On our report server I have several folders.   I would like to set up security such that a user doesn't see any folders except the "My Reports" folder (I enabled the My Reports site option) and a few other folders I specify.   These are a shared folder and the models folder.
 
Is there a way to create a system level role that by default can't browse any folders except My Reports and ones I specifically grant?  I would also like this person to default to having the item level security role of report builder to create reports off of report models.   
 
The only way I have been able to accomplish this so far was to add the user to the system users site level role and then go to every undesired folder and delete the item level role assignments for the user.   It seems odd for the user to have access to every folder then to remove permissions from each folder.   Should I create a role with no tasks and then selectively add in the permissions to the desired folders?
 
I did try creating a new system level role that only had the Execute Report Definitions task assigned and assigned the user exclusively to this role but they could still see all of the folders and their My Reports folder.   When I created a new folder the user had been defaulted to item level roles of Browser and Report Builder.   I suspect these defaults are what caused the new folder to be visible as soon as I created the folder.
 
I searched the forum for my question so hopefully I am not causing a re-answer of this question. 
 
Thanks in advance,
Sean

View Replies !
Application Role How Query A View Whose Reference Table Is In Another Db?
Hi everybody.
I created  an application role in a database (DB1) and gave it all the rights on a view  in DB1 which refers to a table located in another db (DB2).  I also gave the rights to the app role on a table of  DB1
I tried to use this app. role through the sp_setapprole launched by a user  (server principal?) which is SQL Server administrator (and local administrator (Win 2003 Server)).
With the following query
SELECT USER_NAME()

I see that the approle is being used.
Then, if I query the table on DB1 everything works, but if I query the view, referring to a table in DB2, I get the following error:
 

The server principal "NameOfServerPrincipal" is not able to access the database "DB2" under the current security context.
What should I do to make it work?

The table in DB2 has the same schema of the view in DB1 which refers to it.
I put the DB1 TrustWorthy and both the database have the db_chaining option activated.
 
Any idea on how to solve the problem would be widely appreciated.
Thank you very much.
Vania
 

View Replies !
SQL Server 2000 And 2005 - Application Role - Sp_setapprole
Hi All,

Is there any limitation for setting password to an approle (like it should be 8 character long, should not start with numbers) ?

If so, what are those limitations ?

Is the same applicable for sp_setapprole, which uses the same password?

please confirm, for both SQL Server 2000 and 2005 versions.

thanks in advance,

Regards,

Kailai

View Replies !
Role Based Security And Child Groups
Hi All,

 

I have a report running and I am attempting to assign role based security.  I added a group to the site level security.  The group I added contains child groups.  It doesn't seem that report server is looking into the child groups to see if the logged in user is a member of the child group.  Is there any way to get this to work instead of adding all the groups directly?  I suspect that report server is using cominterop and cominterop is not traversing the directory tree?

 

Thanks,

Darren

View Replies !
Report Builder Role Based Security
From Books Online Help:

In the role-based security model that is implemented for Reporting Services, users who are assigned to the Content Manager role can create and edit reports in Report Builder. Local administrators are automatically assigned to this role.


If you want other users to be able to work with a Report Builder report, you must create a role assignment for them that includes the default role "Report Consumer." Alternatively, you can create a custom role definition. As long as the customized role includes the "Consume reports" task, users who are assigned to that role will have sufficient permission to create and modify reports using Report Builder

---------

However, when I try to give a contact those rights, the "Report Builder" link still does not show up for my users.  Is there any other place where I can examine the security rights to see why the Report Builder permission is not granted to my users?

View Replies !
Public Role And Guest Security Concern In SQL 2000 SP4
Hi all,

I have set up a new SQL 2000 SP4 and the internal auditor queried about revoking permissions from the Public role and removing guest from all databases.

1. Can I revoke all default permissions (select on system tables in all DBs) from the "Public" role? I am concerned about any errors after such an action.

2. I found the guest account in these DBs: master, tempdb and msdb. According to Microsoft documents, the account should not be removed, and can't be, from master and tempdb. How about msdb?

Thanks,

Regards,

Edwin

 

View Replies !
Inheritance Of Security Role In Folder Structure Of Reports
Hi,
I have a folder structure of reports like this
        Home
          |
         / \
        A   B

Now, suppose I have created this folder, A first and user, say A_User is given permission to view this folder. I am expecting this user to browse from 'Home' to A folder but as you know to browse folder 'Home'  he must also be added to 'Home' folder . So I add him to 'Home' now.

The problem comes when I add new folder B, for user B_User. The moment I add this folder A_User is also added to folder B because of the inheritance of users to child folders.
So user A is able to see both A and B folders....and that's my problem, he is supposed to see only the A folder and not B.

Is there any way to disable this inheritance feature??
I tried deleting A_User from B with a script using the "InheritParentSecurity" method of ReportingService but it says that it cannot delete inherited users.

How can I fix the problem, without needing to manually delete users from folders??

thanks

prashant

   

View Replies !
Uploading SQL Express To SQL Server 2005 - Role's Causes Application Error With SSE Provider
I am very frustrated.  Everything works on the local host but when I upload to the server I can log in to the admin role I created, but when I try to access pages that have role privileges I get the following error:
The SSE Provider did not find the database file specified in the connection string. At the configured trust level (below High trust level), the SSE provider can not automatically create the database file.
The ASPNETDB.MDF database was uploaded using the Database Publishing Wizard.
Please help!

View Replies !
Advice On Security Model For XML Web Services For Many Users In Active Directory Role
I am working on the security model for an application that will be used by 100s of users with a dedicated SQL 2005 database for this application and access via SQL XML Web Services.

The client has asked to make it "open" during alpha testing such that anyone can access the web services without having to set them up first. Is there a way to do this? The best I can figure is to use mixed mode security and hard code a login and password. Any method using Windows authentication would require that I add every user at a minimum to the database.

In production, all users will have an active directory role specified that determines if they should have access to the web services or not. However, it is my understanding that to use Windows authentication, I would still need to add each individual user at a minimum as a Login to the SQL Server, and under best practices also as database users with permissions granted to the endpoint.

Am I correct in the above, or is there a more efficient way to achieve these results?

Thanks

-L

View Replies !
DB Security Vs. Application
We are rolling out mssqlxpress to our development staff and would prefer to alter their permissions so that they can only make changes using mssqlxpress (since it integrates nicely with VSS).

So our choices are to uninstall SQL Enterprise Manager and SQL Query Analyzer, or more preferably, alter their NT Permissions so that they do not have the capability to change anything in the DBs.

My concern is that it seems we can only set their permissions from DB level and not the application, does that sound correct? Has anyone else had to deal with this predicament and is there an alternative to uninstalling the SQL Client tools?

View Replies !
Designing Security In An Application
With my next application, I'm thinking about establishing a new security paradigm for my programs, with respect to SQL Server.

In all my previous applications, connections are established using SQL Server authentication. So, all my users may log-in under a single log-in, mapping to a single user in a database. My application then has to use its own security arrangement to determine who has access to what forms within the application. There are three major problems with this design: 1) the user name and password to connect to the SQL server have to be resident as strings somewhere in the application code (or ancillary files), 2) everyone connecting to the SQL Server "looks" the same, and 3) you have to give the broadest rights to everyone with the same login and then pare those rights down within the application itself.

By implementing multiple SQL Server Authentication logins I can mitigate problems 2) and 3), but the only way to eliminate problem 1) is to move to Windows Authentication.

Windows Authentication would allow me to resolve all three design constraints, but there is one problem that I see coming as a result.

If I use Windows Authentication, each user must have an independent login to the SQL Server. If I have an application that may have 4,000 to 6,000 users, does that means I have to have 4,000 to 6,000 logins set up on SQL Server?

Is that true?

I could, of course, generate a script to build all 4,000 to 6,000 users, but I am concerned about this.

Is this a "normal" arrangement that SQL Server has no problem-with?

View Replies !
Security- Application Roles
We are looking to make our applications as secure as possible. I am interested in how well Application Roles work to make security tighter.

Have you used Application Roles? If you have, I'd like to know if it helped provide better security or not and if it did, how was it implemented in your production environment. I already know how to get it set up, I'm just wondering if it's really worth the trouble.

Thanks!

View Replies !
Yet Another Question On Application Security....
Ok, I have read a few articles regarding application security and it seems to me that Microsoft just doesn't get it.

As others have posted, Vendor packages are not normally controlled by the IT staff... they do what they do.  When an application is used for mission critical data, it becomes important to lock down that data as best as it can be under the limits of that application.  Yet what is often lacking in a vendor package is thought about what opening up the database means.

We are using a Vendor package that does not allow for application security to be set.  In other words, it uses windows authentication to grant Database access.  As many others here have noted, this opens the database to manipulation via any other tool the user has at their disposal.

It seems that the general reply here is that we should get the vendor to change their package to allow for Application level security.  Good Luck! 

I am not a DBA (must be obvious at this point) and i do not know all the what's up and coming, but generally as a system support person, i must deal within the environment i am given.  Here's what I see as the environment I am working under, the problem and the preferred solution.

Application only allows windows authentication. 

The users must be allowed full access to the database in order for the application to perform updates as needed. 

Security to specific data by company is controlled within the application to determine what a specific user can change.

Granting security to a user ID allows them to access and change data at will through an alternate product (E.G. Enterprise manager, MS Access etc.) without regards to the security built in to the application.

SQL Server knows what ID is requesting data and knows what application is generating the request (I have seen screen prints of the list of who is logged into the database and right alongside the UserID is the Application Name).

If SQL server knows these two bits of info, why is it so difficult to allow SQL server to append the Application name onto the user ID and allow access to the DB only via this combination?  The permissions can be set up with some combination of UserID/Application name and no special security, no messing with special application passwords/aliases, no pleading with Vendors to make changes  and best of all.... satisfying SEC rules for locking down DBs.

Am i missing something?  Does anyone know how i can accomplish this simple task without stressing out the DBAs?

Thanks for all your help and creative ideas!

Rob

View Replies !
Good DB Practice For Application Security
Heres the problem.

Say I'm writing a bulletin board - a user can be a moderator, regular poster, part of a group, have access to some threads but not others etc. In other words, there is a lot of application security kicking about.

Right, my database is chock full of tables with structures like "userthreadsecurity(user_id, thread_id, accesslevel)", "usercategorysecurity(user_id, category_id, accesslevel)".

I feel the need to do it like this because the database needs to have a definable foreign key for predictable indexing.

What I could do is have a single table with a field denoting the object that a security policy is being accessed i.e. a thread, the user_id and the access level. However, this would screw the indexing as the predictive indexer in SQL2k for example, wouldn't have any FK constraints applied to it.

What do most people do?

Rob

View Replies !
Application & Database Security Consultant
Looking for a consultant with solid experience in application and database security for a project in the GTA.

CONTACT
---------------------------------------------------
Please send your resume to: Join Bytes!

View Replies !
Linked Servers And Application Security
I am developing a SQL based, SQL Server centric application (SQL 7). The application is using multiple linked servers to different sources (i.e. Oracle, DB2, Sybase) located on different machines, and multiple stored procedures based on dynamic SQL. If a particular linked server is down, the dynamically generated SQL string should be changed.
That all was relatively simple :-). The complicated question is: how to define that the linked server is down?

Glen

P.S. Please do not submit suggestion like : "Use @@ERROR" ; "Open BOL and read" etc... The question is not as simple as it looks :-)

View Replies !
Application Login And Integrated Security
Hello,
 
We're having a bit of a problem getting Integrated Security to work with a .Net 2.0 application and SQL 2005. While we're tweaking permissions on the SQL-side, we came across an account "Application Login" and wondered what its role is. First, our problem:
 
Currently, the users in the AD group get a connection error. This group is defined as follows at the instance level:

role: public
user mapping: to the database without any default schema
securables: none
status: grant and enabled
 
At the database security level:

general: none
securables: execute on all (100+) stored procedures
 
And we gave them "Execute" on the database itself.
 
A little background: we had detached and copied this database from one server to another. So we suspect that the Application Login may have been modified/corrupted, even though it appears to be identical between the original and the copied databases. So we redefined it on the copied DB to match the original.
Another group, which is defined as dbo on the database, has no problem at all connecting and running the application.
 
The Application Login has Execute permissions on all stored procedures and Delete, Insert, Select, Update, and View Definition on the ChangeLog table. It also has db_DataReader, db_DataWriter, and db_ddlAdmin roles associated with it.
 
Is there another SQL login required for initial connection to the database even though Integrated Security=SSPI is used in the connection string?
 
Does anyone see where we may be missing a security setting for the non-dbo user group to connect to the database?
 
Thanks very much for any suggestions, ideas ....
Cheers,
Tess

View Replies !
Application Access With Integrated Security Model
Hi, does anyone have a solution for this situation? Multiple custom applications that need to have common profiles for varying permission levels and still be able to maintain an audit trail using integrated security. I know that I can set up aliases and then map the login to an alias to achieve the common profiles. What I do not understand how to do is to discriminate between individuals using the alias. This is a requirement for the audit trail using the login name. What is the best way to accomplish this?
Thanks Bob

View Replies !
SQL Server Security Setup For Web Application Access
All:

 I am writing an Internet/Extranet based (ASP.Net 2.0) web application that uses SQL server 2005 as the database. I am using forms authentication on my web application. I am also storing the connection string to SQL server in my web config file. The conn string is encrypted using DPAPI with entropy. I currently have created a SQL login account on my SQL server for use by the web application. This is the user ID I am using in my conn string. The reason for this is because all persons using the application will NOT have a windows login.

Here is my question: The login I created currently has defaulted to the "dbo" role and therefore has "dbo" rights to the database. I want to set up this login account so that all it can do is execute stored procedures. I don't want this SQL login to be able to do anything else. In my application I am using stored procedures for ALL data access functions, via a data access layer in my application. Can someone guide me step by step as to how to set up this type of access for this SQL login?

 Thanks,

Blue.

View Replies !
Unauthorized Operation Setting Application Security Through VS2005 (Why?)
I'm attempting to set up the de facto MS security for membership and roles, using a newly created database under SQL 2005 (not express). I created the database using the aspnet_regsql.exe utility and that worked fine. I created my provider connection string logging in as 'sa' with the proper password. All that seemed to work okay too. However when I attempt to change any of the settings like setting the authentication type or enabling roles, I get the following error message:

The following message may help in diagnosing the problem: Attempted to perform an unauthorized operation.
   at System.Security.AccessControl.Win32.SetSecurityInfo(ResourceType type, String name, SafeHandle handle, SecurityInfos securityInformation, SecurityIdentifier owner, SecurityIdentifier group, GenericAcl sacl, GenericAcl dacl)
   at System.Security.AccessControl.NativeObjectSecurity.Persist(String name, SafeHandle handle, AccessControlSections includeSections, Object exceptionContext)
   at System.Security.AccessControl.NativeObjectSecurity.Persist(String name, AccessControlSections includeSections)
   at System.Security.AccessControl.FileSystemSecurity.Persist(String fullPath)
   at System.IO.File.SetAccessControl(String path, FileSecurity fileSecurity)
   at System.Configuration.Internal.WriteFileContext.DuplicateTemplateAttributes(String source, String destination)
   at System.Configuration.Internal.WriteFileContext.DuplicateFileAttributes(String source, String destination)
   at System.Configuration.Internal.WriteFileContext.Complete(String filename, Boolean success)
   at System.Configuration.Internal.InternalConfigHost.StaticWriteCompleted(String streamName, Boolean success, Object writeContext, Boolean assertPermissions)
   at System.Configuration.Internal.InternalConfigHost.System.Configuration.Internal.IInternalConfigHost.WriteCompleted(String streamName, Boolean success, Object writeContext, Boolean assertPermissions)
   at System.Configuration.Internal.InternalConfigHost.System.Configuration.Internal.IInternalConfigHost.WriteCompleted(String streamName, Boolean success, Object writeContext)
   at System.Configuration.Internal.DelegatingConfigHost.WriteCompleted(String streamName, Boolean success, Object writeContext)
   at System.Configuration.UpdateConfigHost.WriteCompleted(String streamName, Boolean success, Object writeContext)
   at System.Configuration.MgmtConfigurationRecord.SaveAs(String filename, ConfigurationSaveMode saveMode, Boolean forceUpdateAll)
   at System.Configuration.Configuration.SaveAsImpl(String filename, ConfigurationSaveMode saveMode, Boolean forceSaveAll)
   at System.Configuration.Configuration.Save(ConfigurationSaveMode saveMode)
   at System.Web.Administration.WebAdminPage.SaveConfig(Configuration config)
   at ASP.security_setupauthentication_aspx.UpdateAndReturnToPreviousPage(Object sender, EventArgs e)
   at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
   at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
   at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Anyone have any clue why this is happening? Do I need to add something to the database as far as users/roles go? I figured 'sa' would have free roam, but something permission-wise just isn't jiving.

View Replies !
Security Error When Execute Sp From An Application, But Not From SQL Management Studio.
 
Hello,
I am facing a very odd behavior with SQL server 2005.
I have a database role with specific permissions to execute only some of the stored procedures in the database. I also have a SQL login/user attached to the role.
 
If I execute one of the stored procedures from the application (web application, with Microsoft enterprise library database block) I am getting a security error stating that I need select permission for the schema.
However, if I execute the same sp with the same parameters from SQL management studio, connecting with the same SQL login as in the application, I can execute the sp without any security errors. The SQL management studio is on a different server than the targeted database.
 
Are there any differences between executing stored procedures from SQL MS and from application when using the same SQL login?
 
Thanks,
IT

View Replies !
SQL Server 2005 Security Setup For ASP.Net Web Application Data Access - HELP!
 

Here is my situation: I am creating a database driven ASP.Net web application that will be used over the internet. My ASP.Net application connects to my SQL server 2005 database/server by using a SQL server login. I am using the DPAPI API to encrypt my connection strings with a hidden entropy value for extra security. I am using the SQL login for obvious reasons, as my users will not have a windows login.

What I am trying to do: I want to limit this SQL login account to be able to just run/execute stored procedures and NOT access the tables or views directly. In my ASP.Net application I am using the MS applications data block, and I am using stored procedures for every single database access action. There is no inline SQL being executed from my web application.

What I have tried so far:


I created a new schema and made the above SQL login account owner of this schema. I then granted "Execute" permissions to the SQL login and DENY permissions to all other permissions.

I created a database role with "Execute" only permissions and DENY permissions to all other permissions.

What Happened: In BOTH of the above scenarios I tested a direct SQL statement against one of my tables, from my ASP.Net application, and I was able to retrieve data back. NOT GOOD, exactly what I am trying to STOP.

If someone could give me a (Step-by-Step) guide on how to set up the situation I am looking for, I would be very grateful!

 
Thanks to all that help!

View Replies !
Application/Security Design: Stored Procedures Versus SQL Queries
Hello everyone,

I don't know what category would be appropriate for this question but security seems to be close enough.

I have this case scenario: I am running an automated application that extracts data from a web site and stores the data into a table on SQL server 2005. This information is not confidential in the extreme of social insurance #'s, bank account #s, but should not be seen by a typical employee (it has no use for them). After the data has been stored, it retrieves the data from the same table, processes it, and updates the same table. This application runs every hour infinitely.

Should all the insert, update, and select queries be stored under a stored procedure? I am not concerned with performance. My concern would fall under design and security.

Is it worth hiding the details of inserting/updating/selecting behind a stored procedure? Or should I just allow the program to send select/update/insert SQL queries?

No employee (other than the developer and the DB admin) or customer ever accesses this table (They do not have permission from SQL). The username and passwords were created with security in mind.

 

Any thoughts or ideas?

Thanks for your time, Adrian

 

View Replies !
Advice Needed (Enterprise Level Application Security With Merge Replication)
I am involved in a development project of an enterprise level hosted application. The main product is a smart client application, and will soon have an embedded sql express option. At the moment I am building the WM 5.0 mobile application and have been advised against using merge replication to synchronize the databases.

The reasons have been that our main SQL 2005 database is on a hosted server that would have to open ports directly to the internet for the merge replication to do its thing. So far I have built some really pain in the *** manual synchronization that loops through every table it needs to sync looking for a last modified time... pushing and pulling this way. This way it can pass DataSets through a web service just like the smart client app is working today.

Is Merge Replication acceptable or even safe in a situation like this? Any advice or opinions would be appreciated.

Thanks.

View Replies !

Copyright © 2005-08 www.BigResource.com, All rights reserved