sql2k
I'm comparing a username/password to an app role/password and I'm just not
seeing the logic here. An app either needs to supply a username/password or
a "sp_setapprole @rolename = 'TestRole', @password = 'test'". Either way they
are granted access to the DB. Either way they can only execute what I allow
them to (a user can't run a SELECT if I don't grant him access). How is this
any safer?
TIA, ChrisR
Even in the case of using an app role, you still need a login to the server.
The benefit of an app role is that you can share server credentials amongst
a variety of apps, while still keeping data security partitioned. It's just
another way of slicing and dicing from a security point of view. I don't
see one method as any safer or less safe than any other method...
Adam Machanic
Pro SQL Server 2005, available now
http://www.apress.com/book/bookDisplay.html?bID=457
Users do not have the password of the application role, only the application
has it.
One example is, users can have write access only through the application role
but not using their Windows account. If they run the application they can
change data. If they use other tools like Query Analyzer or Access they would
not have write permissions.
Ben Nevarez, MCDBA, OCP
Database Administrator
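The split both replies describe, a shared login that can only read directly and application roles that carry the write permissions, as an added T-SQL example for SQL Server 2000 (this is not code from the thread; the database AppDb, login app_login, table dbo.Orders, the two roles and all passwords are made up for illustration):

```sql
-- Added example, not from the original thread. SQL Server 2000 syntax
-- (sp_addapprole / sp_setapprole). All names and passwords are assumptions.
USE AppDb
GO

-- Constructed sample table the permissions below apply to.
CREATE TABLE dbo.Orders (OrderID int PRIMARY KEY, Status varchar(20) NOT NULL)
INSERT INTO dbo.Orders (OrderID, Status) VALUES (1, 'Open')
GO

-- One server login shared by every client program, as Adam describes.
-- Anyone who knows it (or who connects with their Windows account in the
-- same way) can only do what is granted to the user directly.
EXEC sp_addlogin @loginame = 'app_login', @passwd = 'L0ginPwd!', @defdb = 'AppDb'
EXEC sp_grantdbaccess @loginame = 'app_login', @name_in_db = 'app_login'
GRANT SELECT ON dbo.Orders TO app_login
GO

-- Two application roles for two programs on the same login, each with its
-- own password and its own permission set (Adam's "partitioned" data security).
EXEC sp_addapprole @rolename = 'OrdersApp',  @password = 'OrdersAppPwd!'
EXEC sp_addapprole @rolename = 'ReportsApp', @password = 'ReportsAppPwd!'
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO OrdersApp
GRANT SELECT ON dbo.Orders TO ReportsApp
GO

-- Session 1: a user connected as app_login from Query Analyzer (Ben's case).
-- SELECT works; UPDATE fails with "permission denied" because the login
-- itself was never granted it.
SELECT OrderID, Status FROM dbo.Orders
UPDATE dbo.Orders SET Status = 'Shipped' WHERE OrderID = 1
GO

-- Session 2: the order-entry program, same login, activates its role.
-- From this point the connection holds only OrdersApp's permissions, not
-- app_login's, and in SQL Server 2000 the role cannot be switched off again
-- for the life of the connection.
EXEC sp_setapprole @rolename = 'OrdersApp', @password = 'OrdersAppPwd!'
UPDATE dbo.Orders SET Status = 'Shipped' WHERE OrderID = 1   -- now allowed
SELECT USER_NAME()                                            -- reports the role, not app_login
GO
```

Two caveats a practitioner would want alongside this. First, the scheme is only as strong as the secrecy of the role password: it lives inside the application (binary, config file, or connection code) and, unless the call is made with the ODBC `{Encrypt N '...'}` form and `@encrypt = 'odbc'`, it crosses the network in clear text, so a user who can read either has exactly the write access the role was meant to withhold. Second, because activation is one-way on SQL Server 2000, give the application a dedicated connection for the role rather than activating it on a pooled or shared one.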