Pierre
10/14/2001 1:36 AM

Microsoft Project can save projects to an SQL Server database, through ODBC. MSProject's users must have logins and suitable permissions, like datareader and datawriter, for this to work. Is there a way I can prevent these users from accessing the MSProject's database without using Project, going directly through ODBC? Thank you.

Chip Andrews
10/16/2001 9:49 AM

Normally I would advise you to look into application roles since that is what they were primarily designed to do. However, in the case where you are not the developer of the application (MS Project) you will need to work within the constraints of that app. I will state for the record that I am not familiar with MS Project's configuration settings, but assuming it uses an Integrated security model I would advise you to look at these possible solutions:
1. Place the SQL Server on a separate subnet from the users and only allow direct connectivity to the IIS server which is serving up the MS Project content.
2. Install IPSec on the SQL Server and IIS server and configure IPSec rules to block connections from unauthorized machines.
If another option comes to mind I will post it as well. Good luck!

Pierre
10/16/2001 10:24 PM

Thank you for your answer. Unfortunately MS Project doesn't use an application role. Nor does it go through IIS to access SQL Server. It simply uses ODBC.
So I'm left with someone else's suggestion: since MS Project provides an application name when it connects to SQL Server, I could run a process in SQL Server to check continuously if there are connections to MS Project's database with other application names. If so, the process would then KILL the appropriate processes.
Do you think this could work? And by any chance would you know where I could find details on exactly how to proceed?
Thanks again.

Chip Andrews
10/17/2001 9:57 AM

I find that to be a very poor solution. Besides the obvious latency involved and performance hit of process scanning, the fact is that Application Names can easily be forged by altering the connection string. It's a poor replacement for real security. If you go back to my previous message there are two suggestions that will work in the given situation. They require a bit of work on your part but everything has its price.

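The application-name check discussed above, as an added example that is not part of the original thread: a Python audit run over constructed session rows, showing what a check keyed on application name and client address reports and what it cannot see. The application name, database name, addresses and field layout are assumptions, not values taken from MS Project or SQL Server.

```python
from dataclasses import dataclass

# Assumed placeholders: the thread gives no application name, database
# name or addresses, so these are constructed for illustration.
EXPECTED_APP = "Microsoft Project"
PROJECT_DB = "ProjectDB"
ALLOWED_CLIENTS = {"10.0.5.21", "10.0.5.22"}  # project managers' workstations

@dataclass(frozen=True)
class Session:
    spid: int
    login: str
    client_addr: str   # source address of the connection (assumed available)
    program_name: str  # value the client supplies in its connection string
    database: str

def audit(sessions):
    """Return {spid: [reasons]} for sessions on PROJECT_DB that look wrong."""
    findings = {}
    for s in sessions:
        if s.database != PROJECT_DB:
            continue
        reasons = []
        if s.client_addr not in ALLOWED_CLIENTS:
            reasons.append("client address not allowlisted")
        if s.program_name.strip().lower() != EXPECTED_APP.lower():
            reasons.append("unexpected application name")
        if reasons:
            findings[s.spid] = reasons
    return findings

# Constructed sample rows, not captured from a real server.
SAMPLE = [
    Session(51, "CORP\\pm_alice", "10.0.5.21", "Microsoft Project", "ProjectDB"),
    Session(52, "CORP\\pm_bob", "10.0.5.22", "Microsoft Query", "ProjectDB"),
    Session(53, "CORP\\pm_bob", "10.0.9.40", "Microsoft Project", "ProjectDB"),
    # Same workstation as spid 51, another tool reporting the expected name.
    Session(54, "CORP\\pm_alice", "10.0.5.21", "Microsoft Project", "ProjectDB"),
    Session(55, "CORP\\dba", "10.0.9.40", "Query Analyzer", "master"),
]

if __name__ == "__main__":
    for spid, reasons in audit(SAMPLE).items():
        print(spid, "; ".join(reasons))
```

Session 54 reports the expected name from an allowed workstation, so it is not flagged; the check works as an audit signal, not as an access control.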
Pierre
10/17/2001 9:34 PM

IIS is not involved at all. And since the connection goes directly from the MS Project user's computer to SQL Server, I have the feeling that I can't really block anything. You're right about the application name forging, though.
Any more ideas?

Chip Andrews
10/18/2001 5:57 PM

My apologies - I just saw an MS Project install that was nothing more than a website where users go and post hours etc. and there was no client code. Would this not suit your needs?
If you simply MUST use the client-server setup then you are stuck since the client must connect directly to the server to get their work done. Does MS Project in client/server mode use stored procedures at least?

Pierre
10/18/2001 11:13 PM

The website you saw is part of something called MS Project Central. People working on a project use it to get information on the tasks they have to do and, like you said, to post hours. They don't need to have MS Project to do this, only a web browser. The project's manager, however, MUST use MS Project to manage the project since MS Project Central has not been designed for this.
We're using both MS Project and MS Project Central. Everything seems fine with Central but we have to make sure that none of the project managers is messing with MS Project's data on SQL Server without using MS Project.
As for the use of stored procedures, I'm quite sure that MS Project doesn't use them, using ODBC's API calls instead. Would that have been of any help?