July 30, 2010
Network Toaster
SQL Security Forums
Note: SQLSecurity.com does not allow nor require registration due to privacy concerns for users. SQLSecurity.com is open and anonymous for all. Please report any abuse or profanity.
Posted By n/a on 1/1/2001
Subject: Authorization issues
Message: Well, the solution to your problem isn't as simple as flipping a few switches in Enterprise Manager. You need to deny access to all tables and create custom views and stored procedures that restrict data to certain fields and/or rows. For example, when populating a list of projects, you will need to write a stored proc that fetches the data for all rows where the creator of that row is the current user.

Once you have programmatically covered all of your data access rules you should consider distributing it as an MDE so that the design tools cannot be used to view your modules. Also - don't use attached tables or give users direct access to ANY SQL Server tables.
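The pattern described in the post above, as an added T-SQL example that is not part of the original post: table access is denied to the application role, and a view and stored procedures owned by the same owner as the table expose only the caller's own rows. The table `dbo.Projects`, its columns, the role `AppUsers` and the object names are hypothetical, and the syntax assumes SQL Server 2005 or later.

```sql
-- Hypothetical table: CreatedBy records the login that inserted the row.
CREATE TABLE dbo.Projects (
    ProjectId   INT IDENTITY(1,1) PRIMARY KEY,
    ProjectName NVARCHAR(100) NOT NULL,
    Budget      MONEY NULL,                       -- restricted field, never exposed
    CreatedBy   SYSNAME NOT NULL DEFAULT SUSER_SNAME()
);
GO
CREATE ROLE AppUsers;                             -- hypothetical application role
GO
-- No direct table access at all for application users.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Projects TO AppUsers;
GO
-- Column and row restriction: only safe fields, only the caller's rows.
CREATE VIEW dbo.MyProjects
AS
SELECT ProjectId, ProjectName
FROM dbo.Projects
WHERE CreatedBy = SUSER_SNAME();
GO
-- Populates the project list for the current user.
CREATE PROCEDURE dbo.GetMyProjects
AS
BEGIN
    SET NOCOUNT ON;
    SELECT ProjectId, ProjectName
    FROM dbo.Projects
    WHERE CreatedBy = SUSER_SNAME();
END;
GO
-- Writes go through a procedure that repeats the ownership check.
CREATE PROCEDURE dbo.RenameMyProject
    @ProjectId INT,
    @NewName   NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    UPDATE dbo.Projects
    SET ProjectName = @NewName
    WHERE ProjectId = @ProjectId AND CreatedBy = SUSER_SNAME();
    IF @@ROWCOUNT = 0
        RAISERROR('Project not found or not owned by caller.', 16, 1);
END;
GO
-- Ownership chaining (all objects owned by dbo) lets these work despite the DENY.
-- Dynamic SQL inside a procedure breaks the chain, so keep the statements static.
GRANT SELECT  ON dbo.MyProjects      TO AppUsers;
GRANT EXECUTE ON dbo.GetMyProjects   TO AppUsers;
GRANT EXECUTE ON dbo.RenameMyProject TO AppUsers;
```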
Copyright 1999 by Chip Andrews