Security implementation with custom app roles

Post by John Brav » Thu, 08 Jan 2004 08:16:09



Hello,

I have a web application that uses anonymous access and connects to a
SQL Server 2000 database using a trusted SQL connection.

How can I impersonate the user depending on various predefined
application roles so that I can secure the database objects based on
these roles?

I am not allowed to use mixed mode authentication.

Any ideas will be highly appreciated.

Thanks.




 
 
 

Post by kevm » Thu, 08 Jan 2004 10:06:37

sp_setapprole
Activates the permissions associated with an application role in the
current database

But if you're using a trusted connection from the Web page, unless it's
using Impersonation, your server won't know which user just connected.
Since the web site is anonymous, this wouldn't work.


Thanks,

Kevin McDonnell
Microsoft Corporation

This posting is provided AS IS with no warranties, and confers no rights.

 
 
 

Post by Dan Guzma » Thu, 08 Jan 2004 13:42:43

To expand on Kevin's response, you'll need to have some sort of application
authentication method so that you can determine the appropriate application
role to activate based on the user's identity.

Note that application roles can be a bit tricky to deal with unless you disable
connection pooling and manage connections carefully. See
http://www.yqcomputer.com/ ;en-us;229564&Product=sql.

--
Hope this helps.

Dan Guzman
SQL Server MVP
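
Added example, not written by any poster in this thread: the arrangement the replies describe, in T-SQL for SQL Server 2000, with one application role per application-level role and `sp_setapprole` run on a dedicated connection after the application has authenticated the user itself. The database, table, column, role and account names are hypothetical, and the passwords are placeholders.

```sql
-- Hypothetical names: AppDb, dbo.Orders (OrderId, Status), OrdersReader,
-- OrdersEditor, DOMAIN\WebAppAccount. Passwords are placeholders.

-- One-time setup, run by a database administrator.
USE AppDb
GO
-- The Windows account the anonymous web site runs as gets a login and a
-- database user through the trusted connection, but no object permissions.
-- Check that the public role has no grants on these objects either.
EXEC sp_grantlogin 'DOMAIN\WebAppAccount'
EXEC sp_grantdbaccess 'DOMAIN\WebAppAccount', 'WebApp'
GO
-- One application role per predefined role in the web application.
EXEC sp_addapprole 'OrdersReader', '<reader-role-password>'
EXEC sp_addapprole 'OrdersEditor', '<editor-role-password>'
GO
-- Permissions are granted to the application roles only.
GRANT SELECT ON dbo.Orders TO OrdersReader
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO OrdersEditor
GO

-- Per request, on a connection opened with pooling disabled:
-- the web application has already authenticated the user with its own
-- login mechanism and decided that this user maps to OrdersReader.
-- sp_setapprole must be called directly, not from inside a stored
-- procedure or a user-defined transaction.
EXEC sp_setapprole 'OrdersReader', '<reader-role-password>'
GO
-- From here on the connection runs with the application role's permissions
-- instead of those of DOMAIN\WebAppAccount; USER_NAME() reports the role.
SELECT USER_NAME() AS active_principal
GO
-- Covered by the SELECT grant on OrdersReader.
SELECT OrderId, Status FROM dbo.Orders
GO
-- Not covered: OrdersReader has no UPDATE permission, so this is rejected.
UPDATE dbo.Orders SET Status = 'closed' WHERE OrderId = 1
GO
-- On SQL Server 2000 the role stays active until the connection is closed,
-- so the application closes this connection rather than handing it on to
-- another request that may belong to a user with a different role.
```

The role passwords live in the web application's configuration, so that configuration needs the same protection as any other database credential.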