i have an ASP.net (.net 4, c#) web application (Backend: SQL Server 2012). The permission concept (what data is each user allowed to see) is processed within the web application.
The permissions come from different sources:
-AD group memberships:
AD group name is linked to properties of the records
-Underlying database:
-Users are assigned to different criteria
Organizational structure
Location structure
Direct assignment
Currently all this is processed within the web application. So I collect all the users permission and then I query the database for the data he is allowed to see.
Now I need to bring the permission concept to database level.
The target is that the users can query the database (pre defined views) almost directly (Reporting Services, Excel and so on)
Any idea how to solve such an issue?
Thought about joining the user’s permission on the foreign keys. But that’s not possible for the AD permissions.
Or maybe creating a dll and calling this dll from a stored procedure. Then the view joins the stored procedure.
You should look at defining roles in the database http://msdn.microsoft.com/en-us/library/ms188659.aspx .
Then grant permissions on different tables or views depending upon your requirement. I have seen data being exclusively read from views. So, that could also be an option.
EDIT:
So, it looks like you need row level security. Please read this guidance from Microsoft.
http://technet.microsoft.com/en-us/library/cc966395.aspx
Related
Thanks in advance for reading!
Note: I've read everything else I could find about this on SO, but don't see this particular question asked.
I don't want to muddy (or break) our 3rd party production ERP database ("B") with objects of my own, so I created a database ("A") in another instance and use it as the home of various objects that serve our custom applications.
I have a stored procedure in A that selects from tables in B, and returns a dataset. It works beautifully for me from my app using Windows authentication, because I am an admin on both servers. But I am one of the rare users who have Windows Authentication in the ERP db. By default, users in the ERP are created with SS authentication.
If it's a reasonable practice (and because maintenance of my objects would be simpler than with certificates), would it make sense/be possible to create a SQL authenticated user on A (and maybe B) that has execute permissions on the sp in A and read permissions on tables in B?
If not, and in order to avoid dealing with certificates whenever I modify a procedure, I'll probably create server logins on A and B for new Active Directory groups, and create database roles for the groups.
Thanks again for your interest!
The Problem
Good Morning! I work on an application team that supports a few applications which utilize SQL Server for data storage. Recently, our Database Support team decided that SQL Authentication was no longer permissible (for security and logging reasons) and so my team was forced to convert all connections to Windows Authentication including several dedicated Service IDs that our applications had been utilizing for data retrieval.
First, let me say there most certainly are advantages to moving to Windows Authentication, I am not trying to dispute that. But this change has raised a huge problem for us... by switching our Service IDs to Windows Authentication we have now opened up our back-end databases to every internal business user with front-end application access.
MS Access is pushed out to every user desktop and a few superusers even have access to SSMS. At this point we are relying entirely on user ignorance to prevent internal users from accessing the back-end database directly. And given that certain roles have elevated DML rights, this presents a possibility for some nasty data consequences.
This new enterprise standard has left my team stuck between a rock and a hard place at this point so we looking for any database, account or architecture solution that would allow us to restrict user access to front-end only.
Questions
Has anyone else run into this problem? Is there an architectural solution we are missing that would allow us to eliminate SQL Authentication without exposing our databases?
Does anyone know of a way to restrict access to a SQL Server database to only certain connection methods? I'm wondering if there is a way to designate a specific ID (or role) as only allowing a connection through a front end (and eliminate ODBC connections entirely).
Does anyone have any clever workarounds?
-------------EDIT---------------
A couple people brought up a good point about role access so I wanted to clarify our former and current solution... Previously, all role access was managed on the front-end and data retrieval was handled entirely by private system SQL Authenticated IDs to which end users had no visibility.
When we were forced to eliminate these SQL Auth IDs, we created a similar role-based setup on the back-end database as existed on the front end. Active Directory Groups were created to house different groups of users and these groups were assigned specific role privileges in the database. So currently access is limited by role as much as feasible.
The problem is that even the lowest privileged roles have INSERT, UPDATE and DELETE access to some tables (access which is normally controlled through code). So while we were able to mitigate risk somewhat by utilizing database roles, we still have areas where a user can bypass front end protections by logging directly into the database.
EDIT: Question clarification makes this answer obsolete, but leaving it for reference since some comments discuss it.
Assuming you mean that you have to (based on your architecture) allow access to the DB to each windows user account, one options is to use database roles.
You disable public access to your database, then define a set of database roles, depending on your use cases. Each role is granted permissions such that members of that role are able to manipulate the data they need and or work with the objects they need. Users are then mapped into the roles they require. When connecting to your database, the user will be granted permissions according to the roles they are members of.
For example, we have a role in one of our databases named MyAppUser (our name is actually related to the app which uses the db), which is designed for end users to read and insert data only. These can be created simply as follows:
CREATE ROLE [MyAppUser]
The role is granted just the permissions it to the relevant schemas or tables (assume all our "public" tables are in dbo schema for now).
GRANT SELECT ON SCHEMA::[dbo] TO [MyAppUser]
GRANT INSERT ON SCHEMA::[dbo] TO [MyAppUser]
GRANT DELETE ON SCHEMA::[dbo] TO [MyAppUser]
Each user who should have this public read-write access is then mapped into the relevant role.
ALTER ROLE [MyAppUser] ADD MEMBER [UserName]
This separates users and roles / permissions within your database and allows you to have a single point of entry to control who has access to what in your databases.
By having the "View Definition" permission denied by default (to end users), they won't be able to "explore" the database / view table definitions etc using access, or even SSMS.
NB: SSMS provides wizards for managing and viewing permissions and memberships which are very handy for getting things initially setup / tested / fiddled around with.
When I attach a database I would like for several users to be created on it and for them to be assigned to certain fixed database roles. Any way to ensure that this happens automatically (potentially for hundreds of databases being attached at one time) or are there any tools / utilities out there for this sort of thing?
If there's no way to do this for attaching databases, is there a way to do it for newly created databases? For example, if I add the users and the roles to the model database, will those objects and membership be inherited by newly created databases? It doesn't seem to work so far.
A way to handle this by an activation initiated via the SQL Server Service Broker Event:
Implementing Internal Activation
I having trouble understanding some core concepts in SQL Server 2008. Until recently I haven't had to care much about security, users, schemas etc.
What is the difference between a Login and a User?
How do these relate to roles
What is a schema? (Until I started reading about security I thought a schema was just a database design?!)
I'd like to be able to create a script to create my Users, Logins, especially as IIS attempts to connect to SQL Server as it's app pool. Can anyone point me in the direction of some examples of scripting this kind of thing?
Thanks in advance!
P.S:
I've been trying to read some MSDN articles about this stuff and getting a bit lost for example this seemed out of my depth:
http://msdn.microsoft.com/en-us/library/ms190387.aspx
A login is the principal that is used to connect to the server. A user is the principal that is used to connect to a database. The security context on the instance itself is dictated by the login, it's roles and the permissions granted/denied. The security context on the database is dictated by the user, it's roles and the permissions granted/denied.
Like all other role based systems, the roles are logical groupings of permissions. Roles can be applied to users and logins. There are fixed server roles and fixed database roles for frequently used sets of permissions.
A schema is a database object that is used for two things: logical separation of database objects (tables, stored procs, functions, views), and security separation. A schema contains these objects. And users can be granted/denied rights on schemas, implicitly granting/denying rights on the objects contained within.
4 doesn't really seem like a question. Can you reword??
I've done a piece of work using Entity Framework. However, my manager asked me to use Stored Procedures instead. He said at the moment, the database security structure in the company is built on database roles.
For example, we have a roleA which includes the AD users that will access the database, and roleA has only been given Execution rights to relavent Stored Procedures. If I use Entity Framework, queries will be run as the actual users instead of the database role, and therefore those users could potentially connect to the database directly and do something with it.
I'm not too familiar with the database security. Can anyone please explain whether what my manager said is valid?
If so, is there any workaround so that I can still use Entity Framework while not breaking the company's database security structure?(i.e. use role to execute the queries instead of actual AD users)
Database role is database level object. User account used to run your application must first log in to the server. Then the permissions for this account are evaluated based on database users or database roles. If your application account will be member of roleA it should have permissions "to access the database" but if the access means only that members of roleA can execute SP you can forget about any linq or ESQL queries because database security will simply not allow you calling them (it will throw security exception).
The only advantage of EF in such case is automatic mapping of SP's result set to entity / complex type / custom type. No linq-to-entities can be used and entities can be modified only through mapped stored procedures.