When I'm trying to create the entity model in Visual Studio 2010, I want to connect to a database that my current windows user can't access, how can I specify different login/password to access the database ?
Two ways that I can think of off the top of my head.
Use SQL Server Mixed Mode Authentication and have the application use a username and password controlled by SQL Server. That way you can create accounts on the SQL Server and connect as who ever you like when needed.
Have your application run under a different user account (Run As...). That way you can continue to use Windows Authentication on SQL Server and not have to open it up to additional ways of authenticating to it (i.e. mixed mode authentication)
There are pros and cons to each, it really depends on what you are trying to achieve.
Related
I have two databases on the same SQL server. One for an ERP database that I am able to read tables and one I created in MS Access. A store procedure on the MSAccess database is updating some tables from the ERP DB. The MS Access DB from here on is independently running.
When I installed on other computers, the Access Database is giving me a connection error when I am logged in as another user than myself.
- Are permissions from the ERP database affecting me in my Access Database? Should I worry about them?
- Is Windows Authentication enough to make the connection happen?
- Do I need to Map the users over from the ERP database?? if so, how do I do it?
- Can I grant every user on the Server permission to access my tables using Windows Authentication? do I need to go down this road? How do I do it?
I am just not too sure what to do from here on. Here is some more information about the issue.
-In my database I have a ODBC stringconnection that looks like this:
Driver={SQL Server Native Client 11.0};Server=SERVER;Database=DATABASENAME;Trusted_Connection=yes;
-I am packaging an exe file using SSESETUP which is awesome.
-I am installing on the new computer and able to launch when I am logged on as myself however, I am getting a connection error when I am logged in as another user on the same computer. (Note: I am not able to debug from here on and see the vba because I am running under Access runtime 2013 only.)
I would appreciate if someone can assist me in narrowing my search for a solution.
Bottom line, it sounds like you need to set up database permissions on your SQL Server for each Windows account that will be using your Access db.
Here are specific answers to your questions:
Are permissions from the ERP database affecting me in my Access
Database
Yes, of course they are. Regardless of how you connect to the database the permissions will always be in effect.
Should I worry about them?
Yes, of course you should. Otherwise you won't be able to work with the data.
Is Windows Authentication enough to make the connection happen?
To make the connection, yes. SQL Server supports Windows authentication in both security modes (Windows only and mixed mode). But, this is just the connection. You also need to take the database permissions into consideration. Your Windows login needs to be granted the appropriate permissions within the specific database in order to do anything.
Do I need to Map the users over from the ERP database?
Map to what? Access? Based on the connection string in your question you're using Windows authentication to connect Access to SQL Server, so Access will connect to SQL Server under the security context of whoever is running Access. So the SQL Server permissions will need to be configured for each user who will be running your Access db.
Can I grant every user on the Server permission to access my tables
using Windows Authentication?
Access to the SQL Server tables? Sure, you could. But you should limit it to only the necessary permissions. Granting access for everyone is likely overkill and not best practice.
I'm trying to create a database when deploying my WPF application. I don't have any problem if the user of Windows is the admin user. But if the user uses Windows as a guest, the system doesn't allow me to create the database. I get a "permission denied" error.
Is there any way to get this permission when deploying the application or should the admin user give this permission manually before deploying?
Thanks in advance!
A guest account can only create files in it's own user folders.
Meaning they'd have to create the database in appdata or on their desktop ( which sounds like a bad idea ).
I'm not sure they'd even be able to install sql server express. Never tried to on a guest account.
Whether that's practical or not depends on what you're doing in what context.
Sql server express is a service based dbms with the service running in it's own context. You could maybe install sql server and a database on the machine for them and they connect to that.
If this is just a fairly simple application which grabs a small amount of input then maybe serialisation would be a better approach than a database.
I have implemented an audit table in my sql server 2008 database using this technique which works exactly as I would want.
However, it relies on SYSTEM_USER to determine the username to write to the audit.
I am connecting to the database through an ASP.NET application, and am impersonating the windows user account in IIS to pass with the database using an integrated security = true connection. To enable the user to access the database I have had to grant them db_datareader and db_datawriter access.
This allows the audit to work as desired, however, I am concerned about security. How can I prevent a user connecting to the database using excel and reading all data?
Basically I want to accomplish 2 things:
Easily log audit records the windows user
Secure data access from anywhere other than my application
From my understanding I can have one or the other, not both.
If I allow access from the windows user I can easily audit, but data is insecure. If I connect with a specific service account the data is more secure, but the audit would not work as required.
Can anyone suggest a way of accomplishing both?
I have a .NET application which connects to SQL Server 2008 for storing some data. I use SQL Server authenthication providing an sq username and a password to my end-user in app.config file. If something more needs to be changed I give to the end-user some other credentials.
How can I limit the sql user to only have permission to read/write data and executing existing stored procedures and everything else to be forbidden?
What is the best practice for setting permisions for a sql user that an application is using to connect to a database? Can I prevent somehow the user from logging in Management Studio and mess with my data?
I'm not searching for the perfect 100% reliable solution, but the best existing practice to do this. Thank you very much in advance.
Update: I work on a shared hosting SQL Server environment.
You'll need to create a new SQL user, something like 'LimitedUser'. To do this in SSMS, select the Security Folder of the server you are using, right-click, select New, select Login.
Select your authentication type (SQL server authentication is easily managed), and set the Default database to your database.
You'll need to set Server Roles so this new user only maps to your DB, and in the last page (Status), set Login to false so they cannot use these credentials to login to SSMS and 'mess with your data'.
Click OK, and you're done creating your limited user.
Assign it to your database, and then in SSMS, right-click on your db, select Properties, Permissions.
Select your user or role, and in the permission grid below, switch on only what need to be switched on.
As I see, your question is fully concerned with SQL server security.
You can limit user permissions on server, database or object scope, using GRANT statement, server or database roles. For example, you can assign db_datareader role for user, and then grant EXECUTE permission to this user for some stored procedures (or for entire database).
The current practice in my organization is to create the database roles (e.g. application admin, operator, and so on), adding the appropriate permissions to these roles and then assign these roles to database users.
I'm not completelly sure that you can prevent login into SQL Server Managent studio (SSMS), but SSMS wll not display information that must be invisible for user with user current permissions.
Shared SQL Server hosting where a single instance is shared among multiple customers is not compatible with with typical client-server applications. You are expected to perform all operations through a middle tier server such a WCF Data Service and maintain user accounts within your database in a table with Forms Authentication etc.
For your client-server application you need VPS hosting with your own instance of SQL server where you can create server-level logins. Without creating server-level logins there is no method to secure a client-server application. Any workarounds are just pseudo-security.
I'm want to create a SQl Server login for a IIS web application. Since the Web Application using IIS 7.5 identity, and in addition in production the Sql Server may be in a separate machine, I'm looking for use a user and password based connection string.
Now, I'm a little confused how to create this login in Sql Server 2008 R2. Should I use databawse specific User, or a global login? Should I Database Role or Application Role?
What are the best practices to get a login for an IIS application that don't use Stored Procedures, but makes a use of an ORM tool, like NHibernate?
The following article:
http://msdn.microsoft.com/en-us/library/bb882673.aspx
recommends using Integrated Security to connect to the database.