application roles and NT groups

application roles and NT groups

Post by jerr » Fri, 15 Jun 2001 00:57:07



Hi,

I'm trying to create an application role to grant specific access to a
large set of NT users.  Do I have to make each a login on the server
in order for the application to connect, or can I grant an application
role to an NT group?

Thanks,
Jerry Ratner

 
 
 

application roles and NT groups

Post by Charles C. Maracl » Fri, 15 Jun 2001 07:31:06


Hello Jerry,
  I am currently using NT Groups with application roles, this is working
just fine.  The only problem that I have seen is that you are leaving the
security of you database in the hands of your systems people.

  For instance, we are only using 3 groups, IT, Management, & Users.  I
have found that this doesn't provide enough security "options."

Chuck Maracle



Quote:> Hi,

> I'm trying to create an application role to grant specific access to a
> large set of NT users.  Do I have to make each a login on the server
> in order for the application to connect, or can I grant an application
> role to an NT group?

> Thanks,
> Jerry Ratner


 
 
 

application roles and NT groups

Post by jerr » Sat, 16 Jun 2001 07:05:08


My application needs update permission to 2 databases.  If I create an
application role in database 1, the app can access database 2 using
the application role only as guest, who then needs update permission.
My users can then log in as themselves using NT Authentication, and
have update permission to database 2 outside the application through
guest.  This isn't good.  Is there a way around this?

Thanks,
Jerry Ratner


> Hello Jerry,
>   I am currently using NT Groups with application roles, this is working
> just fine.  The only problem that I have seen is that you are leaving the
> security of you database in the hands of your systems people.

>   For instance, we are only using 3 groups, IT, Management, & Users.  I
> have found that this doesn't provide enough security "options."

> Chuck Maracle



> > Hi,

> > I'm trying to create an application role to grant specific access to a
> > large set of NT users.  Do I have to make each a login on the server
> > in order for the application to connect, or can I grant an application
> > role to an NT group?

> > Thanks,
> > Jerry Ratner

 
 
 

application roles and NT groups

Post by Dan Guzma » Sun, 17 Jun 2001 00:18:33


You can create views in database 1 which reference the database 2 tables and
grant permissions on the views only to the application role.

This will work as long if both databases have the same owner.  The
application role and guest user do not need permissions on the tables
referenced by the views because the ownership chain is not broken.

Hope this helps.

-----------------------
SQL FAQ links (courtesy  Neil Pike):

 http://forumsb.compuserve.com/gvforums/UK/default.asp?SRV=MSDevApps
 (faqxxx.zip in lib 7)
 or www.ntfaq.com/Articles/Index.cfm?DepartmentID=800
 or www.sqlserverfaq.com
 or www.mssqlserver.com/faq
-----------------------


Quote:> My application needs update permission to 2 databases.  If I create an
> application role in database 1, the app can access database 2 using
> the application role only as guest, who then needs update permission.
> My users can then log in as themselves using NT Authentication, and
> have update permission to database 2 outside the application through
> guest.  This isn't good.  Is there a way around this?

> Thanks,
> Jerry Ratner