May 6, 2010 at 6:03 pm
So I'm a little confused regarding the SQL security model. From what I know, a login allows access to the SQL Server, then a user account allows access to a specific database/tables. But when I set up my ODBC connections for applications, it's using the SA account (required per the application) and each user has their own accounts that I maintain in the application itself. The permissions control what they see and can use/run using the application.
I'm missing the link between the sa user I set up (via ODBC) and the users' actual privileges set up in the application. According to various sources a login needs to be associated with a user account, but these users are obviously being limited by what I allow them to see using the application.
So how exactly are the SA ODBC credentials tied to users' individual access that I set up via the application?
May 6, 2010 at 6:15 pm
To add, I understand that the application is setting database level security. My confusion is how that database security is tied to the sa account used in the ODBC connection.
I can obviously log in to the database as sa and see everything. But when a user logs in they only see what I allow. I'm just missing the tie between the two.
May 6, 2010 at 9:45 pm
craig-404139 (5/6/2010)
To add, I understand that the application is setting database level security. My confusion is how that database security is tied to the sa account used in the ODBC connection. I can obviously log in to the database as sa and see everything. But when a user logs in they only see what I allow. I'm just missing the tie between the two.
That's because there is no tie - there shouldn't be any logins/users for the users that you set up in the application and they shouldn't have any direct access to the database system. Their access is fully controlled by the application - and they can only access the data through the application.
Now, if it was me - I would go back to the vendor and demand that they identify the actual permissions required by their application, change the ODBC connection to that login and user and change the sa password so it cannot be used by anyone. But, that is just me...
Jeffrey Williams
“We are all faced with a series of great opportunities brilliantly disguised as impossible situations.”
― Charles R. Swindoll
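The change suggested in the reply above, sketched in T-SQL as an added example (not part of the original posts and not the vendor's own script). The names AppDb, app_svc and app_rw, the password placeholders and the granted permissions are hypothetical; the real permission list has to come from the vendor, and disabling sa is an extra step beyond the password change the reply mentions.

```sql
-- Added example: AppDb, app_svc, app_rw and the grants are hypothetical placeholders.

-- 1. See which sessions currently connect as sa, and from which program/host.
SELECT session_id, login_name, host_name, program_name, login_time
FROM sys.dm_exec_sessions
WHERE login_name = N'sa';

-- 2. List the principals that actually exist in the application database.
--    Application-level users are rows in the application's own tables,
--    so they do not appear here: SQL Server only sees the ODBC login.
USE AppDb;
SELECT name, type_desc
FROM sys.database_principals
WHERE type IN ('S', 'U', 'G');   -- SQL users, Windows users, Windows groups

-- 3. Create a dedicated server-level login for the application.
USE master;
CREATE LOGIN app_svc
    WITH PASSWORD = N'<long-random-password>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = AppDb;

-- 4. Map the login to a database user and grant only what the
--    application needs, through a role (assumed permission set).
USE AppDb;
CREATE USER app_svc FOR LOGIN app_svc;
CREATE ROLE app_rw;
GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::dbo TO app_rw;
ALTER ROLE app_rw ADD MEMBER app_svc;   -- before SQL Server 2012: sp_addrolemember

-- 5. Once the ODBC DSN uses app_svc, take sa out of circulation.
USE master;
ALTER LOGIN sa WITH PASSWORD = N'<different-long-random-password>';
ALTER LOGIN sa DISABLE;   -- additional hardening, not mentioned in the reply
```

Running step 1 again after the DSN change should return no application sessions under sa.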
May 7, 2010 at 8:40 am
That makes sense. So the SA account for the ODBC connection is just for the application to connect, then all permissions are assigned by it (me)?
I wish it were as easy as asking them to change it, but this is a widely used product at higher education places and it's just the way it is.
*edit*
None of my users have direct access to the database. Only access they have is through the application.