SQL Server Security: Pros and Cons of Application Roles

  • Comments posted to this topic are about the content posted at http://www.sqlservercentral.com/columnists/bkelley/sqlserversecurityprosandconsofapplicationroles.asp

    K. Brian Kelley
    @kbriankelley

  • Fair coverage of the issues. We're in the process of creating a new system running on SQL Server and ARs are the only way I could see to sensibly enforce security. We've hit the issue of cross-database access, but in a way it was good as the developer was calling xp_cmdshell which was going to introduce more problems than it solved.

    SJT

  • The issue with cross-database access also applies to cross-database ownership chaining with respect to valid users. If a login doesn't have a valid user in a second database (and guest isn't enabled), they'll still be blocked. So it shows up again and again in the SQL Server security model. xp_cmdshell? *shudder* There is a reason it's not given out by default.

    K. Brian Kelley
    @kbriankelley

  • We hit another “gotcha” with connection pooling with a web application a long time back.

    The ASPs called a DLL that uses SQL authentication (I know, I know) to access the database. We implement all database access through stored procedures, but there was this one routine where the developer decided to build and submit a SELECT statement within a stored procedure. Rather than harass him to do it differently I set up an application role with access rights to support the query, and the application activated the role if and as necessary.

    This, however, messed up other ASP pages, as the application role didn’t have execute stored procedure rights (as I am always harsh over database access privileges), but it took a while to figure out. Say we had 20 connections open in the pool to support the web site; at any point in time, 0 to 20 of them could be working under the context of this application role, and this status is “undetectable” by the pool manager. It’d assign a connection based on server, login, database (and/or whatever else), but was completely unaware of application role status, resulting in a connection being assigned with inappropriate rights.

    In the end I dumped the application role and harassed the developer to change his code. If there were a way to “undo” or roll back the application role setting, this would not have been a problem.

    Philip

  • quote:


    In the end I dumped the application role and harassed the developer to change his code. If there were a way to “undo” or roll back the application role setting, this would not have been a problem.


    I agree wholeheartedly. While a simple stored procedure can reset client settings, nothing exists to reset an app role back to the base user. Not sure why as it would make resource pooling more friendly.


    K. Brian Kelley
    @kbriankelley

  • Nicely written Brian and shares many of my same views. I've tended to handle inappropriate access (like not using the application) administratively. A chewing out, a writeup, or a termination if people see the need to use Access or some other tool to change data.

    However, I'm curious about a couple things. What if you used a "shared login" for all users that had minimal right before invoking the app role? Would that eliminate one of the cons?

    Also, for pooling issues, an app could potentially just hold a connection open. For quite a few client/server apps, this might make sense. Alternatively, you could set a semaphore of some sort in the app when the role is invoked and not reissue "sp_setapprole" if the semaphore is set. A simple check could determine "which role" you had.

    Lastly, not sure the server roles item applies for this. The apps where we want to prevent access wouldn't usually have server roles for someone. There are exceptions, but not sure they're enough to mark this as a "con", more as an FYI.

    Again, great article.

    Steve Jones

    sjones@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/sjones

    http://www.dkranch.net

  • quote:


    I'll try and be fair and balanced in this article, but I've provided this disclaimer in case I'm not.


    I think Fox News will be starting another lawsuit because you used the phrase "fair and balanced." First Al Franken, now Brian Kelley...

  • Funny you mentioned that.  I read the judge's comments and I don't think my article could in any way be construed with O'Reilly so I think I'm safe. If not, us DBAs aren't exactly full of money so it's like trying to squeeze blood out of a turnip.


    K. Brian Kelley
    @kbriankelley

  • With standard VB6 it needs a normal login procedure and then a switch to the application role by executing sp_setapprole.

    Is there a .Net-framework-based integration for SQLServer application roles?

    If not: are application roles obsolete?

    Johan


  • We're thinking of using application roles, but I don't quite get how to give it permissions.  We currently have a sql login that's being used & abused. It has dbo access, and I want to use an app role that also has dbo access so that it can create work tables via an application. I can see how to grant access to specific tables and SPs, but I don't want to have to manually manage specific objects.

    What am I missing ?

  • I'm starting to set up reports in Reporting Services.  The MS book "SQL Server 2005 Reporting Services" recommends setting up an "application role" for accessing data within the context of the Reporting Services packages.  On first observation, it seems to produce a "workaround" on SQL Server Security.

    To me this introduces some problems...

    1.  It actually adds more complexity to SQL Server security since the Reporting Services security model does not seem to be tied to SQL Server Security.

    2.  As more reports are added, more "report roles" need to be added to restrict access to sensitive reports.

    3.  Granted I have not fully researched this but...There does not seem to be a way to use SQL Server security tools and then tell the Reporting Services tool to use Windows Integrated security...when I attempt to do this, I cannot get in through the browser on my pc (even though I have full access privileges)...only the administrative account on the local SQL server machine appears to be able to get in.  I tried using the prompt for username/password using Windows Integrated security which does work.  However, I do not want to require the user to key in username/password for every single report...clunky!!!

    It would appear that managing the data connection/access for Reporting Services will require Application Roles in order to manage security and keep the Reporting Services app from being clunky to the end user.


    Just my observation at a very early point on the learning curve.

  • There are some gotchas with app roles, but I think the major pro of letting users perform actions through an application without giving them any rights to the data or procedures outweigh all the cons.

    Losing your server role rights, such as sysadmin, after activating an application role seems like a non-issue.  The app role is intended for use by an application, not by a sysadmin issuing ad-hoc queries, and the application shouldn't be capable of attempting to perform actions that the app role doesn't have rights to.

    Connection pooling is based on an exact match of the entire connection string.  I keep app role and non-app role connections in separate pools simply by adding a different "Application Name=;" value to the connection strings.  This does require a check [SELECT USER_NAME()] when you open a connection to see if you got a pooled connection that already has the app role active.

    There is also a "Pooling=No" option that can be used in a .NET SqlConnection.ConnectionString.

  • I think you should also consider using AzMan. Let the windows users and groups define the user population, and the AzMan data store can persist the provisioning data completely outside of the database.

    The Microsoft security team built it specifically for application-level provisioning features, it integrates seamlessly with Windows users and groups, it comes with an MMC snap-in for development and administration, and finally, it can be deployed as an Active Directory GPO, XML file, or Active Directory Application Mode (ADAM) object.

    We use AzMan for our latest enterprise project, and we have zero database-related concerns for application-level provisioning. Our clients like it because their IT admin can control it through the MMC snap-ins, deploy it in their own fashion, and we don't have to write an administrator interface.

    I don't have a specific link, but a quick search for 'azman' on Google should get you started down the path.

    cheers

    -pete

  • There is a way to reset permissions (in 2005) sp_unsetapprole.  It does take some careful coding to make sure it is always called before returning connections to the app_pool, but it is very doable.

    Warm Regards, Greg Wilson, solidrockstable.com
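    The two posts above (the pooling check with SELECT USER_NAME() and the sp_unsetapprole cookie) fit together into one pattern. The T-SQL below is an added illustration, not code from the thread or the article: it assumes a database SalesDb, an application role ReportsAppRole, a schema rpt, and a placeholder password. It grants the role EXECUTE on one schema instead of db_owner, so a connection that leaks back into the pool with the role still active is limited to that schema, and it shows the check an application would run on every connection taken from the pool, the activation with a cookie, and the reset before the connection is returned.

```sql
-- Added example, not from the thread. Assumed names: database SalesDb,
-- application role ReportsAppRole, schema rpt, placeholder password.
USE SalesDb;
GO

-- 1. Create the application role with the least privilege the application needs:
--    EXECUTE on one schema rather than db_owner. A pooled connection that is
--    accidentally handed out with the role still active then reaches only rpt.
CREATE APPLICATION ROLE ReportsAppRole
    WITH PASSWORD = N'<placeholder-strong-password>', DEFAULT_SCHEMA = rpt;
GO
GRANT EXECUTE ON SCHEMA::rpt TO ReportsAppRole;
GO

-- 2. What the application runs right after taking a connection from the pool.
--    While an application role is active, USER_NAME() returns the role name,
--    so a connection returned without sp_unsetapprole is detectable here.
DECLARE @cookie varbinary(8000);

IF USER_NAME() = N'ReportsAppRole'
BEGIN
    RAISERROR (N'Pooled connection still has the application role active', 16, 1);
    RETURN;   -- do not stack another activation on top; discard this connection
END;

-- Activate the role and keep the cookie needed to revert later.
EXEC sys.sp_setapprole
    @rolename      = N'ReportsAppRole',
    @password      = N'<placeholder-strong-password>',
    @fCreateCookie = true,
    @cookie        = @cookie OUTPUT;

SELECT USER_NAME() AS current_user_name;   -- ReportsAppRole

-- ... application work; only objects granted to the role in schema rpt are reachable ...

-- 3. Before the connection goes back to the pool: revert to the base user
--    with the cookie from step 2 (sp_unsetapprole exists from SQL Server 2005 on).
EXEC sys.sp_unsetapprole @cookie = @cookie;

SELECT USER_NAME() AS current_user_name;   -- the login's own database user again
GO
```

    Because the client pool keys on the full connection string, the earlier suggestion of a distinct Application Name= value for app-role connections keeps those connections out of the pool used by the stored-procedure-only pages; the USER_NAME() check in step 2 is still worth keeping as a guard for the case where step 3 was skipped, for example after an exception.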

  • Yup, and it's a nice feature. This article is back from the SQL Server 2000 days. It is another one I need to update.


    K. Brian Kelley
    @kbriankelley
