<a href="http://g.adspeed.net/ad.php?do=clk&zid=15220&wd=468&ht=60&pair=as" target="_blank"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=15220&wd=468&ht=60&pair=as" alt="i" width="468" height="60"/></a>
Log in
::
Register
::
Not logged in
Home
Tags
Articles
Editorials
Stairways
Forums
Scripts
Videos
Blogs
QotD
Books
Ask SSC
SQL Jobs
Training
Authors
About us
Contact us
Newsletters
Write for us
<a href="http://g.adspeed.net/ad.php?do=clk&zid=15491&wd=120&ht=300&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=15491&wd=120&ht=300&pair=as" alt="i" width="120" height="300"/></a>
Recent Posts
Recent Posts
Popular Topics
Popular Topics
Home
Search
Members
Calendar
Who's On
Home
»
Article Discussions
»
Article Discussions by Author
»
Discuss content posted by R Glen Cooper
»
Row Oriented Security Using Triggers
29 posts, Page 3 of 3
««
«
1
2
3
Row Oriented Security Using Triggers
Rate Topic
Display Mode
Topic Options
Author
Message
Glen Cooper
Glen Cooper
Posted Friday, April 23, 2010 3:16 PM
SSC Rookie
Group: General Forum Members
Last Login: Monday, May 06, 2013 10:20 AM
Points: 47,
Visits: 221
The database coordinator doesn't write triggers - just filters.
For example, the coordinator in the Dean's office might want to allow Department heads in Pathology and Pediatrics to view those faculty that have appointments in both departments (all departments share the same database).
So she'd write a filter on the demographic table selecting those faculty belonging to both departments, set up a new role, assign it to that filter, and then add that role to the roles each Department head already has.
The fixed triggers do all the rest. So if someone is no longer a member of both departments, or the filter is replaced with another one that just selects recent appointments to both departments, then the two department heads will see different people when they log in again.
Only single-record changes are triggered, because only single-record changes are made by the users (eg. adding new person, changing existing address, etc.).
R Glen Cooper
glencooper.tel
Post #909837
RBarryYoung
RBarryYoung
Posted Tuesday, April 27, 2010 1:39 PM
SSCrazy Eights
Group: General Forum Members
Last Login: Saturday, May 04, 2013 11:13 AM
Points: 9,855,
Visits: 9,374
I am a little confused as using client-based code to implement
any
security is strictly contra-indicated in any valid security model that I know of.
For instance, what keeps your desktop users from firing up Excel or worse, Management Studio, connecting directly to your database, and bypassing this security scheme?
-- RBarryYoung
,
(302)375-0451
blog:
MovingSQL.com
, Twitter:
@RBarryYoung
Proactive
Performance Solutions, Inc.
"Performance is our middle name."
Post #911415
Glen Cooper
Glen Cooper
Posted Tuesday, April 27, 2010 2:08 PM
SSC Rookie
Group: General Forum Members
Last Login: Monday, May 06, 2013 10:20 AM
Points: 47,
Visits: 221
The model was originally developed for a Citrix farm, where the front-end apps aren't available on anyone's desktop and where users aren't able to see behind the data entry forms.
In the deployment currently under development, users do have the apps on their desktops but only the apps (not users) may connect to the database that's on a remote server.
R Glen Cooper
glencooper.tel
Post #911447
RBarryYoung
RBarryYoung
Posted Tuesday, April 27, 2010 3:13 PM
SSCrazy Eights
Group: General Forum Members
Last Login: Saturday, May 04, 2013 11:13 AM
Points: 9,855,
Visits: 9,374
Glen Cooper (4/27/2010)
...
In the deployment currently under development, users do have the apps on their desktops but only the apps (not users) may connect to the database that's on a remote server.
...
How is that accomplished?
-- RBarryYoung
,
(302)375-0451
blog:
MovingSQL.com
, Twitter:
@RBarryYoung
Proactive
Performance Solutions, Inc.
"Performance is our middle name."
Post #911490
doofledorfer
doofledorfer
Posted Tuesday, April 27, 2010 4:04 PM
SSC-Enthusiastic
Group: General Forum Members
Last Login: Friday, April 26, 2013 10:40 AM
Points: 103,
Visits: 129
Glen Cooper (4/27/2010)
The model was originally developed for a Citrix farm, where the front-end apps aren't available on anyone's desktop and where users aren't able to see behind the data entry forms.
In the deployment currently under development, users do have the apps on their desktops but only the apps (not users) may connect to the database that's on a remote server.
That probably would have been useful to mention in your article. It's not a typical architecture.
Post #911518
Glen Cooper
Glen Cooper
Posted Tuesday, April 27, 2010 4:29 PM
SSC Rookie
Group: General Forum Members
Last Login: Monday, May 06, 2013 10:20 AM
Points: 47,
Visits: 221
Yes, I should have been more explicit when I indicated that users may access the database through approved applications only.
R Glen Cooper
glencooper.tel
Post #911532
Glen Cooper
Glen Cooper
Posted Tuesday, April 27, 2010 4:44 PM
SSC Rookie
Group: General Forum Members
Last Login: Monday, May 06, 2013 10:20 AM
Points: 47,
Visits: 221
The app's fixed login string is not accessible to the user.
The lkpUser table checks user name/pwd which are passed by the app after the user enters a name/pwd when starting it (not part of the demo program).
R Glen Cooper
glencooper.tel
Post #911542
L' Eomot Inversé
L' Eomot Inversé
Posted Saturday, July 30, 2011 9:01 AM
SSCertifiable
Group: General Forum Members
Last Login: Yesterday @ 3:07 PM
Points: 7,096,
Visits: 7,156
Glen Cooper (4/27/2010)
The app's fixed login string is not accessible to the user.
The lkpUser table checks user name/pwd which are passed by the app after the user enters a name/pwd when starting it (not part of the demo program).
Means you trust your users never to run a network monitor, never to write a proxy for the tcp api, etcetera (since you've said current deployment has the apps on desktops but only the apps, not the users, are allowed to connnect). It is very easy to get a connection string! If you are going to trust the users that much, why not just trust them not to access data they are not supposed to? I imagine these users are not professional programmers, but are none of them amateur computer enthusiasts with skills that would allow them to drive cart and horses through the obvious security hole?
Tom
Que conclure à la fin de tous mes longs propos? C'est que les préjugés sont la raison des sots. (Voltaire, 1756)
Post #1151437
L' Eomot Inversé
L' Eomot Inversé
Posted Saturday, July 30, 2011 9:20 AM
SSCertifiable
Group: General Forum Members
Last Login: Yesterday @ 3:07 PM
Points: 7,096,
Visits: 7,156
message in wrong forum. Deleted. Sorry
Tom
Que conclure à la fin de tous mes longs propos? C'est que les préjugés sont la raison des sots. (Voltaire, 1756)
Post #1151440
« Prev Topic
|
Next Topic »
29 posts, Page 3 of 3
««
«
1
2
3
Permissions
You
cannot
post new topics.
You
cannot
post topic replies.
You
cannot
post new polls.
You
cannot
post replies to polls.
You
cannot
edit your own topics.
You
cannot
delete your own topics.
You
cannot
edit other topics.
You
cannot
delete other topics.
You
cannot
edit your own posts.
You
cannot
edit other posts.
You
cannot
delete your own posts.
You
cannot
delete other posts.
You
cannot
post events.
You
cannot
edit your own events.
You
cannot
edit other events.
You
cannot
delete your own events.
You
cannot
delete other events.
You
cannot
send private messages.
You
cannot
send emails.
You
may
read topics.
You
cannot
rate topics.
You
cannot
vote within polls.
You
cannot
upload attachments.
You
may
download attachments.
You
cannot
post HTML code.
You
cannot
edit HTML code.
You
cannot
post IFCode.
You
cannot
post JavaScript.
You
cannot
post EmotIcons.
You
cannot
post or upload images.
Copyright © 2002-2013 Simple Talk Publishing. All Rights Reserved.
Privacy Policy.
Terms of Use.
Report Abuse.
