• Michael Valentine Jones (7/25/2008)
    I don’t think there is much use for Application roles except for client server applications.

    Most of our applications are web based and end-users do not have logins in the database. Access to the database is only given to the service account that the web site is running under, and this account does not have any elevated privileges. Security is handled by limiting access to the web app to specific Windows groups. Finer grained security is handled within the application by letting an application administrator grant or revoke access to specific application functions.

    I agree with you for the most part. Using a service account means you can take advantage of connection pooling, etc. There may be cases where it's important to record what user actually logged in using tracing (and not relying on the application). Other than that, I can't think of a realistic situation where you'd want to use the credentials of a user and switch to an app role unless you're running some web application that can't use Windows auth (for instance, hosted on Apache or Tomcat) and there are corresponding SQL Server-based logins for access, which you're also relying on to permit the security check for the web application. I don't like those kinds of designs, but I have seen them.

    K. Brian Kelley
    @kbriankelley
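The tracing point raised above, shown as an added T-SQL example that is not from either poster: a user connects with their own login, switches to an application role, and the audit trail still captures the real person via ORIGINAL_LOGIN(). The database name AppDb, the tables dbo.Orders and dbo.OrderAudit, the role name, the login alice and the password are all assumed placeholders.

```sql
-- Added example, not from the thread. Assumes database AppDb, an existing
-- login/user named alice, and tables dbo.Orders and dbo.OrderAudit.
USE AppDb;
GO
-- The application role carries only what the application function needs.
CREATE APPLICATION ROLE OrderEntryApp
    WITH PASSWORD = N'<strong-placeholder-password>',
         DEFAULT_SCHEMA = dbo;
GO
GRANT SELECT, INSERT ON dbo.Orders TO OrderEntryApp;
GO

-- Session connected as alice (her own Windows or SQL login), then switched
-- to the application role. The cookie lets us revert later in the session.
DECLARE @cookie varbinary(8000);
EXEC sys.sp_setapprole
    @rolename      = N'OrderEntryApp',
    @password      = N'<strong-placeholder-password>',
    @fCreateCookie = true,
    @cookie        = @cookie OUTPUT;

-- Inside the role, permissions come from OrderEntryApp, not from alice,
-- but ORIGINAL_LOGIN() still identifies the login that opened the session.
SELECT USER_NAME()      AS db_user_in_effect,  -- the application role
       ORIGINAL_LOGIN() AS real_login;         -- alice: what a trace/audit should record

-- So an audit row written from T-SQL can attribute the action to the person
-- rather than to the shared role.
INSERT INTO dbo.OrderAudit (ActedBy, ActedAt)
VALUES (ORIGINAL_LOGIN(), SYSUTCDATETIME());

-- Revert to alice's own security context before the unit of work ends;
-- otherwise the role context stays on the connection if it is pooled.
EXEC sys.sp_unsetapprole @cookie;
```

The same ORIGINAL_LOGIN() value is what SQL Trace and Extended Events report as the original login for the session, so server-side auditing does not depend on the application passing the user name through.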