App Security - front-end or back-end? 
 App Security - front-end or back-end?

We are migrating an old Foxpro app to VB/SQL Server 7. The original app uses
boolean values stored in a table to enable/disable app functionality
depending on the user. Certain menu options/command buttons would be
enabled or disabled depending on how a user is set up via the application.

Would I be better off continuing this approach? I was thinking of logging on
to the server with admin privileges (via code) and just letting the app's
(front end) security model handle what can and can't be done to the
database. All database access/changes will be done via stored procedures.

I would appreciate any comments or advice, as well as links to where I can
find more information on this.

Thanks,
Jim



Wed, 14 May 2003 03:00:00 GMT  
 App Security - front-end or back-end?
Hi,

One idea I can give you is what I have done before. That is, have your app
open up a connection to SQL Server, the same for all users, then have a table
created with the users' privileges, and query the table to return info based
on the user. Then set up the front end program to turn on/off features based
on the return of the query. You then only have to build a management form to
add records to the table, and set the flags for each user.

For example, when the program starts, it creates a connection to SQL Server,
then pops up a dialog for the user to log in, then do a select like:
select * from userpriv where user = luser and password = lpassword. You can
have columns like user, password, invoice, customerservice etc., and if the
user is found in your table, and the invoice bit is true, you enable the
invoicing section of your front end etc.

Hope that helps .

- Joe -
Joe Povilaitis
Webmaster
www.SQLwarehouse.com


Quote:
> We are migrating an old Foxpro app to VB/SQL Server 7. The original app uses
> boolean values stored in a table to enable/disable app functionality
> depending on the user. Certain menu options/command buttons would be
> enabled or disabled depending on how a user is set up via the application.
>
> Would I be better off continuing this approach? I was thinking of logging on
> to the server with admin privileges (via code) and just letting the app's
> (front end) security model handle what can and can't be done to the
> database. All database access/changes will be done via stored procedures.
>
> I would appreciate any comments or advice, as well as links to where I can
> find more information on this.
>
> Thanks,
> Jim



Wed, 14 May 2003 03:00:00 GMT  
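The flag-table design Joe describes, with the same check also enforced inside the stored procedures the front end calls, as an added example that is not from the thread or from Joe's own code. It is written for SQL Server (T-SQL); the table, procedure and role names (dbo.UserPriv, dbo.Invoice, usp_GetUserPrivileges, usp_PostInvoice, AppRole) are assumptions, and the password column of Joe's userpriv table is left out here:

```sql
-- Added example, not from the thread. All object names are assumed.
-- Per-user feature flags, as in Joe's userpriv table.
CREATE TABLE dbo.UserPriv (
    UserName       sysname NOT NULL PRIMARY KEY,
    CanInvoice     bit     NOT NULL DEFAULT 0,
    CanCustService bit     NOT NULL DEFAULT 0
);
GO

CREATE TABLE dbo.Invoice (
    InvoiceId  int      IDENTITY(1,1) PRIMARY KEY,
    CustomerId int      NOT NULL,
    Amount     money    NOT NULL,
    PostedBy   sysname  NOT NULL,
    PostedAt   datetime NOT NULL DEFAULT GETDATE()
);
GO

-- Called once after login; the front end enables menus from the result.
-- The user name is a parameter, never concatenated into the SQL text.
CREATE PROCEDURE dbo.usp_GetUserPrivileges
    @UserName sysname
AS
    SET NOCOUNT ON;
    SELECT CanInvoice, CanCustService
    FROM dbo.UserPriv
    WHERE UserName = @UserName;
GO

-- Each business action re-checks its flag on the server, so a greyed-out
-- button in the front end is not the only control over the data.
CREATE PROCEDURE dbo.usp_PostInvoice
    @UserName   sysname,
    @CustomerId int,
    @Amount     money
AS
    SET NOCOUNT ON;
    IF NOT EXISTS (SELECT 1 FROM dbo.UserPriv
                   WHERE UserName = @UserName AND CanInvoice = 1)
    BEGIN
        RAISERROR('User %s is not permitted to post invoices.', 16, 1, @UserName);
        RETURN 1;
    END;
    INSERT INTO dbo.Invoice (CustomerId, Amount, PostedBy)
    VALUES (@CustomerId, @Amount, @UserName);
    RETURN 0;
GO

-- The shared application login (a member of the assumed role AppRole) gets
-- EXECUTE on the procedures only. Because the procedures and tables share an
-- owner, ownership chaining lets the procedures touch the tables while the
-- login itself cannot run ad-hoc statements against them.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.UserPriv TO AppRole;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Invoice  TO AppRole;
GRANT EXECUTE ON dbo.usp_GetUserPrivileges TO AppRole;
GRANT EXECUTE ON dbo.usp_PostInvoice       TO AppRole;
GO
```

This is the difference the first post is asking about: with a single admin connection, the front end's flags are the only line of defence, and any client that obtains the connection string has the admin's rights. With execute-only grants the database enforces the same flags no matter which client connects. One limit remains: over a shared login, @UserName is whatever the client sends, so the server cannot verify it; per-user logins or Windows authentication let the procedure key on SUSER_SNAME() instead of a parameter.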
 App Security - front-end or back-end?
Thanks for the response Joe. I am actually considering your approach. You
say:

"...when the program starts , it creates a connection to sql
 server , then pops up a dialog for the user to log in"

When opening your connection, do you use the same userid/password entry for
all logins, or do you use one for each user? As I understand it, this
part is just to establish the connection to the DB while another login
process determines app functionality.

Thanks,
Jim


Quote:
> Hi,
>
> One idea I can give you is what I have done before. That is, have your app
> open up a connection to SQL Server, the same for all users, then have a
> table created with the users' privileges, and query the table to return
> info based on the user. Then set up the front end program to turn on/off
> features based on the return of the query. You then only have to build a
> management form to add records to the table, and set the flags for each user.
> for example, > then do a select like .. select * from userpriv where user
> = luser and password = lpassword. You can have columns like
> user, password, invoice, customerservice etc., and if the user is found in
> your table, and the invoice bit is true, you enable the invoicing section of
> your front end etc.
>
> Hope that helps.
>
> - Joe -
> Joe Povilaitis
> Webmaster
> www.SQLwarehouse.com
>
> > We are migrating an old Foxpro app to VB/SQL Server 7. The original app
> > uses boolean values stored in a table to enable/disable app functionality
> > depending on the user. Certain menu options/command buttons would be
> > enabled or disabled depending on how a user is set up via the application.
> >
> > Would I be better off continuing this approach? I was thinking of logging
> > on to the server with admin privileges (via code) and just letting the
> > app's (front end) security model handle what can and can't be done to the
> > database. All database access/changes will be done via stored procedures.
> >
> > I would appreciate any comments or advice, as well as links to where I
> > can find more information on this.
> >
> > Thanks,
> > Jim



Wed, 14 May 2003 03:00:00 GMT  
 App Security - front-end or back-end?

Jim,

We also recommend, with today's issues about security, that you enforce good,
solid standards for passwords and access keys. A couple of other things
that can really make your app shine in this area are to use the built-in
Windows security systems for users and groups. This will take a bit of
work, but once you have it up and running, it does make your application much
easier to administer for users and access rights. One other suggestion
is that you add encryption to your passwords that are stored in the DB.
This will protect not only the system and data, but the individual users.
With encrypted passwords, it becomes extremely hard for someone to obtain a
user's password and use it for unauthorized purposes.

--
Sincerely,

Todd B - CEO - Agendum Software

(608) 837-6736  Voice                (419) 821-9599 Fax

 ** New Version of AgWindowWatch, AgOnlineUpdate and AgFastform released!
Visit our website for more information!


Quote:
> Thanks for the response Joe. I am actually considering your approach. You
> say:
>
> "...when the program starts , it creates a connection to sql
>  server , then pops up a dialog for the user to log in"
>
> When opening your connection, do you use the same userid/password entry
> for all logins, or do you use one for each user? As I understand it, this
> part is just to establish the connection to the DB while another login
> process determines app functionality.
>
> Thanks,
> Jim
>
> > Hi,
> >
> > One idea I can give you is what I have done before. That is, have your
> > app open up a connection to SQL Server, the same for all users, then have
> > a table created with the users' privileges, and query the table to return
> > info based on the user. Then set up the front end program to turn on/off
> > features based on the return of the query. You then only have to build a
> > management form to add records to the table, and set the flags for each
> > user.
> > for example, > then do a select like .. select * from userpriv where
> > user = luser and password = lpassword. You can have columns like
> > user, password, invoice, customerservice etc., and if the user is found in
> > your table, and the invoice bit is true, you enable the invoicing section
> > of your front end etc.
> >
> > Hope that helps.
> >
> > - Joe -
> > Joe Povilaitis
> > Webmaster
> > www.SQLwarehouse.com
> >
> > > We are migrating an old Foxpro app to VB/SQL Server 7. The original
> > > app uses boolean values stored in a table to enable/disable app
> > > functionality depending on the user. Certain menu options/command
> > > buttons would be enabled or disabled depending on how a user is set up
> > > via the application.
> > >
> > > Would I be better off continuing this approach? I was thinking of
> > > logging on to the server with admin privileges (via code) and just
> > > letting the app's (front end) security model handle what can and can't
> > > be done to the database. All database access/changes will be done via
> > > stored procedures.
> > >
> > > I would appreciate any comments or advice, as well as links to where I
> > > can find more information on this.
> > >
> > > Thanks,
> > > Jim



Fri, 16 May 2003 15:11:29 GMT  
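Two ways to put Todd's advice into practice, as an added example that is not from the thread or from any of the posters. It is written for SQL Server 2008 or later (HASHBYTES and CRYPT_GEN_RANDOM do not exist in SQL Server 7, so there the hashing would have to be done in the VB client before the value is sent); the table and procedure names are assumptions and the inserted user is a constructed value:

```sql
-- Added example, not from the thread. Object names are assumed.
-- One row per user. Windows-authenticated users have no Salt/PasswordHash;
-- their identity comes from the login SQL Server has already verified.
CREATE TABLE dbo.AppUser (
    UserName       sysname       NOT NULL PRIMARY KEY,  -- e.g. N'jim' or N'CORP\jim'
    Salt           varbinary(16) NULL,
    PasswordHash   varbinary(32) NULL,                  -- SHA2_256(salt + password)
    CanInvoice     bit           NOT NULL DEFAULT 0,
    CanCustService bit           NOT NULL DEFAULT 0
);
GO

-- (a) Store a per-user random salt and the hash, never the password itself.
CREATE PROCEDURE dbo.usp_SetPassword
    @UserName sysname,
    @Password nvarchar(128)
AS
    SET NOCOUNT ON;
    DECLARE @Salt varbinary(16) = CRYPT_GEN_RANDOM(16);
    DECLARE @Hash varbinary(32) =
        HASHBYTES('SHA2_256', @Salt + CAST(@Password AS varbinary(256)));
    UPDATE dbo.AppUser
    SET Salt = @Salt, PasswordHash = @Hash
    WHERE UserName = @UserName;
    IF @@ROWCOUNT = 0
        INSERT INTO dbo.AppUser (UserName, Salt, PasswordHash)
        VALUES (@UserName, @Salt, @Hash);
GO

-- Sets @Ok = 1 only when the recomputed hash matches the stored one.
-- A copy of the table does not reveal any password.
CREATE PROCEDURE dbo.usp_CheckPassword
    @UserName sysname,
    @Password nvarchar(128),
    @Ok       bit OUTPUT
AS
    SET NOCOUNT ON;
    SET @Ok = 0;
    IF EXISTS (SELECT 1 FROM dbo.AppUser
               WHERE UserName = @UserName
                 AND PasswordHash = HASHBYTES('SHA2_256',
                         Salt + CAST(@Password AS varbinary(256))))
        SET @Ok = 1;
GO

-- (b) With Windows authentication the lookup keys on SUSER_SNAME(), the
-- login the server verified, rather than a name typed into a form.
CREATE PROCEDURE dbo.usp_GetMyPrivileges
AS
    SET NOCOUNT ON;
    SELECT CanInvoice, CanCustService
    FROM dbo.AppUser
    WHERE UserName = SUSER_SNAME();
GO

-- Constructed sample: a Windows user with the invoicing flag, and the call a
-- VB client would make after connecting with Integrated Security.
INSERT INTO dbo.AppUser (UserName, CanInvoice) VALUES (N'CORP\jim', 1);
EXEC dbo.usp_GetMyPrivileges;   -- returns CanInvoice = 1 when run as CORP\jim
GO
```

Option (a) is the minimum that makes the stored values useless to anyone who copies the table; a salted SHA-256 defeats precomputed lookups but is fast to compute, so where the client can do the work, a deliberately slow password hash (PBKDF2, bcrypt or scrypt) computed client-side and stored in the same column is the stronger choice. Option (b) removes the password table from the application entirely and lets user and group administration happen in Windows, which is the ease-of-administration point Todd makes.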