App Security - front-end or back-end?
| Author |
Message |
|
Jim
#1 / 4
|
 App Security - front-end or back-end? We are migrating an old Foxpro app to VB/SQL Server 7. The original app uses boolean values stored in a table to enable/disable app functionality depending on the user. Certain menu options/command buttons would be enabled or disabled depending on how a user is set up in via the applicaion. Would I be better off continuing this approach? I was thinking of logging on
to the server with admin privileges (via code)and just letting the app's
(front end) security model handle what can and can't be done to the
database. All database access/changes will be done via stored procedures.
I would appreciate any comments or advice, as well as links to where I can
find more information on this.
Thanks,
Jim
|
| Wed, 14 May 2003 03:00:00 GMT |
|
 |
|
Webmas..
#2 / 4
|
App Security - front-end or back-end? Hi, One idea , I can give you is what I have done before.That is have your app
open up a connection to sql server
the same for all users, then have a table created with the users privileges,
and query the table to return
info based on the user.Then set up the front end program to turn on/off
features based on the return of the query.
You then only have to build a management form , to add records to the table
, and set the flags for each user.
for example , when the program starts , it creates a connection to sql
server , then pops up a dialog for the user to log in
then do a select like .. select * from userpriv where user = luser and
password = lpassword.You can have collums like
user,password,invoice,customerservice etc ..and if the user is found in your
table , and the invoice bit is true , you enable the invoicing section of
your front end etc ...
Hope that helps .
- Joe -
Joe Povilaitis
Webmaster
www.SQLwarehouse.com
Quote: > We are migrating an old Foxpro app to VB/SQL Server 7. The original app uses > boolean values stored in a table to enable/disable app functionality > depending on the user. Certain menu options/command buttons would be > enabled or disabled depending on how a user is set up in via the applicaion. > Would I be better off continuing this approach? I was thinking of logging
on
> to the server with admin privileges (via code)and just letting the app's
> (front end) security model handle what can and can't be done to the
> database. All database access/changes will be done via stored procedures.
> I would appreciate any comments or advice, as well as links to where I can
> find more information on this.
> Thanks,
> Jim
|
| Wed, 14 May 2003 03:00:00 GMT |
|
|
|
Jim
#3 / 4
|
App Security - front-end or back-end? Thanks for the response Joe. I am actually considering your approach. You say: "...when the program starts , it creates a connection to sql
server , then pops up a dialog for the user to log in"
When opening your connection, do you use the same userid/password entry for
all logins, or do you use one for each user? As I understand it, this
part is just to establish the connection to the DB while Another login
process determines app functionality.
Thanks,
Jim
Quote: > Hi, > One idea , I can give you is what I have done before.That is have your app
> open up a connection to sql server
> the same for all users, then have a table created with the users
privileges,
> and query the table to return
> info based on the user.Then set up the front end program to turn on/off
> features based on the return of the query.
> You then only have to build a management form , to add records to the
table
> , and set the flags for each user.
> for example , > then do a select like .. select * from userpriv where user
= luser and
> password = lpassword.You can have collums like
> user,password,invoice,customerservice etc ..and if the user is found in
your
> table , and the invoice bit is true , you enable the invoicing section of
> your front end etc ...
> Hope that helps .
> - Joe -
> Joe Povilaitis
> Webmaster
> www.SQLwarehouse.com
> > We are migrating an old Foxpro app to VB/SQL Server 7. The original app
> uses
> > boolean values stored in a table to enable/disable app functionality
> > depending on the user. Certain menu options/command buttons would be
> > enabled or disabled depending on how a user is set up in via the
> applicaion.
> > Would I be better off continuing this approach? I was thinking of
logging
> on
> > to the server with admin privileges (via code)and just letting the app's
> > (front end) security model handle what can and can't be done to the
> > database. All database access/changes will be done via stored
procedures.
> > I would appreciate any comments or advice, as well as links to where I
can
> > find more information on this.
> > Thanks,
> > Jim
|
| Wed, 14 May 2003 03:00:00 GMT |
|
|
|
Todd B - Agendum Softwar
#4 / 4
|
App Security - front-end or back-end? Jim,
We also recommend with today's issues about security, that you enforce good,
solid standards for passwords and access keys. A couple of other things
that can really make your app shine in this area is to use the built in
Windows security systems for users and groups. This will take a bit of
work but once you have it up and running, it does make your application much
more easy to administer for users and access rights. One other suggestion
is that you add encryption to your passwords that are stored in the DB.
This will protect not only the system and data, but the individual users.
With encrypted passwords, it becomes extremely hard for someone to obtain a
users password and use it for unauthorized purposes.
--
Sincerely,
Todd B - CEO - Agendum Software
(608) 837-6736 Voice (419) 821-9599 Fax
** New Version of AgWindowWatch, AgOnlineUpdate and AgFastform released!
Visit our website for more information!
Quote: > Thanks for the response Joe. I am actually considering your approach. You > say: > "...when the program starts , it creates a connection to sql
> server , then pops up a dialog for the user to log in"
> When opening your connection, do you use the same userid/password entry
for
> all logins, or do you use one for each user? As I understand it, this
> part is just to establish the connection to the DB while Another login
> process determines app functionality.
> Thanks,
> Jim
> > Hi,
> > One idea , I can give you is what I have done before.That is have your
app
> > open up a connection to sql server
> > the same for all users, then have a table created with the users
> privileges,
> > and query the table to return
> > info based on the user.Then set up the front end program to turn on/off
> > features based on the return of the query.
> > You then only have to build a management form , to add records to the
> table
> > , and set the flags for each user.
> > for example , > then do a select like .. select * from userpriv where
user
> = luser and
> > password = lpassword.You can have collums like
> > user,password,invoice,customerservice etc ..and if the user is found in
> your
> > table , and the invoice bit is true , you enable the invoicing section
of
> > your front end etc ...
> > Hope that helps .
> > - Joe -
> > Joe Povilaitis
> > Webmaster
> > www.SQLwarehouse.com
> > > We are migrating an old Foxpro app to VB/SQL Server 7. The original
app
> > uses
> > > boolean values stored in a table to enable/disable app functionality
> > > depending on the user. Certain menu options/command buttons would be
> > > enabled or disabled depending on how a user is set up in via the
> > applicaion.
> > > Would I be better off continuing this approach? I was thinking of
> logging
> > on
> > > to the server with admin privileges (via code)and just letting the
app's
> > > (front end) security model handle what can and can't be done to the
> > > database. All database access/changes will be done via stored
> procedures.
> > > I would appreciate any comments or advice, as well as links to where I
> can
> > > find more information on this.
> > > Thanks,
> > > Jim
|
| Fri, 16 May 2003 15:11:29 GMT |
|
| |
|
