App Security - front-end or back-end?
Jim #1 / 4
We are migrating an old FoxPro app to VB/SQL Server 7. The original app uses boolean values stored in a table to enable/disable app functionality depending on the user. Certain menu options/command buttons would be enabled or disabled depending on how a user is set up via the application. Would I be better off continuing this approach? I was thinking of logging on to the server with admin privileges (via code) and just letting the app's (front end) security model handle what can and can't be done to the database. All database access/changes will be done via stored procedures. I would appreciate any comments or advice, as well as links to where I can find more information on this. Thanks, Jim
Wed, 14 May 2003 03:00:00 GMT
Webmas.. #2 / 4
Hi, One idea I can give you is what I have done before. That is, have your app open up a connection to SQL Server the same for all users, then have a table created with the users' privileges, and query the table to return info based on the user. Then set up the front end program to turn on/off features based on the return of the query. You then only have to build a management form to add records to the table and set the flags for each user. For example, when the program starts, it creates a connection to SQL Server, then pops up a dialog for the user to log in, then does a select like: select * from userpriv where user = luser and password = lpassword. You can have columns like user, password, invoice, customerservice etc., and if the user is found in your table and the invoice bit is true, you enable the invoicing section of your front end etc. Hope that helps. - Joe - Joe Povilaitis Webmaster www.SQLwarehouse.com
Wed, 14 May 2003 03:00:00 GMT
Jim #3 / 4
Thanks for the response, Joe. I am actually considering your approach. You say: "...when the program starts, it creates a connection to sql server, then pops up a dialog for the user to log in." When opening your connection, do you use the same userid/password entry for all logins, or do you use one for each user? As I understand it, this part is just to establish the connection to the DB, while another login process determines app functionality. Thanks, Jim
Wed, 14 May 2003 03:00:00 GMT
Todd B - Agendum Softwar #4 / 4
Jim, We also recommend, with today's issues about security, that you enforce good, solid standards for passwords and access keys. Another thing that can really make your app shine in this area is to use the built-in Windows security systems for users and groups. This will take a bit of work, but once you have it up and running it makes your application much easier to administer for users and access rights. One other suggestion is that you add encryption to the passwords that are stored in the DB. This will protect not only the system and data, but the individual users. With encrypted passwords, it becomes extremely hard for someone to obtain a user's password and use it for unauthorized purposes. -- Sincerely, Todd B - CEO - Agendum Software
Fri, 16 May 2003 15:11:29 GMT
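As an added example, not code from anyone in this thread, here is Joe's userpriv lookup (post #2) combined with Todd's advice to encrypt stored passwords (post #4), modelled in Python with sqlite3 standing in for SQL Server 7 and a function standing in for a stored procedure. The table and column names follow Joe's post; the `sessions` table, the session token, and the `sp_post_invoice` procedure are assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3

def setup_db():
    # Constructed stand-in for the userpriv table; the plaintext password
    # column is replaced by a per-user salt and a PBKDF2 hash.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE userpriv (username TEXT PRIMARY KEY, salt BLOB,"
                " pwhash BLOB, invoice INTEGER, customerservice INTEGER)")
    # Assumed addition: server-issued session handles, so stored procedures
    # never have to trust a client-supplied username.
    con.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, username TEXT)")
    return con

def hash_password(password, salt):
    # Slow, salted hash: a copied table does not yield usable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_user(con, username, password, invoice=False, customerservice=False):
    salt = os.urandom(16)
    con.execute("INSERT INTO userpriv VALUES (?, ?, ?, ?, ?)",
                (username, salt, hash_password(password, salt),
                 int(invoice), int(customerservice)))

def login(con, username, password):
    """Joe's login select, parameterised (no string-built WHERE clause) and
    comparing hashes in constant time. Returns (token, flags) or None."""
    row = con.execute("SELECT salt, pwhash, invoice, customerservice"
                      " FROM userpriv WHERE username = ?", (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[1], hash_password(password, row[0])):
        return None
    token = os.urandom(16).hex()
    con.execute("INSERT INTO sessions VALUES (?, ?)", (token, username))
    # The flags drive the front end (enable/disable menus); they are a
    # convenience for the UI, not the enforcement point.
    return token, {"invoice": bool(row[2]), "customerservice": bool(row[3])}

def sp_post_invoice(con, token, amount):
    """Stand-in for a stored procedure. The invoice bit is re-checked here,
    keyed by the session token, so enabling a menu item in the front end
    alone grants nothing even though every client shares one SQL login."""
    row = con.execute("SELECT u.invoice FROM sessions s JOIN userpriv u"
                      " ON u.username = s.username WHERE s.token = ?",
                      (token,)).fetchone()
    if row is None or not row[0]:
        raise PermissionError("invoice privilege not granted")
    return {"posted": amount}
```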