Re: Row level security in n-tier applications

> How do you folks handle the trade-offs involved when architecting
> an n-tier application that has to support row-level security too?
>
> So, the n-tier application should potentially serve hundreds or
> thousands of users (we need to scale linearly, so the idea of
> multiplexing (pooling) the connection object to the database is a
> requirement), but we /also/ need the correct identity to filter
> through to the data access calls per user call/session. How do
> we solve this paradox? :)
>
> Do you use database views? But then how do you manage the
> ever-growing need for new views based on new users/roles? The idea
> should be to create a framework where new security requirements do
> not require tinkering with the database, yeah?
>
> Or, do you create some sort of an interception layer in the data
> access tier?

I don't use database or OS security. I have my own tables of users,
passwords and access rights. The client must first call the Login method
of the appserver to authenticate the user and obtain the user ID. The
client then passes this ID along with every subsequent method call (for
client datasets, you can use OwnerData). The appserver filters data and
performs operations based on this ID.

For tighter security, you might want to consider using dynamic session
IDs instead of static user IDs, encrypting the communication, etc.

HTH
TOndrej
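
The Login-then-pass-an-ID scheme from the reply above, as an added example that is not the poster's code: one shared SQLite connection stands in for the pooled database connection, the appserver keeps its own user table and a session table, and every data call filters rows by the identity resolved from a random session token (the dynamic-session-ID variant the reply suggests). The schema, the sample users and orders, and the PBKDF2 password hashing are assumptions made for the example.

```python
import hashlib, secrets, sqlite3

# Constructed in-memory database standing in for the pooled connection shared by all
# callers; identity never comes from the connection, only from the per-call session ID.
POOL = sqlite3.connect(":memory:", check_same_thread=False)
POOL.executescript("""
CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT UNIQUE, salt BLOB, pw_hash BLOB);
CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER, item TEXT);
INSERT INTO orders VALUES (1, 1, 'widget'), (2, 2, 'gadget'), (3, 1, 'gizmo');
""")

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def add_user(name: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    POOL.execute("INSERT INTO users(name, salt, pw_hash) VALUES (?, ?, ?)",
                 (name, salt, _hash(password, salt)))

add_user("alice", "correct horse")   # constructed sample users: alice gets id 1, bob id 2
add_user("bob", "hunter2")

# Appserver-side session table (hypothetical design): random token -> user ID, so the
# client never hands the appserver a raw user ID it could simply change.
SESSIONS: dict[str, int] = {}

def login(name: str, password: str) -> str:
    row = POOL.execute("SELECT id, salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None or not secrets.compare_digest(_hash(password, row[1]), row[2]):
        raise PermissionError("bad credentials")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = row[0]
    return token

def logout(token: str) -> None:
    SESSIONS.pop(token, None)

def _user_for(token: str) -> int:
    try:
        return SESSIONS[token]
    except KeyError:
        raise PermissionError("invalid or expired session") from None

def list_orders(token: str) -> list[str]:
    # Row-level filter applied by the appserver on every call: the resolved identity is a
    # bound parameter, so all users share one connection yet only see their own rows.
    uid = _user_for(token)
    return [r[0] for r in POOL.execute(
        "SELECT item FROM orders WHERE owner_id = ? ORDER BY id", (uid,))]
```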
