EntityFramework Best Practices RE: Database Security

Question

I have a situation where I want to use permissions on database objects, but not allow users who are smart enough to make connections through excel and access to manipulate data. We want to require a user to make a connection through our Web Application this ensures validation of data in one place. Is there a way to ensure that when a user makes a connection to the database and has the permission set that allows him to Insert, Update, or Delete that he is doing in through the Web Application?

If there is not A way, then what are your opinions on dealing with this situation without using a master user for the web application connection?

Ladislav Mrnka · Accepted Answer

You can either use master account which is what most system does because there is no reason to give user access to database if you want to use another tier (your web application) for data validation, rules checking, etc. That is a way to not allow user accessing database directly.

Once you give user access to database he can do whatever his permission allows him. There will be nothing which will stop user from accessing the database directly. Moreover if you don't use master account in web application you will have to delegate user through the web application (it requires windows domain and Kerberos if database server doesn't sit on the same machine as web application). This delegation will give your user exactly same permissions in your application as the user have without your application.

EntityFramework Best Practices RE: Database Security

Answers (2)

Related Questions