Post #229,942
10/18/05 1:02:00 PM
|
Is this a good idea?
Let's say you have a web-based application, users on IE6, on a WinXP network. The web application looks up user groups from Active Directory and assigns permissions based on that. Users are also granted specific permissions on SQL Server, so if you go to some pages you can get an error message[1] because the current user doesn't have sufficient permissions on a particular table in SQL Server.
A common method in a Linux environment would be to handle permissions entirely within the web application, and execute all queries with the permissions of the webserver.
Is it a good or bad idea to do permissions at a per-user/per-table level?
[1] Bad error handling is a completely different issue.
===
Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats].
[link|http://DocHope.com|http://DocHope.com]
|
Post #229,947
10/18/05 1:28:46 PM
|
Re: Is this a good idea?
If you do that, you end up with one db/whatever user per actual web application user. This isn't really an issue if it's an internal application. It's untenable with a public/semi-public web application, though.
Regards,
-scott anderson
"Welcome to Rivendell, Mr. Anderson..."
|
Post #229,949
10/18/05 1:31:01 PM
|
That's a definite maybe...
Depends on the application, but I immediately see the following problems which may or may not be problems for you depending on what you're doing.
- The strategy described indicates that you have to create new database connections for every request, which won't scale very well.
- I'd have concerns about vendor lock-in. Particularly if your implementation is IIS-dependent and your network has problems with viruses and the like.
- How reliable is Active Directory? I've heard bad things over the years and happen to know of a couple of major disasters associated with it. But that's anecdotal, and I don't know what your needs are.
- Usually there are tables (eg ones with user information) where users need to be granted/denied access per row. So you'll likely need to build the usual kind of permission scheme ANYWAYS. Having multiple permission scheme's is a good way to lead to confusion, and confusion is a Bad Thing when it comes to security.
Against all of this I can name at least one big positive - which is that the damage from compromises in your web application are more likely to be automatically contained. For instance if most users don't have permissions on whatever table has credit cards, then an attacker will have a lot more trouble getting that table to dump. A second positive is that you may have to do less work to set up a new user - just let the sysadmins handle it in Active Directory. For a low-volume intranet application at a site that has accepted vendor lock-in, depends on Active Directory anyways and has good Windows administrators, your strategy sounds reasonable to me. But if any of those assumptions are loosened (or you wish them to be loosenable in the future), then I'd not be as happy with it. Cheers, Ben I have come to believe that idealism without discipline is a quick road to disaster, while discipline without idealism is pointless. -- Aaron Ward (my brother)
|
Post #229,960
10/18/05 2:25:45 PM
|
You missed a line
Users are also granted specific permissions on SQL Server ... First the sysadmin creates the user account and assigns groups. Then the DBA (actually a programmer who happens to be an MCDBA) assigns permissions to the tables. Or at least some of the tables ... the ones he knows about. Usually there are tables (eg ones with user information) where users need to be granted/denied access per row. So you'll likely need to build the usual kind of permission scheme ANYWAYS. Having multiple permission scheme's is a good way to lead to confusion, and confusion is a Bad Thing when it comes to security. Yes. Yes. And yes. I also suspect -- but don't know enough about admin-ing Windows to be sure -- that this is actually a Very Bad Idea for SQL Server. I would think you'd want as few users with permissions on the DB as possible. And the one user with permission should be a user that no real user can be. ===
Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats].
[link|http://DocHope.com|http://DocHope.com]
|
Post #229,963
10/18/05 2:32:51 PM
|
Admin, we need another WeeCode...
Bent Silly: Having multiple permission scheme's is a good way... Something like " [AngryFlower]", that points to that BobSomething.GIF, wherever it is.
[link|mailto:MyUserId@MyISP.CountryCode|Christian R. Conrad]
(I live in Finland, and my e-mail in-box is at the Saunalahti company.)
Your lies are of Microsoftian Scale and boring to boot. Your 'depression' may be the closest you ever come to recognizing truth: you have no 'inferiority complex', you are inferior - and something inside you recognizes this. - [link|http://z.iwethey.org/forums/render/content/show?contentid=71575|Ashton Brown]
|
Post #230,168
10/20/05 8:26:42 AM
|
Why not just have another checkbox on the New Comment page
entitled "Silence the language pedants! (fix apostrophes)" and be done with it :)
Two out of three people wonder where the other one is.
|
Post #229,970
10/18/05 3:18:56 PM
|
ICLRPD (new thread)
Created as new thread #229969 titled [link|/forums/render/content/show?contentid=229969|ICLRPD]
--
Steve
[link|http://www.ubuntulinux.org|Ubuntu]
|
Post #229,982
10/18/05 5:06:51 PM
|
Hard to say
Users are also granted specific permissions on SQL Server, so if you go to some pages you can get an error message[1] because the current user doesn't have sufficient permissions on a particular table in SQL Server. In a well written application it shouldn't be possible for a user to get to a page where they don't have permission to access it's contents. On the other hand, security at the SQL layer can provide a good second level of protection, particularly if the security at the web code level is poor. Security is one of those things that you should work to make as simple as it can be and still do what you need it to. The simpler the system, the easier it is to understand, find loopholes, and use correctly. Without knowing more about how your system integrates with AD, I can't say much more. Doing security at the per user/per table level sounds excessive for most systems though. Jay
|
Post #229,984
10/18/05 5:18:13 PM
|
My main issue with it
If security is implemented at that level, you have to manage security at that level. Every other piece of code has to handle permission issues bubbling up from the DB. You have no abstraction layer or API at a higher level than the tables themselves. Sure, you get theoritically finer-grained control, but at the expense of making it unmaintainable. IMO.
===
Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats].
[link|http://DocHope.com|http://DocHope.com]
|
Post #229,997
10/18/05 6:32:56 PM
|
If that is all you have then it is a problem
If the only security you are using is the low level DB security, then that is a problem. Security should be tied to the web application at a higher level, controling which parts of the application the user can access.
DB level security can be a good saftey net, but it doesn't make a good system by itself.
The best systems I have seen work something like this. Each user is mapped to a user class, such as user, manager, or admin. This mapping is done at the application level when the person logs is. This class is used to login to the database, where each class has a set of permissions based on what it needs to access. At the application level this class is used to determine what parts of the application the user can see and access.
Overall this seems the best balance between ease, speed and utility that I have seen.
Jay
|
Post #230,009
10/18/05 8:03:15 PM
|
That's an interesting idea.
I've worked on two LAMP applications now where the security system is entirely in the web pages. The DB user has a wide, but not overly powerful level of access (it can view and modify all data but cannot alter the schema). Having a couple of role-oriented users in the DB as you describe could be interesting, though there's the maintainence aspect.
Wade.
"Insert crowbar. Apply force."
|
Post #230,010
10/18/05 8:39:30 PM
|
What you describe is what I favor
The problem here is that there is per-user security at the DB level, and there is per-user security at the application level, and there is role-based security (via AD groups) at the application level, and there is role-based security (via AD groups) at the server level, and there is user-based security (via AD permissions) at the server level. And which combination of the above is required for a given application depends on who implemented it and when.
===
Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats].
[link|http://DocHope.com|http://DocHope.com]
|
Post #230,016
10/18/05 9:22:53 PM
|
Permission schemes can get complicated, fast
The single worst-performing SQL query that I've ever written was one whose job was to propagate permission rules to figure out exactly who could do what, when. It scaled like O(n^5). I broke it into several pieces and it improved to O(n^4). It got slow again and we moved it to a better machine.
It was a lot more flexible than the one you describe, was simple to use, and was very fine-grained. But the logic behind the scenes to make it work was a bear. But it did work well for a few thousand users with hundreds of permissions each.
The reason that I needed a complex scheme was that I needed to grant access to a lot of people based on the kind of data they were accessing, the kind of company they were associated with, the terms of their subscription (when your term expires, so does your permission), and our decisions about when to change specific parts of our site between being premium and standard. And I had to keep it simple enough for our sales reps to be able to use the system. "Why don't I give you a 30 day free trial..."
Cheers,
Ben
I have come to believe that idealism without discipline is a quick road to disaster, while discipline without idealism is pointless. -- Aaron Ward (my brother)
|
Post #230,205
10/20/05 12:13:41 PM
|
Sounds like someone doesn't trust your application's
security.
|
Post #230,207
10/20/05 12:36:59 PM
|
Yup, the same people wrote both
===
Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats].
[link|http://DocHope.com|http://DocHope.com]
|
