Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

sql server - server level logins for apps

Posted on 2014-04-10
3
Medium Priority
?
460 Views
Last Modified: 2014-04-29
is it common for applications with an underlying sql server database, to have a high number of server level logins for users of the application? Or can this be seen as a security issue? I am not a developer so unsure how the applicaiton and underlying DB typically interact.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 2000 total points
ID: 39992731
'High number' is relative.  

When you say server level logins, you mean actual login credentials that exist to allow users to authenticate, and permit database users to be associated?

I don't see many applications which establishes a sql login per user of the application.   I can only think of one application I currently support that does this, and it's been limping along for decades, and will be end of life in 2017.  I'd be surprised to see another application do this, but in some ways it's more secure than some of the other security systems I've seen implemented.  (It is, however, a support challenge, and means that support of the application will require some database server role that I would prefer not to have to hand out.)

Slightly more frequently, an application will take advantage of Windows Integrated (Active Directory) credentials, and I can put a domain group in SQL security, the user can only access the database if they are in the correct group -- then the application has it's own internal authentication system internal to the application.  

Most frequently, I see a web based application which gets a small group of login/users, and the application takes care of all the actual user authentication completely invisibly to SQL.  (And in this case, I have to settle for a login who can read/write to necessary tables, a different login which is only used for updating the schema, and if I'm lucky - a third login which can only read some necessary tables.)   (Tragically, I frequently see third party applications which expect to install it's database as sysadmin, and run all it's communication from it's web application as sysadmin.  My server admins enjoy watching my hair stand up on end when vendors mention that this how their software installs...)

Does that help?  Or did I go off in the wrong direction?
0
 
LVL 3

Author Comment

by:pma111
ID: 39992748
Great help thanks
0
 
LVL 3

Author Comment

by:pma111
ID: 39993590
?>>When you say server level logins, you mean actual login credentials that exist to allow users to authenticate, and permit database users to be associated?


Yep, anything listed in sys.syslogins
0

Featured Post

Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever needed a SQL 2008 Database replicated/mirrored/log shipped on another server but you can't take the downtime inflicted by initial snapshot or disconnect while T-logs are restored or mirror applied? You can use SQL Server Initialize from Backup…
A Stored Procedure in Microsoft SQL Server is a powerful feature that it can be used to execute the Data Manipulation Language (DML) or Data Definition Language (DDL). Depending on business requirements, a single Stored Procedure can return differe…
Familiarize people with the process of retrieving data from SQL Server using an Access pass-thru query. Microsoft Access is a very powerful client/server development tool. One of the ways that you can retrieve data from a SQL Server is by using a pa…
Viewers will learn how to use the UPDATE and DELETE statements to change or remove existing data from their tables. Make a table: Update a specific column given a specific row using the UPDATE statement: Remove a set of values using the DELETE s…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question