SQL Security Access for WPF Application

I have developed a C# WPF application that implements a role type access to SQL database tables. My application gets the user's Windows identity and manages CRUD from there.

Do I simply set up a SQL User on my DB for my application then pass the Id and password through the App.config connection string? I would rather not have to place the password in the App.config file. Is there a better way?

ste5an (Senior Developer) commented:
First you say you're using the Windows identity, then you want a SQL user...

What are you doing exactly? Do you want to use Windows authentication, thus AD integrated security or do you want separate SQL Server authentication? In the first case you can manage users by using security groups instead of single users, which would be necessary for SQL Server authentication.
rcl58 (Author) commented:
I'm thinking my application does SQL authentication. I get the user Win Identity when a user opens my app. The app connects to SQL and then the app accesses the role tables I've set up to grant CRUD rights based on the user Win Id.

ste5an (Senior Developer) commented:
The question is, as you're using the Windows user identity already, why not use Windows authentication? It seems like unnecessary work. But it depends on the kind of application and your environment, where and how it is run.

See also Choose an Authentication Mode.
rcl58 (Author) commented:
I'm trying to avoid setting up user permission in SQL. By setting up one "application" User I don't have to manage permissions for all the individual users.

It's an internal WPF app accessing an internal SQL database with 70+ tables.

ste5an (Senior Developer) commented:
But you do. In your application.

Thus you have taken away the possibility that an administrator can do this. This also prohibits the basic audit trails in Windows and SQL Server, so that you cannot identify your users.

Besides that: You already use a hard-coded password for your application role, don't you? In this case using a SQL user which has only connect permission and also using a hard-coded password is no further drawback.

But you can use application roles also with Windows authentication. Just create a "connect" security group in your AD. Then you add the users to that group. In SQL Server you only create one login for that group.
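
The setup described in the answer above, sketched in T-SQL as an added example that is not part of the original thread. The domain group `CONTOSO\AppConnect`, database `AppDb`, role `app_crud` and the password value are assumed placeholders, not names from the posts.

```sql
-- Assumed names (not from the thread): CONTOSO\AppConnect, AppDb, app_crud.
USE master;
GO
-- One login for the AD "connect" security group. Each member still
-- authenticates with their own Windows identity, so no password is
-- needed in App.config for the connection itself.
CREATE LOGIN [CONTOSO\AppConnect] FROM WINDOWS;
GO

USE AppDb;
GO
-- Map the group into the database. CREATE USER grants CONNECT only;
-- no table permissions are given to the group.
CREATE USER [CONTOSO\AppConnect] FOR LOGIN [CONTOSO\AppConnect];
GO

-- The application role carries the table permissions.
-- Replace the placeholder password before running.
CREATE APPLICATION ROLE app_crud
    WITH PASSWORD = '<placeholder-app-role-password>';
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_crud;
GO

-- What the application runs on each connection it opens with
--   Server=<server>;Database=AppDb;Integrated Security=SSPI;
DECLARE @cookie varbinary(8000);
EXEC sys.sp_setapprole
     @rolename      = 'app_crud',
     @password      = '<placeholder-app-role-password>',
     @fCreateCookie = true,
     @cookie        = @cookie OUTPUT;

-- The Windows account remains visible for auditing after the role
-- is activated: ORIGINAL_LOGIN() returns DOMAIN\user, while
-- USER_NAME() returns the application role.
SELECT ORIGINAL_LOGIN() AS windows_login,
       USER_NAME()      AS active_principal;

-- ... application CRUD statements run here under app_crud ...

-- Revert before the connection goes back to the pool, otherwise the
-- next user of the pooled connection inherits a broken context.
EXEC sys.sp_unsetapprole @cookie;
```

The application role password is still a secret the client has to hold, which is the hard-coded password the answer refers to; what changes is that the login itself is per-user and auditable.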

rcl58 (Author) commented:
Got it. Thanks!