SQL Security Access for WPF Application

I have developed a C# WPF application that implements a role type access to SQL database tables. My application gets the user's Windows identity and manages CRUD from there.

Do I simply set up a SQL User on my DB for my application then pass the Id and password through the App.config connection string? I would rather not have to place the password in the App.config file. Is there a better way?


ste5an (Senior Developer) Commented:
First you say you're using the Windows identity, then you want a SQL user..

What are you doing exactly? Do you want to use Windows authentication, thus AD integrated security or do you want separate SQL Server authentication? In the first case you can manage users by using security groups instead of single users, which would be necessary for SQL Server authentication.
rcl58 (Author) Commented:
I'm thinking my application does SQL authentication. I get the user Win Identity when a user opens my app. The app connects to SQL and then the app accesses the role tables I've set up to grant CRUD rights based on the user Win Id.
ste5an (Senior Developer) Commented:
The question is, as you're using the Windows user identity already, why not use Windows authentication? It seems like unnecessary work. But it depends on the kind of application and your environment, where and how it is run.

See also Choose an Authentication Mode.

rcl58 (Author) Commented:
I'm trying to avoid setting up user permission in SQL. By setting up one "application" User I don't have to manage permissions for all the individual users.

It's an internal WPF app accessing an internal SQL database with 70+ tables.
ste5an (Senior Developer) Commented:
But you do. In your application.

Thus you have taken away the possibility that an administrator can do this. This also prohibits the basic audit trails in Windows and SQL Server, so that you cannot identify your users.

Besides that: You already use a hard-coded password for your application role, don't you? In this case using a SQL user which has only connect permission and also using a hard-coded password is no further drawback.

But you can use application roles also with Windows authentication. Just create a "connect" security group in your AD. Then you add the users to that group. In SQL Server you only create one login for that group.
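
The setup described in the answer above, sketched in T-SQL as an added example that is not part of the original thread. The domain group `CONTOSO\WpfApp_Connect`, database `AppDb`, role `WpfAppRole` and the password placeholder are all assumed names; the application is assumed to connect with `Integrated Security=SSPI` in its connection string, so no SQL login password sits in App.config.

```sql
-- Added example. All object names and the password are placeholders.

-- == Run once by a DBA ==
USE master;
GO
-- One server login for the AD security group; membership is managed in AD.
CREATE LOGIN [CONTOSO\WpfApp_Connect] FROM WINDOWS;
GO

USE AppDb;
GO
-- Map the group into the database. It is given no table permissions,
-- so a group member connecting with another client cannot read the tables.
CREATE USER [CONTOSO\WpfApp_Connect] FOR LOGIN [CONTOSO\WpfApp_Connect];
GO

-- Table permissions live on the application role only.
CREATE APPLICATION ROLE WpfAppRole
    WITH PASSWORD = '<app-role-password-placeholder>';
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO WpfAppRole;
GO

-- == Run by the WPF app on each connection it opens ==
-- The session switches to the application role's permissions.
DECLARE @cookie varbinary(8000);
EXEC sys.sp_setapprole
     @rolename      = N'WpfAppRole',
     @password      = N'<app-role-password-placeholder>',
     @fCreateCookie = true,
     @cookie        = @cookie OUTPUT;

-- The Windows account stays visible for auditing after the switch:
-- ORIGINAL_LOGIN() returns the individual DOMAIN\user that connected,
-- while USER_NAME() now returns WpfAppRole.
SELECT ORIGINAL_LOGIN() AS windows_login, USER_NAME() AS db_principal;

-- ... application queries run here ...

-- Revert before the connection goes back to the ADO.NET pool; a pooled
-- connection left in the application role fails when it is reused.
EXEC sys.sp_unsetapprole @cookie;
GO
```

The application role password still has to reach the client, which is the hard-coded secret the answer mentions; what this layout removes is the SQL login credential in the connection string and the loss of per-user identity in the audit trail.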

rcl58 (Author) Commented:
Got it. Thanks!

Question has a verified solution.
