I have been working using WPF for a while, but due to lack of resources I used Access Files as Databases. Recently I got the opportunity to get my hands on a SQL Database. When I created my WPF Application (a simple data entry, which writes and read from the database) one of the IT guys where I work started complaining he would have to give full access to everyone who would use this app.
So, here’s my question since you could say I’m new to use WPF Linked to SQL: What is the best approach to achieve the above mentioned example? I have been researching about API’s, ASP.NET, PHP, etc. to see what I could use to send/receive requests from the server, but my understanding is that those previous scripting languages (to just give it a name) are used more for web development, my application is WPF and just runs on the server PC’s like a regular windows application.
I would appreciate any insights as where to shift my attention, what should I learn/research?
Thank you all!
Advertisement
Answer
This is the scenario that Application Roles were designed to help with.
An application role is a database principal that enables an application to run with its own, user-like permissions. You can use application roles to enable access to specific data to only those users who connect through a particular application. Unlike database roles, application roles contain no members and are inactive by default. Application roles are enabled by using sp_setapprole, which requires a password. Because application roles are a database-level principal, they can access other databases only through permissions granted in those databases to guest. Therefore, any database in which guest has been disabled will be inaccessible to application roles in other databases.
Users still need to Connect to the database, but they don’t need to have any permissions beyond that.
If your users are local admins on their desktops they could always discover the application role’s password with a debugger, so this only works in locked-down environments or where you have reasonably trustworthy users.