In VB6 I've got the following code when opening a connection to sql server:
With cn
.ConnectionString = "MyConnectionString"
.ConnectionTimeout = 10
.Properties("OLE DB SERVICES") = -2
.Open
'Had to allow execute for sps against the windows group until we can
suss app role
.Execute "EXEC sp_setapprole 'MyApp',{ENCRYPT N 'MyPassword'},'ODBC'"
End With
In sql server I've added a windows group to the database to allow the users
of the application to open the connection. I gave the windows group no
permissions of any kind. I added an application role and gave it select,
insert etc. permissions on the tables and execute permissions on all stored
procedures
When the application runs under a windows user (who is in the windows group
I added to the databse), the application can select data from the database
but gets 'execute permission denied' on any stored procedure that it tries t
o
run.
If I examine the permissions of one of these stored procedures, there is a
grant on it for the application role (there are no denies on it at all). If
I
then explicitly grant permission on one of these stored procedures to the
windows group containing the windows user, they are able to access it.
Ok, I think, it looks like it is ignoring the application role, so I deleted
the application role from the database and amended the VB code, the user is
then unable to access any data.
My conclusion then becomes the application role was giving the user access
to table data, but not to stored procedures, and when I granted permission t
o
the windows group this somehow overrode the application role. This is clearl
y
rubbish, because as I understand it, once an application role takes over, no
other permissions matter.
Anybody see what I'm doing wrong?
Thanks
PaulPlease ignore - accidentally posted twice
"Paul Whittaker" wrote:
> In VB6 I've got the following code when opening a connection to sql server
:
> With cn
> .ConnectionString = "MyConnectionString"
> .ConnectionTimeout = 10
> .Properties("OLE DB SERVICES") = -2
> .Open
> 'Had to allow execute for sps against the windows group until we c
an
> suss app role
> .Execute "EXEC sp_setapprole 'MyApp',{ENCRYPT N 'MyPassword'}
,'ODBC'"
> End With
> In sql server I've added a windows group to the database to allow the user
s
> of the application to open the connection. I gave the windows group no
> permissions of any kind. I added an application role and gave it select,
> insert etc. permissions on the tables and execute permissions on all store
d
> procedures
> When the application runs under a windows user (who is in the windows grou
p
> I added to the databse), the application can select data from the database
> but gets 'execute permission denied' on any stored procedure that it tries
to
> run.
> If I examine the permissions of one of these stored procedures, there is a
> grant on it for the application role (there are no denies on it at all). I
f I
> then explicitly grant permission on one of these stored procedures to the
> windows group containing the windows user, they are able to access it.
> Ok, I think, it looks like it is ignoring the application role, so I delet
ed
> the application role from the database and amended the VB code, the user i
s
> then unable to access any data.
> My conclusion then becomes the application role was giving the user access
> to table data, but not to stored procedures, and when I granted permission
to
> the windows group this somehow overrode the application role. This is clea
rly
> rubbish, because as I understand it, once an application role takes over,
no
> other permissions matter.
> Anybody see what I'm doing wrong?
> Thanks
> Paul
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment