Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

SQL Server Application Role vs. regular logins and users

Tags:

security

sql-server

application-role

What is the advantage of using a SQL Server application role to manage permissions vs. using standard logins/users and granting the necessary permissions to said users?

We have been using application roles which require the following scenario:

  1. Connect to SQL Server using a SQL Server login and password.
  2. Activate an application role by passing the role name and another password to sp_setapprole.

I don't see how that's any better or more secure than just granting the application role's permissions to the login/user. Both passwords must be available to the application and anyone who gains access to the login password can probably gain access to the app role password and call sp_setapprole from their own program or in SSMS. Right?

EDIT: As Ed Harper surmised, all instances of the application use the same login in my scenario.

like image 684
markltx Avatar asked Nov 17 '25 11:11

markltx

2 Answers

I've never used application roles (CREATE APPLICATION ROLE).
I really can't see the point of them

I have used database roles and added users as members

CREATE ROLE WebUsers AUTHORIZATION dbo;
ALTER ROLE WebUsers ADD MEMBER Tom;
ALTER ROLE WebUsers ADD MEMBER Dick;
ALTER ROLE WebUsers ADD MEMBER Harry;

CREATE ROLE WebAdmins AUTHORIZATION dbo;
ALTER ROLE WebAdmins ADD MEMBER Tom;

Roles have the permissions, not the user

GRANT EXEC TO WebAdmins;

GRANT EXEC On SCHEMA::WebCode TO WebAdmins;
like image 163
gbn Avatar answered Nov 20 '25 16:11

gbn

It's not completely clear from your description, but it sounds like you might be using a SQL login assigned at application level - i.e. all instances of the application (assuming there is more than one instance) use the same login/password. In that scenario, using an application role adds very little value.

As I understand it, application roles are intended to be used where each user has their own login in SQL Server (perhaps in a scenario where access to the database is granted by AD authentication), but you don't want to grant users the same rights as applications they use; this assumes the application connects to the database with the AD user's identity, then elevates its permissions by using sp_setapprole. I've never seen this approach used in a production system.

like image 32
Ed Harper Avatar answered Nov 20 '25 15:11

Ed Harper
Sign in to Comment

Related questions

Double of Total Problem
Experience with SQLExpress for a multi-user commercial application?
What is the simplest, most maintainable way to create a SQL Server ODBC Data Source?
Exporting SharePoint usage log files into a database using LogParser
SELECT result as parameter in user defined table-parameter function
Does full backup work with simple recovery mode? [closed]
SQL Server developer Edition License and CAL [closed]
Create column which increases from last index [duplicate]
Transaction management using TransactionScope ()
Not able to connect any remote database server after installing Visual studio 2012
Token retrieval failed with an error In Azure Data Studio
Sql Parameters supplied for object 'Firm' which is not a function
Is there a program that will display a SQL schema diagram from an existing database?
Is it safe to manually copy native DLLs to a Shadow Copy directory?
How to find continuous zero in a column?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!