473,763 Members | 4,808 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Row-level security and MSSQL

Requirement: managers can login and only see employee data for the
department they manage and any sub-ordinate departments.

The departments are in a table that defines a simple tree structure with
DepartmentID and ParentDepartmen tID.
The Employee table holds the DepartmentID that the employee belongs to.

First issue is how to tie an Access or MSSQL login to an employee
record. In Access this is fairly simple as you just make it part of the
procedure of creating new users to add the login name to a field on the
Employee table. But what about in MSSQL?

I've created Stored Procedures to which I pass the Employee's
DepartmentID. It returns all the employee records for employees
belonging to that department or any sub-ordinate departments. The
problem is a user could pass any value to this stored procedure and get
access to data they should have access to. Any ideas?

Also, I'm wondering what is the best method of applying security. Have a
basic/common MSSQL security level but then use my own username/password
field on the employee table? Or use full MSSQL users/roles? Being able
to add/remove MSQL users from Access would help as is makes it easier to
tie the login to an employee record....

Thanks.
--
regards,

Bradley
Nov 13 '05 #1
5 3183
"Bradley.. .. . . .. .." <no:spam@noemai l:com> wrote:
First issue is how to tie an Access or MSSQL login to an employee
record. In Access this is fairly simple as you just make it part of the
procedure of creating new users to add the login name to a field on the
Employee table. But what about in MSSQL?
A bit of digging around found me the following in Books Online.

DECLARE @sys_usr char(30)
SET @sys_usr = SYSTEM_USER
SELECT 'The current system user is: '+ @sys_usr
GO

which returned me

The current system user is: LAPTOP\ttoews

Not exactly what you are looking for but close. Hmm, ah, LAPTOP is the name of my
domain as I'm logged on locally. So that's even better. But I'm sure there's a bit
of string manipulation you can do in T-SQL and get rid of what's to the left of the
"\".
Also, I'm wondering what is the best method of applying security. Have a
basic/common MSSQL security level but then use my own username/password
field on the employee table? Or use full MSSQL users/roles? Being able
to add/remove MSQL users from Access would help as is makes it easier to
tie the login to an employee record....


Nah, use Windows authentication. Which is what the above T-SQL code is. Use SQL
Server security and such, about which I know next to nothing, to grant access to the
database and queries and such.

Using your own username and password is very much duplicating what is already
available to you and built in to the system. Thus it should be much more secure.
Finally it's one less password for the user to remember and to not write down and put
in the back of their bottom desk drawer. (They used to write down the passwords and
put them in their top desk drawer but after they took a corporate security course
they decided they had to get a bit more secure. You laugh? Not me. That's how
some RCMP members have done things.)

Tony
--
Tony Toews, Microsoft Access MVP
Please respond only in the newsgroups so that others can
read the entire thread of messages.
Microsoft Access Links, Hints, Tips & Accounting Systems at
http://www.granite.ab.ca/accsmstr.htm
Nov 13 '05 #2
I worked at a naval base a few years ago (pre PC days) where the typists in the typing pool were required to remove
their typewriter ribbons each night and lock them in safe in case people like you started reading their ribbons!! :-)
On Wed, 14 Jul 2004 14:33:28 GMT, Chuck Grimsby <c.*******@worl dnet.att.net.in valid> wrote: While at a client site awhile back, I was "assigned" a desk to sit at
so I could do my work. While waiting for some query results to pop
up, I idlely started flipping through the rolodex the previous user of
this desk had left. Got to the "P" section and the first card was...
You guessed it... Passwords!


Wayne Gillespie
Gosford NSW Australia
Nov 13 '05 #3
Wayne Gillespie <be*****@NObest fitsoftwareSPAM .com.au> wrote:
I worked at a naval base a few years ago (pre PC days) where the typists in the typing pool were required to remove
their typewriter ribbons each night and lock them in safe in case people like you started reading their ribbons!! :-)


Nowadays they'd be required to remove their PC hard drives and lock them in the safe.
Which is reasonable when you think about it.

Tony
--
Tony Toews, Microsoft Access MVP
Please respond only in the newsgroups so that others can
read the entire thread of messages.
Microsoft Access Links, Hints, Tips & Accounting Systems at
http://www.granite.ab.ca/accsmstr.htm
Nov 13 '05 #4
Tony Toews <tt****@teluspl anet.net> wrote in
news:8m******** *************** *********@4ax.c om:
Wayne Gillespie <be*****@NObest fitsoftwareSPAM .com.au> wrote:
I worked at a naval base a few years ago (pre PC days) where the
typists in the typing pool were required to remove their
typewriter ribbons each night and lock them in safe in case people
like you started reading their ribbons!! :-)


Nowadays they'd be required to remove their PC hard drives and
lock them in the safe. Which is reasonable when you think about
it.


There was a recent story here in NYC where a private school
discarded a bunch of administrative PCs without wiping the hard
drives. They were sitting out on the curb, somebody checked them out
and was able to find SSNs and grade records for nearly 15K students,
covering decades.

Amazing.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
Nov 13 '05 #5
"David W. Fenton" <dX********@bwa y.net.invalid> wrote:
There was a recent story here in NYC where a private school
discarded a bunch of administrative PCs without wiping the hard
drives. They were sitting out on the curb, somebody checked them out
and was able to find SSNs and grade records for nearly 15K students,
covering decades.

Amazing.


Ouch.

1) Americans use SSN way too much.

2) Someone should be charged and do jail time.

Tony
--
Tony Toews, Microsoft Access MVP
Please respond only in the newsgroups so that others can
read the entire thread of messages.
Microsoft Access Links, Hints, Tips & Accounting Systems at
http://www.granite.ab.ca/accsmstr.htm
Nov 13 '05 #6

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
2
2270
how to advance a database resource pointer to the next row in the returned data?
by: lawrence | last post by:
I had some code that worked fine for several weeks, and then yesterday it stopped working. I'm not sure what I did. Nor can I make out why it isn't working. I'm running a query that should return 3 items from the database. I then get a count of the return, which correctly tells me that I've got 3 items. I then go into a for loop which I expect to loop 3 times and print out the 3 items. Here is where things get strange: it loops 3 times and...
PHP
10
22231
adding/deleting dynamic table row, rowIndex
by: AdamG | last post by:
I am trying hard for days now to add and delete rows to a table. I could really use some help... Each row contains two buttons (images) - 'add row' and 'delete row'. When the user clicks add row within a specific cell/row, the index of that row should be passed to a function that creates a new row using that index (the new row should be added directly below the row where the user clicked. The new row should contain all of the cells and...
Javascript
7
16176
how get row number
by: Micha? | last post by:
Hello this is my problem: <script language="javascript"> function Show() { RowNumber="???"; // I trying this.rowIndex CellNumber="???"; // TableID="???"; // :-( alert(RowNumber);
Javascript
0
3134
DataGrid - Error Modifying DataTable rows after adding new row with InsertAt()
by: Dave Elliott | last post by:
After inserting a new data row to a DataTable that is bound to a datagrid, I am unable to change data in a row that is after the newly added row without getting bizarre results. I have added the full code for the test below. Create a project drop in the code and run. Any help would be appreciated. Cheers,
.NET Framework
2
9926
Problem with datagrid row select
by: Chris Plowman | last post by:
Hi all, I was wondering if anyone can help me with a really annoying problem I have been having. I made a derived datagrid class that will select the row when a user clicks anywhere on a cell (multi-select without modifier keys). I got that working fine, but I also wanted to keep rows selected after a sort, which I do by storing the row's id in an arraylist. The idea was to do the sort and then go back and re-select the rows with that...
C# / C Sharp
2
1718
Deleting a row in a datagrid
by: NDady via DotNetMonster.com | last post by:
Hi, I have a datagrid populated from a dataset. On every row in the grid I have a delete button. When the user presses on the delete button I remove the row from the dataset and rebind the datagrid. The problem is that after a couple of delete the index in the dataset does not match the index in the grid and the wrong record i deleted from the dataset. How can I solve this Problem? I am using the following procedure: Private Sub...
ASP.NET
2
14693
Adding a copy of a row in a DataGridView
by: michael sorens | last post by:
I tried to do a simple operation on a Windows Form in VS2005 inside a key_down handler: if (e.Control && e.Shift && e.KeyCode == Keys.V) { int selectedRowIndex = dataGridView.SelectedCells.RowIndex; dataGridView.Rows.AddCopy(selectedRowIndex); } So when the user presses Ctrl-Shft-V, a copy of the first row of a user's
C# / C Sharp
6
2290
Dynamic Page Title - Supposed to Pull from row in DB
by: RoomfulExpress | last post by:
Here's the problem that I'm having- I'm trying to pull in 2 fields from my database and place them in the title of the HTML. I'm connecting to the db and selecting everything exactly the same as I am doing below, and it works fine. For some reason it's not pulling in the fields. Any ideas? Here's the link to the actual page I'm working on. http://www.roomfulexpress.com/newsite/php/familyprofile.php?FAMILY_CD=558167959 Please see below...
PHP
6
2853
DataGridView new row
by: Miro | last post by:
Sorry for the cross post. I am stuck. I have a datagridview for poker rounds. Basically there are 3 columns in this datagridview. "Round" "SmallBlind" "BigBlind" I have an issue when I tab through the new row being added. It does not 'Add' that row, nor setup the 'next blank add row' so I can continue to tab
.NET Framework
4
6013
How to select a gridview row
by: btreddy | last post by:
Hii experts, I've been trying for this but i didn succeeded.The problem is I've a datagird which is having 2 cols displaying name and emial id .wht i want is when i select a paricular row from the gridview i want to capture the emial id value of tht paricular row. I've added this code in the even onrowdatatbound. protected void GridViewParticipants_OnRowDataBound(object sender, GridViewRowEventArgs e) / . . if (e.Row.RowType ==...
Javascript
0
9563
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
General
0
9386
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
Windows Server
0
10144
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
C / C++
0
9997
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
Online Marketing
1
9937
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
Windows Server
0
8821
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
Career Advice
1
7366
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
Microsoft Access / VBA
0
6642
Couldn’t get equations in html when convert word .docx file to html file in C#.
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
C# / C Sharp
3
3522
muto222
How to add payments to a PHP MySQL app.
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
PHP

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us