James (jb****@aeci.org) writes:
If I had access to client code, I'd probably use an application role.
But, I do not.
The application gives each user read/write access to all tables
regardless of application security.
I was thinking of checking at login time whether the accessed the
database from the application or not.
This may be a case of just poor choice of words from your side, but permit
be to point out that the application cannot really give access to the
tables, unless it is logging in with a user that has such privileges.
But maybe you mean that the application requires the user to have
read/write access to the tables, because it is not using stored procedures?
In such case it may be a difficult task to handle. To prevent updates
you could add triggers on the tables that checks app_name() and rolls
back if the application is not the right one.
--
Erland Sommarskog, SQL Server MVP,
es****@sommarskog.se
Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techinf...2000/books.asp