473,387 Members | 1,529 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > microsoft sql server > questions > application roles for cross-database joins

Join Bytes to post your question to a community of 473,387 software developers and data experts.

Application Roles for Cross-Database Joins

I have an application that segregates data into two different
databases. Database A has stored procs that perform joins between
tables in database A and database B. I am thinking that I have reached
the limits of Application Roles, but correct me if I am wrong.
My application creates a connection to database A as 'testuser' with
read only access, then executes sp_setapprole to gain read write
permissions. Even then the only way 'testuser' can get data out of the
databases is via stored procs or views, no access to tables directly.
Anyone know of a solution? Here is the error I get:

Server: Msg 916, Level 14, State 1, Procedure pr_GetLocationInfo, Line
38
Server user 'testuser' is not a valid user in database 'DatabaseB'

The system user is in fact in database A and B.

thanks

Jason Schaitel

Aug 25 '05 #1
4 5739
Jason_Schaitel (ja************@hotmail.com) writes:
I have an application that segregates data into two different
databases. Database A has stored procs that perform joins between
tables in database A and database B. I am thinking that I have reached
the limits of Application Roles, but correct me if I am wrong.
My application creates a connection to database A as 'testuser' with
read only access, then executes sp_setapprole to gain read write
permissions. Even then the only way 'testuser' can get data out of the
databases is via stored procs or views, no access to tables directly.
Anyone know of a solution? Here is the error I get:

Server: Msg 916, Level 14, State 1, Procedure pr_GetLocationInfo, Line
38
Server user 'testuser' is not a valid user in database 'DatabaseB'

The system user is in fact in database A and B.


Books Online says:

When an application role is activated, the permissions usually
associated with the user's connection that activated the application
role are ignored. The user's connection gains the permissions
associated with the application role for the database in which the
application role is defined. The user's connection can gain access to
another database only through permissions granted to the guest user
account in that database. Therefore, if the guest user account does not
exist in a database, the connection cannot gain access to that
database.

That is, once you have set the application role in A, you are someone
else, and your access outside A is limited.

The one way I can think of to sort this out - beside uniting the databases
into one - is to enable the server configuration parameter "Cross DB
Ownership Chaining". This option was added in SP3 is off by default.
If there no other databases from other applications on the server,
there is no problem to enable this option. However, on consolidated
server that hosts databases for unrelated applications, this is not
recommendable.

For cross DB chaining to work, the databases must also have the same
owner.

--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se

Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techinf...2000/books.asp

Aug 25 '05 #2
>
The one way I can think of to sort this out - beside uniting the databases
into one - is to enable the server configuration parameter "Cross DB
Ownership Chaining". This option was added in SP3 is off by default.
If there no other databases from other applications on the server,
there is no problem to enable this option. However, on consolidated
server that hosts databases for unrelated applications, this is not
recommendable.

Jason could instead enable the 'db chaining' database option for only those
databases needed by the application rather than turning the cross-database
chaining server-wide.
For cross DB chaining to work, the databases must also have the same
owner.
This is true, assuming the objects are owned by 'dbo', because database
ownership determines the dbo user mapping. In the case of non-dbo-owned
objects, the object owners in the different databases need to map to the
same login in order to maintain an unbroken ownership chain.
The user's connection can gain access to
another database only through permissions granted to the guest user
account in that database. Therefore, if the guest user account does not
exist in a database, the connection cannot gain access to that
database.


To expand on this BOL excerpt, it's necessary to enable the guest user in
the non-application role databases so that users have a security context
after the application role is enabled. However, no permissions need to be
granted to guest or public in Jason's situation because access is done only
through views and procs from application role database.

--
Hope this helps.

Dan Guzman
SQL Server MVP
Aug 26 '05 #3
I have tried to look in BOL and Google Groups for the how to enable the
cross database ownership chaining option at the database level and not
having much luck. Can you point me to it?

thanks

Jason

Aug 30 '05 #4
Jason_Schaitel (ja************@hotmail.com) writes:
I have tried to look in BOL and Google Groups for the how to enable the
cross database ownership chaining option at the database level and not
having much luck. Can you point me to it?


exec sp_dboption yourdb, 'db chaining', true

This option is not in the original Books Online, as it was added in SP3.
But it is in the updated Books Online, see link below.

--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se

Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techinf...2000/books.asp

Aug 30 '05 #5
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
Application roles
by: Prashant Thakwani | last post by:
Can anybody tell, how to implement the application roles in SQL Server 2000. Basically, I want to Implement the application roles in our application, so that it can be application specific. Its'...
Microsoft SQL Server
4
Server Error in '/' Application. -> web.config
by: tommy | last post by:
hello everbody, i write a little asp-application with forms-authentication. i copy my aspx-files with web.config to my webspace and i get the error above... i tried to set the...
ASP.NET
3
Server Error in '/' Application.
by: Sean | last post by:
HI There, I am having trouble deploying my .aspx pages to a remote server, I have made changes to the config file and it still returns an error. I have also contacted the server administrator to...
ASP.NET
7
web application security
by: Stephen | last post by:
I have my intranet setup on our web server. It contains multiple applications, but none are set up in the default application pools. In other words, I create a webform and plop it into a...
ASP.NET
5
SQL Server Application Roles
by: Jonathan Allen | last post by:
Is this the correct way to use application roles? Public Function GetDBConnection() As SqlConnection Dim oCon As New SqlConnection(myConnectionString) oCon.Open() Using oCmd As SqlCommand =...
C# / C Sharp
5
application roles
by: bill | last post by:
I am looking for examples and assistance in configuring application roles using SQL Server 2000 and VB.NET, both web forms and windows forms. Are there any suggestions? Thanks Bill
Visual Basic .NET
1
Implementing SSO for Smart Client Application which uses Web Servi
by: Rasheed | last post by:
We are building a smart client application (.NET 2.0) which uses Web Services to access the business objects. Services: The Web Services have been secured by brokered authentication using X509...
.NET Framework
0
ASP.NET 2.0 Authorization based on Combination of Allow/Deny Users/Roles.
by: Douglas J. Badin | last post by:
Hi, The problem with Authorization is it stops at the first match and doesn't permit Grouping. On the Web Site, I am trying to Secure Page Access and SiteNaviagation by implementing the...
ASP.NET
0
MenuitemDataBound With roles
by: sidhuasp | last post by:
Hi everyone I am using a mainmenu witeh sitemap provider with folowing sitemap <siteMapNode> <siteMapNode url="" title="Master Data" description="Enter Master data" roles ="Admin,PM"> ...
.NET Framework
2
Application Roles and SQL Server 2005 - DDL?
by: JimL | last post by:
Hello group, We have recently come up with a problem where SQLServer 2005 differs from 2000. We have an application role, which needs to run DDL to alter tables etc. The documentation for...
Microsoft SQL Server
0
Easy Steps to Fix "Canon Printer Won't Connect to WiFi Network"
by: taylorcarr | last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
General
0
Basic Javascript concepts
by: aa123db | last post by:
Variable and constants Use var or let for variables and const fror constants. Var foo ='bar'; Let foo ='bar';const baz ='bar'; Functions function $name$ ($parameters$) { } ...
Javascript
0
Merging data from multiple Excel files
by: ryjfgjl | last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
Data Management
0
Migrating Website to Cloud - Emmanuel Katto
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
General
0
BarryA
Navigating the Data Structures and Algorithms (DSA)
by: BarryA | last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
Algorithms / Advanced Math
1
Looking to do Android software development, any suggestions? Is flutter better?
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
General
0
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server
0
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...
C / C++
0
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
Online Marketing

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!