Permissions for web services account


Problem description

I'm trying to secure the web services account that connects to the web app. I wanted to know what is the best practice for what permission the account should have? Should the web services have execute all or should the access be limited?

I've tried to limit the access by assigning only the stored procs and schema it needs, but that requires updating the access every time a new stored proc is added. Is this best practice or should the account just have execute all?

Recommended answer

What is exactly right for your application depends on the nature of your application.

Generally, though, an application should not connect with elevated permissions, and ideally it should have no other permissions than to run stored procedures. However, many web applications do not use stored procedures, and in that case the application login will need SELECT, INSERT, DELETE and UPDATE permissions.

As for granting permissions on stored procedures, they should only be granted on procedures intended to be called directly from the application, but as you have noted, this means that you have to grant permission for every new procedure you add. So, yes, in many cases people say

GRANT EXECUTE TO app_login

and be done with it.

A better option, in my opinion, is to grant permission on schema level:

GRANT EXECUTE ON SCHEMA::dbo TO app_login

This permits you to have special maintenance procedures in a separate schema, so that they are out of reach for the application login.
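
The schema-level grant described in the answer, as an added T-SQL example that is not part of the original post. `app_login` is the name used above; the `maint` schema and all three procedures are hypothetical, and `app_login` is assumed to be created here as a database user without a login so the script runs in an empty test database.

```sql
-- Added example for SQL Server. Run in an empty test database.
-- Hypothetical names: schema maint, procedures get_order, add_order, purge_old_orders.

-- Application principal, created without a login to keep the script self-contained.
CREATE USER app_login WITHOUT LOGIN;
GO
-- Separate schema for procedures the application must never call.
CREATE SCHEMA maint AUTHORIZATION dbo;
GO
CREATE PROCEDURE dbo.get_order @id int AS
    SELECT @id AS order_id;
GO
CREATE PROCEDURE maint.purge_old_orders AS
    SELECT 'maintenance only' AS note;
GO

-- One grant on the schema instead of one grant per procedure.
-- No permission of any kind is granted on maint.
GRANT EXECUTE ON SCHEMA::dbo TO app_login;
GO

-- A procedure added after the grant: no extra GRANT statement is issued for it.
CREATE PROCEDURE dbo.add_order @id int AS
    SELECT @id AS inserted_id;
GO

-- Check effective permissions as the application principal.
-- HAS_PERMS_BY_NAME returns 1 when the current principal holds the permission.
EXECUTE AS USER = 'app_login';
SELECT
    HAS_PERMS_BY_NAME('dbo.get_order',          'OBJECT', 'EXECUTE') AS dbo_existing_proc,
    HAS_PERMS_BY_NAME('dbo.add_order',          'OBJECT', 'EXECUTE') AS dbo_proc_added_later,
    HAS_PERMS_BY_NAME('maint.purge_old_orders', 'OBJECT', 'EXECUTE') AS maint_proc,
    HAS_PERMS_BY_NAME(DB_NAME(),                'DATABASE', 'EXECUTE') AS database_wide_execute;
REVERT;
GO

-- Audit: list every explicit grant held by the application principal.
SELECT pr.name AS principal, pe.class_desc, pe.permission_name, pe.state_desc,
       COALESCE(s.name, OBJECT_NAME(pe.major_id)) AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.schemas AS s ON pe.class_desc = 'SCHEMA' AND s.schema_id = pe.major_id
WHERE pr.name = 'app_login';
```

The audit query at the end is the check to keep in a deployment pipeline: a database-class EXECUTE row for the application principal indicates that the broader `GRANT EXECUTE TO app_login` form was used instead of the schema-scoped one.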

