Security: Data level or function level?


Lawrence Mak

Our company has a fair amount of data on our MSSQL server
and I'm planning to use either VB or Access to write some
frontend applications to access them.

However, I'm not sure whether I should establish my
security model on the data level (relying on SQL's
security and policies) or rely on a function-based model.
By that I mean I control who gets to use which function
in order to access the data. I can create another table
in SQL to store which group of users can have specific
access rights to a function.

The pros and cons I have come up with on the function-
based model so far:

Pros:
Easier to define than SQL's data level
More varied types of access rights

Cons:
WAY less secure than SQL's security model

Comments are most welcome.
 
Hi,

You probably want to rely on SQL Server.
That way you can change your front end in the future without having to
worry.
You may want to add business processes or a web front end. You don't want
to have to re-write this functionality again in your front end application.

Also, it's going to be a lot easier to change what's on SQL rather than
changing your function or the way your security table works.

And what's stopping someone from accessing SQL directly, bypassing your
program?
There would be no security at all on SQL.

--
Jules.
-------- MDBSecure 2004 - 30 Day Trial -------
Makes MS Access Databases more secure, based on SECFaq.
Imports existing tables, produces jet connection string.
http://www.mindwarp-consultancy-software.com/mdbsecure-free-trial-download.html
Or http://tinyurl.com/yupl5
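
An added illustration of the server-side approach recommended in the reply above (not part of the original thread): per-function rights enforced by SQL Server itself, so a direct connection that skips the front end is held to the same rules. All object names are hypothetical, and the syntax assumes SQL Server 2012 or later (older versions use sp_addrolemember instead of ALTER ROLE ... ADD MEMBER).

```sql
-- Added example. dbo.Orders, OrderClerks, OrderApprovers, dbo.ApproveOrder
-- and TestApprover are hypothetical names, not from the thread.
CREATE TABLE dbo.Orders (
    OrderID    int IDENTITY(1,1) PRIMARY KEY,
    CustomerID int           NOT NULL,
    Amount     decimal(10,2) NOT NULL,
    Approved   bit           NOT NULL DEFAULT 0
);
GO

-- One database role per job function.
CREATE ROLE OrderClerks;
CREATE ROLE OrderApprovers;
GO

-- Data-level rights: clerks may read and add orders, nothing else.
GRANT SELECT, INSERT ON dbo.Orders TO OrderClerks;
-- Approvers may read, but get no UPDATE on the table itself.
GRANT SELECT ON dbo.Orders TO OrderApprovers;
GO

-- "Function-level" right implemented on the server: the only way to
-- approve an order. Table and procedure share the dbo owner, so ownership
-- chaining lets the procedure update the table for callers who lack UPDATE.
CREATE PROCEDURE dbo.ApproveOrder @OrderID int
AS
BEGIN
    SET NOCOUNT ON;
    UPDATE dbo.Orders SET Approved = 1 WHERE OrderID = @OrderID;
END;
GO
GRANT EXECUTE ON dbo.ApproveOrder TO OrderApprovers;
GO

-- Check the model from the point of view of a user who bypasses the client.
CREATE USER TestApprover WITHOUT LOGIN;
ALTER ROLE OrderApprovers ADD MEMBER TestApprover;
INSERT INTO dbo.Orders (CustomerID, Amount) VALUES (1, 100.00);
GO

EXECUTE AS USER = 'TestApprover';
UPDATE dbo.Orders SET Approved = 1;   -- fails: no UPDATE permission on table
EXEC dbo.ApproveOrder @OrderID = 1;   -- succeeds: EXECUTE was granted
REVERT;
GO
```

Because the rules live in the database, a VB client, an Access client, or a later web front end all get the same enforcement without re-implementing it.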
 