we have SAP Business One - Fourth Shift Edition running here at a small manufacturing company. The consulting company that has come in to do the installation/implementation uses the "sa" id/pass to initially connect to the database to get the list of companies. From then on, I have to assume that its the sa id/pass that is being used to connect the client software to the database. Is this appropriate? I dont know where this data is being stored... as an ODBC connection? directly in the registry somewhere? Is it secure? Would it be better to set the users network ID in the database security and then use the "trusted connection" setting instead? Or do most people create a separate login in the database for each user and use that in the client settings?
我们在一家小型制造公司运营SAP Business One - Fourth Shift Edition。进入安装/实施的咨询公司使用“sa”id / pass初始连接到数据库以获取公司列表。从那时起,我必须假设它的sa id / pass用于将客户端软件连接到数据库。这个合适吗?我不知道这些数据存储在哪里...作为ODBC连接?直接在注册表的某个地方?它安全吗?是否最好在数据库安全性中设置用户网络ID,然后使用“可信连接”设置?或者大多数人在数据库中为每个用户创建单独的登录并在客户端设置中使用它?
seems like the easiest way would be to add the users network login to the sql server security so they can use the "trusted connection"... but then wouldn't that allow ANY software to connect to the database from that machine?
似乎最简单的方法是将用户网络登录添加到sql server安全性,以便他们可以使用“可信连接”...但是,那么不允许任何软件从该计算机连接到数据库?
So anyways: what are the best-practices for setting this up?
所以无论如何:设置这个的最佳做法是什么?
4 个解决方案
#1
1
That sa usage sounds like a recipe for disaster.
这种用法听起来像是灾难的秘诀。
In most security models I have seen, regardless of how you connect, the first lookup SPs, views or tables are read-accessible to all authenticated users. Even if the application has a dedicated logon, it's not sa.
在我看到的大多数安全模型中,无论您如何连接,所有经过身份验证的用户都可以读取第一个查找SP,视图或表。即使应用程序有专门的登录,它也不是sa。
Without knowing more about SAPs limitations, I can't be sure, but we always tend to use Windows Authentication and Windows Active Directory Groups. Those groups are allowed in SQL Server roles. So all administration is done at the AD level. The DB is locked down according to those roles - even if an application has a SQL Server login or a domain login, it's going to be in one of the database roles we've created, named and granted rights appropriately.
在不了解SAPs限制的情况下,我无法确定,但我们总是倾向于使用Windows身份验证和Windows Active Directory组。这些组在SQL Server角色中是允许的。因此,所有管理都在AD级别完成。根据这些角色锁定数据库 - 即使应用程序具有SQL Server登录名或域登录名,它也将位于我们创建的数据库角色之一,适当地命名和授予权限。
#2
0
That is very wrong, the sa account should not be used for general use.
这是非常错误的,sa帐户不应该用于一般用途。
A separate ('application' specific) user account should be used so that:
应使用单独的(特定于“应用程序”)用户帐户,以便:
- Security can be applied on a per user (application) level
- If anything goes wrong with the application (e.g. it locks the user account), just that one account is effected and it is easy to diagnose issues
可以在每个用户(应用程序)级别应用安全性
如果应用程序出现任何问题(例如,它锁定了用户帐户),那么只有一个帐户受到影响并且很容易诊断问题
I also agree with Cade Roux's comments.
我也同意Cade Roux的评论。
#3
0
Cade... I dont believe you're able to give roles to "applications" in windows...
Cade ......我不相信你能够在windows中为“应用程序”赋予角色......
By that I think he means you assign roles to a user, then make the application use that user account.
我认为他意味着你将角色分配给用户,然后让应用程序使用该用户帐户。
So what you're saying is, if I had a userId of "MYDOMAIN/nick"... then in AD you would assign MYDOMAIN/nick to a group with other people that use this same app, and then in SQL Server you would add that group to security and assign it a role?
所以你要说的是,如果我有一个“MYDOMAIN / nick”的userId ...那么在AD中你会将MYDOMAIN / nick分配给一个与其他人使用同一个应用程序的组,然后在SQL Server中你会将该组添加到安全性并为其分配角色?
Correct.
my concern is that if I sign into my machine with MYDOMAIN/nick... that activates my entire machine as "trusted" to sql server (through windows authenticatino)... so that means I could fire up Visual Studio and start building any app I want and potentially connect directly to the database and do whatever I'd like to it... which also means any other application I can download/install would potentially have access to that database... correct?
我担心的是,如果我使用MYDOMAIN / nick登录我的机器...将我的整个机器激活为“信任”到sql server(通过windows authenticatino)...这意味着我可以启动Visual Studio并开始构建任何应用程序我想要并可能直接连接到数据库并做我想做的任何事情...这也意味着我可以下载/安装的任何其他应用程序可能有权访问该数据库...正确吗?
Yes that is correct. Because you (MYDOMAIN/nick) are being trusted. SQL Server does not know what you are running on your PC.
对,那是正确的。因为你(MYDOMAIN / nick)受到信任。 SQL Server不知道您在PC上运行的是什么。
However going back to your original question, the program that you are talking about should not connect at MYDOMAIN/nick, it should connect with the username MYDOMAIN/mycustomprogram. This is a user account just for this program. You could run the program from your PC, but in that case it will still use the username MYDOMAIN/mycustomprogram, not MYDOMAIN/nick.
但是回到你原来的问题,你正在谈论的程序不应该在MYDOMAIN / nick连接,它应该用用户名MYDOMAIN / mycustomprogram连接。这是此程序的用户帐户。您可以从PC运行该程序,但在这种情况下,它仍将使用用户名MYDOMAIN / mycustomprogram,而不是MYDOMAIN / nick。
You could then have a second program on your PC, which should then use a second username for authentication to the SQL server, e.g. MYDOMAIN/mycustomprogram2
然后,您可以在PC上安装第二个程序,然后使用第二个用户名对SQL服务器进行身份验证,例如: MYDOMAIN / mycustomprogram2
So on the same PC you would then have:
所以在同一台PC上你会有:
- MYDOMAIN/nick (AD)
- MYDOMAIN/mycustomprogram (SQL or AD user)
- MYDOMAIN/mycustomprogram2 (SQL or AD user)
MYDOMAIN / mycustomprogram(SQL或AD用户)
MYDOMAIN / mycustomprogram2(SQL或AD用户)
Using these custom usernames at an application level overrides the AD authentication.
在应用程序级别使用这些自定义用户名会覆盖AD身份验证。
It also means that if you have an issue with one of the 2 programs, or the program locks a user account, etc. it is easy to diagnose.
这也意味着如果您遇到2个程序之一的问题,或者程序锁定用户帐户等,则很容易诊断。
I learned that SAP client encrypts its connection info and stores it in the registry.
我了解到SAP客户端会加密其连接信息并将其存储在注册表中。
Which part of the connection are you talking about? I am not aware of anything being stored in this way.
您在谈论哪个部分的连接?我不知道有什么东西以这种方式存储。
Does this answer your questions?
这回答了你的问题吗?
Please vote up helpful answers ;-)
请投票给有用的答案;-)
#4
0
I think it really depends on the level of security you're willing to offer/maintain. In SAP Business One, creating a new login needs to add certain privileges like giving db_creator permission to the database and the SBO-Common, or access to read/write tables and specific access to stored procedures, which is kind of a hassle.
我认为这实际上取决于您愿意提供/维护的安全级别。在SAP Business One中,创建新登录需要添加某些特权,例如向数据库和SBO-Common提供db_creator权限,或者访问读/写表以及对存储过程的特定访问,这是一种麻烦。
Anyway, it is really a bad practice to keep the sa login for the users, but you can create other users and just change the login user when you start the application. There's and installation guide in the software CD where you can see that information with a step-by-step guide to do that. If you don't have it, ask your partner!
无论如何,为用户保留sa登录确实是一种不好的做法,但是您可以创建其他用户,并在启动应用程序时更改登录用户。软件CD中有安装指南,您可以通过分步指南查看该信息。如果你没有,请问你的伴侣!
#1
1
That sa usage sounds like a recipe for disaster.
这种用法听起来像是灾难的秘诀。
In most security models I have seen, regardless of how you connect, the first lookup SPs, views or tables are read-accessible to all authenticated users. Even if the application has a dedicated logon, it's not sa.
在我看到的大多数安全模型中,无论您如何连接,所有经过身份验证的用户都可以读取第一个查找SP,视图或表。即使应用程序有专门的登录,它也不是sa。
Without knowing more about SAPs limitations, I can't be sure, but we always tend to use Windows Authentication and Windows Active Directory Groups. Those groups are allowed in SQL Server roles. So all administration is done at the AD level. The DB is locked down according to those roles - even if an application has a SQL Server login or a domain login, it's going to be in one of the database roles we've created, named and granted rights appropriately.
在不了解SAPs限制的情况下,我无法确定,但我们总是倾向于使用Windows身份验证和Windows Active Directory组。这些组在SQL Server角色中是允许的。因此,所有管理都在AD级别完成。根据这些角色锁定数据库 - 即使应用程序具有SQL Server登录名或域登录名,它也将位于我们创建的数据库角色之一,适当地命名和授予权限。
#2
0
That is very wrong, the sa account should not be used for general use.
这是非常错误的,sa帐户不应该用于一般用途。
A separate ('application' specific) user account should be used so that:
应使用单独的(特定于“应用程序”)用户帐户,以便:
- Security can be applied on a per user (application) level
- If anything goes wrong with the application (e.g. it locks the user account), just that one account is effected and it is easy to diagnose issues
可以在每个用户(应用程序)级别应用安全性
如果应用程序出现任何问题(例如,它锁定了用户帐户),那么只有一个帐户受到影响并且很容易诊断问题
I also agree with Cade Roux's comments.
我也同意Cade Roux的评论。
#3
0
Cade... I dont believe you're able to give roles to "applications" in windows...
Cade ......我不相信你能够在windows中为“应用程序”赋予角色......
By that I think he means you assign roles to a user, then make the application use that user account.
我认为他意味着你将角色分配给用户,然后让应用程序使用该用户帐户。
So what you're saying is, if I had a userId of "MYDOMAIN/nick"... then in AD you would assign MYDOMAIN/nick to a group with other people that use this same app, and then in SQL Server you would add that group to security and assign it a role?
所以你要说的是,如果我有一个“MYDOMAIN / nick”的userId ...那么在AD中你会将MYDOMAIN / nick分配给一个与其他人使用同一个应用程序的组,然后在SQL Server中你会将该组添加到安全性并为其分配角色?
Correct.
my concern is that if I sign into my machine with MYDOMAIN/nick... that activates my entire machine as "trusted" to sql server (through windows authenticatino)... so that means I could fire up Visual Studio and start building any app I want and potentially connect directly to the database and do whatever I'd like to it... which also means any other application I can download/install would potentially have access to that database... correct?
我担心的是,如果我使用MYDOMAIN / nick登录我的机器...将我的整个机器激活为“信任”到sql server(通过windows authenticatino)...这意味着我可以启动Visual Studio并开始构建任何应用程序我想要并可能直接连接到数据库并做我想做的任何事情...这也意味着我可以下载/安装的任何其他应用程序可能有权访问该数据库...正确吗?
Yes that is correct. Because you (MYDOMAIN/nick) are being trusted. SQL Server does not know what you are running on your PC.
对,那是正确的。因为你(MYDOMAIN / nick)受到信任。 SQL Server不知道您在PC上运行的是什么。
However going back to your original question, the program that you are talking about should not connect at MYDOMAIN/nick, it should connect with the username MYDOMAIN/mycustomprogram. This is a user account just for this program. You could run the program from your PC, but in that case it will still use the username MYDOMAIN/mycustomprogram, not MYDOMAIN/nick.
但是回到你原来的问题,你正在谈论的程序不应该在MYDOMAIN / nick连接,它应该用用户名MYDOMAIN / mycustomprogram连接。这是此程序的用户帐户。您可以从PC运行该程序,但在这种情况下,它仍将使用用户名MYDOMAIN / mycustomprogram,而不是MYDOMAIN / nick。
You could then have a second program on your PC, which should then use a second username for authentication to the SQL server, e.g. MYDOMAIN/mycustomprogram2
然后,您可以在PC上安装第二个程序,然后使用第二个用户名对SQL服务器进行身份验证,例如: MYDOMAIN / mycustomprogram2
So on the same PC you would then have:
所以在同一台PC上你会有:
- MYDOMAIN/nick (AD)
- MYDOMAIN/mycustomprogram (SQL or AD user)
- MYDOMAIN/mycustomprogram2 (SQL or AD user)
MYDOMAIN / mycustomprogram(SQL或AD用户)
MYDOMAIN / mycustomprogram2(SQL或AD用户)
Using these custom usernames at an application level overrides the AD authentication.
在应用程序级别使用这些自定义用户名会覆盖AD身份验证。
It also means that if you have an issue with one of the 2 programs, or the program locks a user account, etc. it is easy to diagnose.
这也意味着如果您遇到2个程序之一的问题,或者程序锁定用户帐户等,则很容易诊断。
I learned that SAP client encrypts its connection info and stores it in the registry.
我了解到SAP客户端会加密其连接信息并将其存储在注册表中。
Which part of the connection are you talking about? I am not aware of anything being stored in this way.
您在谈论哪个部分的连接?我不知道有什么东西以这种方式存储。
Does this answer your questions?
这回答了你的问题吗?
Please vote up helpful answers ;-)
请投票给有用的答案;-)
#4
0
I think it really depends on the level of security you're willing to offer/maintain. In SAP Business One, creating a new login needs to add certain privileges like giving db_creator permission to the database and the SBO-Common, or access to read/write tables and specific access to stored procedures, which is kind of a hassle.
我认为这实际上取决于您愿意提供/维护的安全级别。在SAP Business One中,创建新登录需要添加某些特权,例如向数据库和SBO-Common提供db_creator权限,或者访问读/写表以及对存储过程的特定访问,这是一种麻烦。
Anyway, it is really a bad practice to keep the sa login for the users, but you can create other users and just change the login user when you start the application. There's and installation guide in the software CD where you can see that information with a step-by-step guide to do that. If you don't have it, ask your partner!
无论如何,为用户保留sa登录确实是一种不好的做法,但是您可以创建其他用户,并在启动应用程序时更改登录用户。软件CD中有安装指南,您可以通过分步指南查看该信息。如果你没有,请问你的伴侣!