Difference between revisions of "EMO:Securing Database Access"

From EMO Wiki
(Created page with "{{#hidens:}} ''EMarketOffer's database'' access parameter handling provides your system administrator with several options for configuring the program to conform with in-house...")
 
Line 8: Line 8:
  
 
John Doe must be established as a valid user of the MarketDB database and have read access to any table referenced by any ''EMarketOffer'' queries using the Connection String.  The Connection String is stored as an .xml file in the '''''Connection data folder'''''.  This file is plain text and the database access details can easily be extracted, posing a potential security risk where ''EMarketOffer'' workstations are located in unsecured areas.
 
John Doe must be established as a valid user of the MarketDB database and have read access to any table referenced by any ''EMarketOffer'' queries using the Connection String.  The Connection String is stored as an .xml file in the '''''Connection data folder'''''.  This file is plain text and the database access details can easily be extracted, posing a potential security risk where ''EMarketOffer'' workstations are located in unsecured areas.
 +
 +
===Prompted Access Details===
 +
To reduce the security risk, access details can be prompted on program launch and embedded into the Connection String.  This is achieved by replacing the plain text access details with embedded variable references, as in the following example:
 +
 +
:Provider=SQLOLEDB;Data Source=MarketServer1;Initial Catalog=MarketDB;User ID=$UserName$;Password=$Password$
 +
[[File:Access Details.PNG|300px|thumb|right|Figure 1: Database Access Parameters Dialogue]]
 +
On launching and finding the variable references ''EMarketOffer'' opens the following Access Parameters Dialogue (this can also be invoked using the '''Test Button''' in the Data Connection Window):
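Review bot: The new "Prompted Access Details" paragraph says the prompted values are "embedded into the Connection String" but does not say whether the resolved string is only held in memory for the session or written back to the .xml file in the Connection data folder. The preceding paragraph names that plain-text file as the risk, so the section should state explicitly that the stored file keeps the $UserName$ and $Password$ references. It should also say whether a string may mix one variable reference with one literal value.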

Revision as of 14:23, 17 December 2012

EMarketOffer's database access parameter handling provides your system administrator with several options for configuring the program to conform with in-house IT security policies.

Embedded Access Details

The simplest option is to embed a valid username and password directly into the Connection String. The following example shows a Connection String constructed to allow John Doe access to the 'MarketDB' database hosted on a Microsoft SQL Server:

Provider=SQLOLEDB;Data Source=MarketServer1;Initial Catalog=MarketDB;User ID=JohnDoe;Password=JDPassword

John Doe must be established as a valid user of the MarketDB database and have read access to any table referenced by any EMarketOffer queries using the Connection String. The Connection String is stored as an .xml file in the Connection data folder. This file is plain text and the database access details can easily be extracted, posing a potential security risk where EMarketOffer workstations are located in unsecured areas.

Prompted Access Details

To reduce the security risk, access details can be prompted on program launch and embedded into the Connection String. This is achieved by replacing the plain text access details with embedded variable references, as in the following example:

Provider=SQLOLEDB;Data Source=MarketServer1;Initial Catalog=MarketDB;User ID=$UserName$;Password=$Password$
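
An administrator can check which of the two forms a stored Connection String uses before a workstation is deployed. The following is an added example, not part of EMarketOffer: it classifies a string as embedded, prompted or mixed, and reports only field names, never values. The function names, the status labels and the acceptance of the short OLE DB aliases UID/PWD are assumptions of this example.

```python
import re

# A value that is entirely $Name$ is a variable reference (the page's $UserName$, $Password$).
VAR_REF = re.compile(r"\$[A-Za-z_]\w*\$")
# Credential keywords shown on the page, plus the short OLE DB aliases UID/PWD (assumption).
CRED_KEYS = {"user id": "User ID", "uid": "User ID",
             "password": "Password", "pwd": "Password"}

def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys.
    Assumes values contain no quoted semicolons."""
    fields = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def audit(conn):
    """Return (status, literal_fields); literal_fields names the plain-text credentials."""
    fields = parse_connection_string(conn)
    literal, prompted = set(), set()
    for key, label in CRED_KEYS.items():
        value = fields.get(key)
        if not value:
            continue
        (prompted if VAR_REF.fullmatch(value) else literal).add(label)
    if literal and prompted:
        status = "MIXED"        # one field prompted, another still in plain text
    elif literal:
        status = "EMBEDDED"     # credentials readable from the stored file
    elif prompted:
        status = "PROMPTED"     # only variable references are stored
    else:
        status = "NO_CREDENTIALS"
    return status, sorted(literal)

# The first two strings are the page's examples; the third is constructed for the mixed case.
SAMPLES = [
    "Provider=SQLOLEDB;Data Source=MarketServer1;Initial Catalog=MarketDB;User ID=JohnDoe;Password=JDPassword",
    "Provider=SQLOLEDB;Data Source=MarketServer1;Initial Catalog=MarketDB;User ID=$UserName$;Password=$Password$",
    "Provider=SQLOLEDB;Data Source=MarketServer1;Initial Catalog=MarketDB;User ID=$UserName$;Password=JDPassword",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit(sample))
```

A result of EMBEDDED or MIXED means the stored file still exposes at least one credential in plain text.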
Figure 1: Database Access Parameters Dialogue

On launch, when EMarketOffer finds the variable references, it opens the following Access Parameters Dialogue (this can also be invoked using the Test Button in the Data Connection Window):