Is it possible to prevent underprivileged users from accessing Settings even if they are in Read-Only mode?
No, there isn't the security setting to achieve that.
All users who have access to the project have access to view the permissions and settings. As there is no conceivable security risk from this, as they can't change anything. It is available to all.
You can set the permissions based on your requirements to restrict them to certain accesses. See permissions-access for details.
If you want to have that feature you can submit a user voice on http://visualstudio.uservoice.com
Related
How to permission a document that can be modified by client but not deleted ?
Does RavenDB have notion of document permission for admin & non-admin users like in other Relational Databases ?
I have a set of documents which will be created only from the RavenDB Dashboard. I want to prevent these handful of documents to be deleted by the client.
Although client should be able to "modify" them, by "modify" I mean append only.
I am assuming we are talking about 4.x version of RavenDB.
On short, no, it is not possible with out of the box functionality.
Authentication and authorization in RavenDB is based on certificates, and functionality-wise is different from what you would typically find in major RDBMS databases.
You can assign roles per client certificate, and those roles would have pre-defined set of operations they can access. You can also restrict which databases certain certificate can access.
But you cannot restrict certain client certificates from deleting a document while allowing to do other operations.
Take a look at the documentation article for more information : https://ravendb.net/docs/article-page/4.2/csharp/server/security/authorization/security-clearance-and-permissions
If I needed to implement such functionality, I would probably place such logic in DAL layer of the application itself.
Please help me with my case.
We have SAP HANA implemented in our company.
There were few custom roles created based on this doc provided by SAP:
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c02c2004-899d-3110-8488-b3ff8362bbf6?QuickLink=index&overridelayout=true&59180354403522.
We have few test users created with different roles assigned (like: transport executor, transport manager). What is the recommended way for testing if these roles are properly configured?
We were thinking about XSUnit, but we have no clue what checks should be performed in order to verify the priviliges.
Is this approach proper?
Checking privileges is a bit tricky.
Since the 'proof of the pudding is the eating' to properly test if your privilege setup is working as expected, you would need to
set up a user
set up your role
assign the role to the user
logon as or impersonate the user so that the role becomes the current role and therefore the current execution privilege setting
try to do whatever the role allows --> this should obviously work
try to do things that shouldn't be possible with the role --> here you should receive the right error messages
tear down everything afterwards
There is nothing build into SAP HANA for that. And depending on what kind of privileges should be tested, it might be difficult to test all of them (dropping tables, deleting DBs, shutting down the system... all that is not easy to contain in a single unit test).
So, I'd recommend to use system views EFFECTIVE_PRIVILEGES and EFFECTIVE_ROLES instead and just check for operations that are allowed once the to be tested role has been granted.
Lars
I've already created a Welcome page where a user chooses amongst 3 user types (buttons). Each button takes the user to their own login forms. After they login they are each taken to their own switchboard.
The problem is they can still see the options on the left. I "unchecked" the option in options menu, but they can just check those if they wanted to, to see them.
I want some users to be locked out from accessing those navigation options permanently because there's sensitive information in some of the tables.
Is there any way to do that?
If you want to accomplish your objective using just Access then you'll need to store the tables in an .mdb file and configure it to use user-level security. However, that approach has at least two significant disadvantages:
User-level security can be a nuisance to set up and maintain, and
That security model (encrypted .mdb files and associated .mdw "workgroup" files) is deprecated.
If you're serious about your security requirements then you'd be better off using something like Microsoft SQL Server (perhaps the Express Edition) for your back-end data store.
We have a Power User who knows the database very well and has become a great asset since we gave him access with SQL Server Management Studio. Unfortunately, we also gave him a user/pwd used by all Development which carries ability to change data.
Without going into all the wrongs behind having such a privileged db-user and giving such access an end user, is there a tool that would give the user ability to query without any ability to update/insert/drop/ or anything else?
My guess is that the user probably does not want to change the database -- for his/her protection as well as yours.
Just enable this user's login using Window to have read-only access. Or, set up another read-only user and give it to the power user. At the extreme, you may need to change the password of your super user account.
I would recommend in the mean time that you set up a development group, give the group privileges, and assign the developers to the group. They can then login through that id. Perhaps one day, you'll be able to disable your super user account. For now, you should think about ways to work around it.
I have read a lot, but still i can't find the point that i want which is the following:
If i can connect to sql via windows authentication mode, then that mean after i install my software with it's database the user can easily look and manipulate my database, and if i want to revoke any role i will be limiting my program when it's going to access the database.
Is there a way to limit the user access on the database while my program can have a full access without any problems.
The application doesn't have to login to sql using the account that it's being run from. So create a seperate user account for the application that has all the rights it needs and login using that account from the application.
Alternatively, you can just setup a seperate login using sql server authentication and then you won't need another user account.
If this isn't your application and you can't modify it to use a different account to login with, then you could run the application itself under another account. When you hold shift and right click an icon you'll see it gives you an option to do so. However, I don't know how you would set the application up to automatically run that way without the user having to know the password to type in. I think it's possible though.
Also, I think when you set the account up you can set it as a special type that users can't actually login with. So they could know the password to it to run the application, but they wouldn't be able to actually login under that account to do anything with it. This wouldn't prevent someone smart enough from gaining access, but it's a good safeguard.