Oracle FAQ: Usenet, c.d.o.misc
Re: Application vs database users

kochel_verz_at_yahoo.com wrote:
> Hi.
> Please give some opinion on this:
> Which is the best approach for managing users in a typical three-tier
> web application, using jdbc:
>
> A) The database has one or two users with the proper grants and
> privileges to manage data (e.g. read_user for selects and admin_user for
> inserts, deletes and updates). In addition, there is a table with all
> valid application users. The third tier will connect to the database as
> one of the users, depending on the system login user, via jdbc. When
> someone new registers on the site, a new row is added to the users
> table.
>
> B) Database users are also application users. So, when someone new
> registers on the site, a new database user is created with the proper
> privileges. No need for users table because application user equals
> database user.
>
>
> I know A and B have different security approaches, but apart from
> that, what are the benefits/drawbacks of each implementation?
> When is one better than the other?
>
> Thanks a lot, and sorry for my English.

The method chosen is wholly dependent upon what the security needs of the organization and the application are.
My experience with security written by front-end developers is that they are remarkably ignorant. So I would always err on the side of protecting the data which means each and every user has a user-id and password that uniquely identifies them.
I would only deviate from this when circumstances so dictate.
--
Daniel A. Morgan
http://www.psoug.org
damorgan_at_x.washington.edu
(replace x with u to respond)

Received on Mon May 30 2005 - 07:06:21 CDT
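
The two setups from the question, sketched in Oracle SQL as an added example (not code from either poster), to show what the database itself can enforce and attribute in each case. The schema `app_owner`, the tables `orders` and `app_users`, the role `app_user_role`, the account `alice` and all passwords are assumed placeholders.

```sql
-- Approach A: fixed service accounts plus an application users table.
-- Assumed names: schema app_owner, tables orders and app_users.
CREATE USER read_user  IDENTIFIED BY "placeholder_pw_1";
CREATE USER admin_user IDENTIFIED BY "placeholder_pw_2";
GRANT CREATE SESSION TO read_user, admin_user;

GRANT SELECT                 ON app_owner.orders TO read_user;
GRANT INSERT, UPDATE, DELETE ON app_owner.orders TO admin_user;

CREATE TABLE app_owner.app_users (
  username      VARCHAR2(64)  PRIMARY KEY,
  password_hash VARCHAR2(256) NOT NULL,  -- salted hash from the middle tier, never the clear password
  created_at    TIMESTAMP DEFAULT SYSTIMESTAMP NOT NULL
);
GRANT SELECT ON app_owner.app_users TO read_user;
GRANT INSERT ON app_owner.app_users TO admin_user;

-- Registration is plain DML with bind variables, so admin_user needs no DDL rights.
INSERT INTO app_owner.app_users (username, password_hash)
VALUES (:username, :password_hash);

-- Every application user reaches the database as the same account,
-- so this returns ADMIN_USER (or READ_USER) no matter who is logged in to the site.
-- Per-person access control and attribution exist only in middle-tier code.
SELECT USER FROM dual;

-- Approach B: one database account per application user.
-- Privileges are granted once to a role (assumed name app_user_role).
CREATE ROLE app_user_role;
GRANT CREATE SESSION TO app_user_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.orders TO app_user_role;

-- Registration becomes DDL, run by a provisioning account that holds
-- CREATE USER and app_user_role WITH ADMIN OPTION.
-- DDL cannot take bind variables, so the middle tier must validate the
-- requested name against a strict pattern before building the statement.
CREATE USER alice IDENTIFIED BY "placeholder_pw_3" PASSWORD EXPIRE;
GRANT app_user_role TO alice;

-- Here the session user is the real person, so grants, auditing and
-- account locking are enforced by the database rather than by the application.
SELECT USER FROM dual;           -- ALICE when alice is connected
ALTER USER alice ACCOUNT LOCK;   -- disable one person without touching the others
```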