I'm wondering about the best approach to implementing auth. rules in a Client-Server app using Business Objects.

I've noticed a common tactic is:
- on the DB side: implement one role for the application, used for all the app's users
- define user rights and roles and assign users to the proper group
- Client side: add to the Business Object's getters/setters a rights checker allowing write / display of data for a particular user

My concern is whether this is really a good approach from a security perspective.
It looks like the DB sends all information to the Client, and then the client's logic decides what to display or not.
So, potentially an advanced user can make a query from their box and see/change anything. Isn't it?

A: 

If the DB is sending all information to the client, including information that some users should not see, then you have a security problem. You should only return the amount of data which a user is authorized to see.

Design of the authorization is tightly linked to your application and database design. If you need very granular (perhaps per-user) permissions then you need to be able to specify this fairly deep in your design to ensure it is secure. If you only have simple rules to implement then you can work at a higher level and perhaps block access to certain objects or tables.

BrianLy
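As an added example (not code from the question or the answer), the two patterns side by side: a data layer that returns everything and trusts the client's getters to hide fields, versus one that scopes the query to the caller's permissions so unauthorized rows and columns never leave the server. The `employee` table, the `hr` and `manager:<dept>` roles and the sample rows are constructed assumptions.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample data: employee records with a sensitive salary column.
EMPLOYEES = [
    (1, "alice", "eng", 120000),
    (2, "bob", "eng", 95000),
    (3, "carol", "sales", 80000),
]

@dataclass(frozen=True)
class Principal:
    """The authenticated user as the server knows them (assumed role scheme)."""
    user: str
    roles: frozenset  # e.g. {"hr"} or {"manager:eng"}; plain users have no roles

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employee (id INTEGER, name TEXT, dept TEXT, salary INTEGER)")
    db.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", EMPLOYEES)
    return db

def fetch_all_for_client(db):
    """Pattern from the question: one app-wide DB role returns every row and column,
    and only the client's business-object getters decide what to show."""
    return db.execute("SELECT id, name, dept, salary FROM employee").fetchall()

def fetch_for_principal(db, p):
    """Pattern from the answer: the query itself is limited to what the caller
    is authorized to see, so filtering cannot be bypassed by a hand-written query."""
    cols = "id, name, dept, salary"
    if "hr" in p.roles:                       # HR may see everyone, salary included
        return db.execute(f"SELECT {cols} FROM employee").fetchall()
    managed = [r.split(":", 1)[1] for r in p.roles if r.startswith("manager:")]
    if managed:                               # managers: rows of their departments only
        marks = ",".join("?" * len(managed))  # only '?' placeholders are interpolated
        return db.execute(
            f"SELECT {cols} FROM employee WHERE dept IN ({marks})", managed
        ).fetchall()
    # Ordinary users: only their own row, and the salary column is never sent.
    return db.execute(
        "SELECT id, name, dept, NULL FROM employee WHERE name = ?", (p.user,)
    ).fetchall()
```

The first function lets anyone who can reach the database with the shared application role read every salary; the second keeps the decision on the server where the client cannot alter it.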