Database permissions and ORMs

views:

answers:

+1 Q:

Database permissions and ORMs

I've been using .NET's Entity Framework a lot lately and have absolutely no wish to go back to using Stored Procedures. Been shocked though that the company I'm building this project for had a policy where applications were only given accounts that only had permissions to access stored procedures!

Apparently, they believe that there's a security risk involved in allowing applications to access the tables/views directly. I don't get this.

My first question is, can someone enlighten me as to what kind of security risk applications having direct access to the database may pose? AND
If that's the case, are there any other ORM solutions that can provide a workaround to this (I can't think of any logical possibility atm) that would allow me to circumvent the restrictions on the user account to be assigned to me? OR is my understanding that I'd need direct permissions for the tables and views wrong?

+1 A:

Idiotic limited thinking - unless they put the complete access logic into the daabase.,

http://weblogs.asp.net/fbouma/archive/2003/11/18/38178.aspx

has a good explanation on why security is NOT a reason. As I said - unless the complete business logic validating who sees what is in the database.... which is then not a multi tier application anymore.

TomTom 2010-05-12 06:25:19

That's what I thought of too. I could not think of a justifiable reason why my applications should not have access to the tables. And there's no such business logic validating who sees what in the database as you've said.

Jonn 2010-05-12 07:55:51

Then it makes zero sense. We can talk about it all we want for inserts / Updates, but the flexibility of pure SQL is hard to beat for queries. LINQ finally allows that to be exposed natively in the programming language. Giving this up - for nothing to gain in return - is a sign of blatant stupitiy.

TomTom 2010-05-12 08:14:16

A bit harsh, I'd still like to try to understand if there's a good reason behind that reasoning but I couldn't agree with you more. I'd rather not have to use two separate languages for every piece of program functionality.

Jonn 2010-05-12 08:32:28

Actually not harsh. There are good reasons against direct table access - but they mostly can be resolved with views AND mean you HAVE to have filter logic in the database. If that is not the case, nothing is gained security wise - and a lot is lost, speed wise in development (= money). Loosing money for no gain is normally considered stupid ;)

TomTom 2010-05-12 08:50:46

Makes sense, considering all the time lost with sps (perhaps for those who are proficient with it could manage better but not me).

Jonn 2010-05-12 13:40:41

+2 A:

When you think about it, in a certain context, limiting access to stored procedures makes a lot of sense. The procedures expose an API and handle processing (e.g. check complex constraints) which is in theory fine. There's no easy way to declare cross-column constraints like "if column A is null, column B should be one of {X, Y, Z}". Multiple applications might be using the procedure API and all could benefit from the procedures making sure the data is treated the right way.

However, anyone who has tried to write a lot of logic in the database and a lot of logic in an general purpose OOP language knows that the former tends lead to an unmaintainable, DB-locked mountain of unintelligable code, while the later is generally recognized as "the way to write complex applications/systems".

While the stored procedure API approach is far from extinct, I would be genuinely surprised to see a new project started using this pattern. ORMs are far from perfect, but they do provide huge benefits which are more and more taken for granted: the whole application can be written in one language (Python, Java, Groovy, Ruby...), you can usually switch the DBMS in a few minutes (which works wonders e.g. when you're running tests on hsqldb, but use postgresql in production), data packaging from and to the database is a lot simpler (the ORM usually returns domain objects, rather than primitives), there are caching advantages etc.

In light of this, it is perfectly acceptable that an application have full CRUD access to everything in it's database. Also, if you have an account which only allows you to invoke stored procedures, I wouldn't recommend spending time looking into how you can circumvent the access rights: a better use of your time would be to argue for CRUD table access privileges.

Tomislav Nakic-Alfirevic 2010-05-12 07:42:06

Wouldn't multiple applications with cross-column constraints benefit better from implementing SOA rather than have stored procs at the back-end?On "I would be genuinely surprised to see a new project started using this pattern", then you'd be shocked and greatly disappointed as I am as to the number of projects I wish our team would just use an ORM over the traditional stored procs (and the IMO questionable ApplicationBlocks.SqlHelper)

Jonn 2010-05-12 08:09:01

Cross column != cross table. ;)

TomTom 2010-05-12 08:13:32

@Jonn I'm not sure if we're on the same page here, but I _can_ say that yes, I agree with you that SOA is a better approach than stored procedures in the circumstances you describe.

Tomislav Nakic-Alfirevic 2010-05-12 08:20:27

@TomTom Not sure what you mean. My example was for a cross-column constraint. The same would be true for a cross-table constraint and many others, for that matter.

Tomislav Nakic-Alfirevic 2010-05-12 08:21:28

Same, I'd thought it would apply for either column or table.Anyway, what did you mean about not being on the same page Tomislav?

Jonn 2010-05-12 13:46:53

@Jonn: I wasn't clear if you thought that I think a stored procedure API was a good idea or not...mostly due to the fact that only now did I notice that you were the one who opened the question in the first place so that we are in fact on the same page. :)

Tomislav Nakic-Alfirevic 2010-05-12 14:25:06

ansaurus

tags:

views:

answers:

Database permissions and ORMs

related questions