Database Security Considerations

Owned by Chris Grigsby
May 28, 2018
2 min read

Introduction

All Framework relational databases are managed within Microsoft SQL Server (MS-SQL) and are accessed via either ODBC data sources or directly configured database connections. This applies to office-based databases and mobile databases, such as those employed by Construction Logistics on Tablet PCs. In all cases Framework solutions adhere to MS-SQL security and only authorised user credentials, as defined by MS-SQL, can interact with a database.

Best Practice & Database Administration

It is considered best practice to review, implement, and maintain a comprehensive security strategy for databases across all applications, environments, users, etc. Installation and configuration of Framework does not implement a specific or restrictive approach to database security and does not directly change MS-SQL security in any way.

It is the responsibility of Framework licensees to asses and implement their own security policy and requirements for MS-SQL, Framework, and all information systems. For all information on implementing security within MS-SQL server, please consult your MS-SQL documentation.

Minimum Security Access Requirements

As a typical/initial installation of security would see user credentials granted the "db_owner" database role, no changes are needed for such credentials to perform all operations in Framework. As assigning the ownership role is not ideal for normal users, a tighter security implementation should be considered. There is a minimum security requirement for normal user credentials of Framework databases:

Configure Database Role Membership for the credentials to be only "db_datareader" and "db_datawriter". 


In addition to the required roles, the credentials must be granted the database "EXECUTE' permission.

Note: Before changing a MS-SQL environment (in any way) please consult your MS-SQL documentation, for your specific MS-SQL version/environment, and test any change before implementation into a Production environment.

An example of granting the execute permission to an MS-SQL user called "NormalUser":   GRANT EXECUTE TO NormalUser