pricerc wrote: Is there a special reason why we *can't* specify alternate credentials for a SQL connection in the Connection Wizard, when we *can* in the Database Wizard?
Mike.Sheen wrote: Is there a reason why you want to supply SQL credentials within the connection wizard?
pricerc wrote: But mostly it's because I don't want to use a default password. That's really bad for security.
pricerc wrote: I'd put money on there being many customers whose JiwaLogin user has waaaay more privileges on the SQL server than they're supposed to (unless you've got code that's changing it!), which means a well known user with a well known password is a dangerous thing.
pricerc wrote: This also would provide better security silos for primitive 'multi-tenant' scenarios - here I'm thinking of the potential for a type of hosted environment for really small clients (one or two users) where the cost of a SQL Standard instance can be shared instead of having multiple SQL Express or localdb instances.
Mike.Sheen wrote: But this was all stored in a local file - which is bad for security. Not storing it and prompting the user all the time we were told was unacceptable.
Mike.Sheen wrote: I don't think so - at least not with what I've been exposed to. Everyone tends to use their JiwaUser or JiwaReports SQL credentials for 3rd party integrations, I've never seen anyone use JiwaLogin for anything so I doubt anyone is going to the effort to mess with the privileges for that login.
Mike.Sheen wrote: Contained database authentication in 7.3 of Jiwa will achieve this. No more server-wide credentials, just users in the database.