I have a new database that I am trying to figure out the best way to secure.
This database will collect input from an ASP web form that feeds into one
specific table in the database. The problem is that I do not want any body
besides the Admins group to be able to see the data within this table. Is
there a way to allow a wide variety of people to update a table without
having read access to that table?
In order for users to add/update data, they must have Read rights on the data (and the table design), so you cannot
remove permissions to the tables IF that is the only method users have to input data. You could possibly implement RWOP
(Run With Owners Permissions) queries to do this and then remove perms from the base tabes, but users must still have
rights on those queries (and could possibly see the data through them).
Of course, users typically don't have the ability to interact directly with the db from an ASP app; this is normally on
a webserver, and internet-based users typically don't have the necessary browse priviliges to get to the database. If
this is on an intranet, that's a different story ...
Users aren't going to be inputting data directly into the table (I hope); the ASP users will enter the data, your ASP
code will insert the data using any account you want (this is coded in the Connection string from your ASP page), thus
your ASP users shouldn't have any access to the database at all. You can disallow ALL access to your table to anyone
other than Admins (just remove all permissions for the table for the Users group), then connect your ASP page to the db
via an Admin account.
This assumes that you've setup ULS correctly on the db, of course, otherwise all bets are off.
Scott McDaniel
scott@takemeout_infotrakker.com
www.infotrakker.com