To secure database access, we recommend using IntegratedSecurity so that the Windows user login is also used to log in to the database management system. This means that it is theoretically possible for users to log on directly to the database server and thus gain unfiltered access to the data in the TiCon database. To prevent this, we recommend reducing the authorization of the Windows users/groups so that only the authorization to connect to the server (role membership public) exists.
▪To avoid direct database access, it must be ensured that users do not have direct access to the database.
▪Windows users/groups only require the authorization to connect to the server (Role membership public).
▪If the database roles db_reader, db_writer, db_owner or explicit Authorizations on tables/views/stored procedures/functions have been assigned, these should be removed.
▪The data in the database should only be accessed via the application role TiConAppRole.
▪The Application Role TiCon has already been created in the database by MTM and is password-protected. This role is inactive by default. To use it, the application role must first be activated.
Activating the TiCon application role
Procedure
Case 1: New database (as of and including TiCon 4.09)
▪Use a user which has no read/write access in the connection string.
▪Activate the use of the Application Role via config.xml by adding: <config name="db.useAppRole" value="true" />
Case 2: Old database before TiCon 4.09
▪Use a user with db_owner authorization in the connection string.
▪Carry out the Conversion with the ticon4converter.exe tool or start TiCon once.
▪Then remove the rights of the DB user or use another user who does not have read/write rights to access the TiCon database.
▪Activate the users of the Application Role via config.xml by adding: <config name="db.useAppRole" value="true" />
The config.xml file is located in the Programdata folder of the installed TiCon version. By default under: "%PROGRAMDATA%\MTM\TiCon 4.XX\Config.xml". |