INFO: Problems From Losing Client Identity Checking

ID: Q185175

The information in this article applies to:

SUMMARY

From a design perspective, you can put user authorization checking anywhere. In fact, you can put it everywhere. Impersonation leads to just that. Consider a three-tier application of clients, middle-tier, and databases. Putting authorization everywhere is extremely hard to design and manage.

If you want to make three-tier applications easier to design, you have to ask whether you can authorize locally rather than globally and still maintain security. The answer is yes. If you control your servers and not your clients, authorization must happen on the server. You authorize users when they enter the middle tier. Then you authorize the middle-tier applications at the database. This model works regardless of whether you control both the middle tier and the databases, or just one.

It is important to note that this authorization model is much easier to design and manage, and is a natural fit with the three-tier model. The server applications authorize users at entry to the middle tier. The database tier authorizes server applications. Because user authorization only occurs on entry to the middle tier, n-tier applications are feasible to design and manage as well. This model makes sense because you dramatically reduce authorization complexity at each tier.

Besides being easier to design and manage, the model is also more efficient. For example, if 1,000 users access a database, there are 1,000 unique identities present, and 1,000 connections are necessary. However, if those 1,000 users access 10 server applications that access the database, only 10 unique identities are present. With some intelligent management of connections, far fewer connections are required, resulting in greater efficiency. Microsoft Transaction Server has intelligent management of database connections built in, which allows components running in Microsoft Transaction Server to take advantage of it transparently.
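The model described above, as an added sketch that is not part of the original article and is not Microsoft Transaction Server code: users are authorized once at entry to the middle tier, and the database authorizes only the server applications' own identities. All class, role, and operation names are hypothetical, and requests are assumed to arrive one at a time, so each application's pool needs a single connection.

```python
class Database:
    """Database tier: authorizes server applications, never end users."""
    def __init__(self, app_grants):
        self.app_grants = app_grants          # app identity -> allowed operations
        self.identities_seen, self.connections_opened = set(), 0

    def connect(self, app_identity):
        if app_identity not in self.app_grants:
            raise PermissionError(f"database rejects application {app_identity!r}")
        self.identities_seen.add(app_identity)
        self.connections_opened += 1
        return app_identity                   # connection handle bound to the app identity

    def execute(self, conn, operation):
        if operation not in self.app_grants[conn]:
            raise PermissionError(f"{conn!r} may not {operation}")
        return f"{operation} as {conn}"

class ServerApp:
    """Middle tier: authorizes the user at entry, then calls the database as itself."""
    def __init__(self, identity, db, user_roles, required_role):
        self.identity, self.db = identity, db
        self.user_roles, self.required_role = user_roles, required_role
        self.pool = []                        # idle connections kept for reuse

    def handle(self, user, operation):
        if self.required_role not in self.user_roles.get(user, ()):
            raise PermissionError(f"{user!r} denied at middle tier")
        conn = self.pool.pop() if self.pool else self.db.connect(self.identity)
        try:
            return self.db.execute(conn, operation)
        finally:
            self.pool.append(conn)            # hand the connection back for the next caller

def simulate(users=1000, apps=10):
    roles = {f"user{i}": {"clerk"} for i in range(users)}   # constructed sample users
    db = Database({f"app{j}": {"read_orders"} for j in range(apps)})
    tier = [ServerApp(f"app{j}", db, roles, "clerk") for j in range(apps)]
    for i in range(users):
        tier[i % apps].handle(f"user{i}", "read_orders")
    try:
        tier[0].handle("outsider", "read_orders")   # no role: stopped before the database
        rejected = False
    except PermissionError:
        rejected = True
    return len(db.identities_seen), db.connections_opened, rejected

if __name__ == "__main__":
    print(simulate())
```

The returned tuple gives the number of identities the database saw, the number of connections it opened, and whether the user without a role was stopped at the middle tier.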

Keywords          : kbfaq
Version           : WINNT:2.0
Platform          : winnt
Issue type        : kbinfo

Last Reviewed: August 14, 1998