0

I am implementing the azman role based security in my application.

I have seen how to configure it either using XML or SQL.

But I am not able to understand which one is more secure?

I am using click once deployment for my application.

If I distribute the xml file with the click once deployment, what if some user modify the XML file and perform unauthorized tasks?

The same with SQL server, what if some user connected to SQL Server and update the roles?

I would like to know Which one is more secure(XML Or SQL)? Can some one please clarify me on the above questions?

Thanks,

Venkat.

user521237
  • 1

2 Answers2

0

Both options are dependant upon how and where your application will be used, neither of which can be deduced from your post.

But imho there is no option that is "more secure" than the other. Both of them are dependant on who has access to the system your azman store is located with what rights. To reach a level of security that matches your requirements you will have to take all of that into consideration and probably provide adequate documentation for engineers and/or application managers.

RB.
  • 36,301
  • 12
  • 91
  • 131
Anton
  • 5,323
  • 1
  • 22
  • 25
  • I am using click once deployment for distributing my application. If I use XML configuration for AzMan, the XML configuration file gets download to the users machine after installation. How can I make the XML file secure in that case? Please let me know? – user521237 Nov 29 '10 at 10:37
  • Why would you download an Authorization file to a user's machine? Wether you use Sql or not, most users WILL be able to access it when present on their local machine. In all security scenarios you are dependant on system engineering, but with local authorization stores you are making life difficult for them, imho... – Anton Nov 29 '10 at 11:52
0

Are you distributing the SQL Server database as well (like SQL Server CE) ? you didn't say whether you would have a centrally-owned database or would each user get their own .sdf file....

A centrally-owned SQL Server database would certainly make it easier to put specific security controls on than a lot of distributed XML files, as well as auditing any attempts to perform unauthorized modifications or perform any necessary restorations.

Alan McBee
  • 4,202
  • 3
  • 33
  • 38