From Guidance Share
Jump to navigationJump to search
Your application needs to access a downstream resource, typically a database, and you need to decide where to authorize the original caller who initiates the operation and what account to use to access the downstream resource.
- Where to perform authorization and what account(s) to use access the downstream resource.
- You want to use OS auditing to track an individual's operations in the database.
- You want granular, per-user authorization in the database.
- You don't want to trust the front-end application to perform user authorization.
- Your application will scale enough to satisfy your requirements even without connection pooling.
- Use an authentication mechanism that allows you to obtain delegatable credentials.
- Impersonate the original caller's identity and make downstream calls using that identity.
- Configure per-user ACLs at the back-end (e.g. within the database)