I’ve done a piece of work using Entity Framework. However, my manager asked me to use Stored Procedures instead. He said at the moment, the database security structure in the company is built on database roles.
For example, we have a roleA which includes the AD users that will access the database, and roleA has only been given Execution rights to relavent Stored Procedures. If I use Entity Framework, queries will be run as the actual users instead of the database role, and therefore those users could potentially connect to the database directly and do something with it.
I’m not too familiar with the database security. Can anyone please explain whether what my manager said is valid?
If so, is there any workaround so that I can still use Entity Framework while not breaking the company’s database security structure?(i.e. use role to execute the queries instead of actual AD users)
Database role is database level object. User account used to run your application must first log in to the server. Then the permissions for this account are evaluated based on database users or database roles. If your application account will be member of roleA it should have permissions “to access the database” but if the access means only that members of roleA can execute SP you can forget about any linq or ESQL queries because database security will simply not allow you calling them (it will throw security exception).
The only advantage of EF in such case is automatic mapping of SP’s result set to entity / complex type / custom type. No linq-to-entities can be used and entities can be modified only through mapped stored procedures.