Security design issues related to multi-tenancy

  • Question

  • Hi,

    I'm planning to develop a SaaS application. I will have a few users, and it's a CMS system that stores lots of customer information. I am at the planning stage and I have an issue with the database: whether to store all customers' data in one DB or create an individual DB for each user. As a startup, I guess a single DB is a cheaper and easier way when deploying on Azure.

    My question is how to handle security issues related to multi-tenancy (clients sharing the infrastructure such as database).

    Thanks,

    James


    James Pinto
    Thursday, August 11, 2011 4:00 AM

Answers

  • Hi,

    One data should be enough if permissions are well configured. For example, each customer has a unique ID, all data is retrieved via stored procedures with a unique ID parameter, and all customer users are granted only execute permission on the stored procedures. Here is a comprehensive blog post about giving permission through stored procedures: http://www.sommarskog.se/grantperm.html.


    Best Regards
    Alex Feng | Forum Support

    • Marked as answer by jdpinto Tuesday, August 16, 2011 2:39 AM
    Monday, August 15, 2011 5:49 AM
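
The design described in the answer above, sketched in T-SQL as an added example that is not part of the original thread. The table, procedure and role names are hypothetical, and it assumes each tenant connects as its own database user, so the procedure can check the supplied tenant ID against the caller instead of trusting the parameter alone.

```sql
-- Constructed schema: every row carries the ID of the tenant that owns it.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    TenantId   INT NOT NULL,
    Name       NVARCHAR(200) NOT NULL
);
CREATE INDEX IX_Customers_Tenant ON dbo.Customers (TenantId);
GO
-- Hypothetical mapping from a database user to the one tenant it may act for.
CREATE TABLE dbo.TenantUsers (
    UserName SYSNAME NOT NULL PRIMARY KEY,
    TenantId INT NOT NULL
);
GO
CREATE PROCEDURE dbo.GetCustomers
    @TenantId INT
AS
BEGIN
    SET NOCOUNT ON;
    -- Refuse a tenant ID that is not mapped to the calling database user.
    -- Without this check, EXECUTE permission alone would let any tenant
    -- read another tenant's rows by passing a different @TenantId.
    IF NOT EXISTS (SELECT 1 FROM dbo.TenantUsers
                   WHERE UserName = USER_NAME() AND TenantId = @TenantId)
    BEGIN
        RAISERROR('Tenant not permitted for this user.', 16, 1);
        RETURN;
    END;
    -- Every query in the procedure is filtered by the verified tenant ID.
    SELECT CustomerId, Name
    FROM dbo.Customers
    WHERE TenantId = @TenantId;
END;
GO
-- Tenant users get EXECUTE on the procedure and nothing on the tables.
-- Because dbo owns both the procedure and the tables, ownership chaining
-- lets the procedure read them on the caller's behalf.
CREATE ROLE TenantApp;
GRANT EXECUTE ON OBJECT::dbo.GetCustomers TO TenantApp;
-- Explicit DENY blocks direct table access even if a later GRANT is added
-- by mistake; access through the owned procedure is unaffected.
DENY SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Customers TO TenantApp;
DENY SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.TenantUsers TO TenantApp;
```

If the application instead connects with one shared login for all tenants, the database cannot tell tenants apart and the tenant check has to be enforced in the application tier before the procedure is called.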

All replies

  • Any specific reason why you think multiple databases will be more expensive? Keep in mind that you buy licenses by server / processor and not by number of databases.
    Thursday, August 11, 2011 5:11 AM
  • I have plans to use the Azure platform; is one tenancy capped to one DB?
    James Pinto
    Friday, August 12, 2011 8:46 AM
  • Hi Alex,

    Thanks


    James Pinto
    Tuesday, August 16, 2011 2:39 AM