I am reading up on my security and have a general question. In a database, users should be granted only the attributes that they require, i.e. select, read, delete, etc.
When using Entity Framework as the ORM how can I implement this? The entities have no concept of permissions.
Thanks
The way you implement least privilege for Entity Framework is that you use a database login for your connection to the database from EF (typically this would be set in the connection string). Depending on how you use EF, that login should only be allowed to do certain things.
Obviously it will need CRUD access to the tables (or views), unless you're using stored procedures for inserts/updates/deletes. It'll need execute on any functions or stored procedures you use.
Also, if you intend on using Code First Migrations, it will have to basically have ownership because it will be adding/removing tables and columns.
Now, that is how you implement least privilege for EF, which might not be what you're even looking for. If you're wanting to know how to implement it for your Users, then that would be a question of authentication and authorization, which would be outside the scope of the database and would be more of an issue for your Application. (I guess technically you could use a method where the user has to log in using a database login, which would be used to configure EF's connection to the database, but I think that would tend to be very error prone, especially if it's in a web application.)
Let me know if that helped you out. :)
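The permission split described in the answer above, written out as an added example (not part of the original answer). It assumes SQL Server, and it goes one step further than the answer by using two logins, so the ownership that Code First Migrations needs never sits in the application's runtime connection string. The database name AppDb, the login names, and the procedure dbo.usp_ArchiveOrders are hypothetical.

```sql
-- Assumptions: SQL Server 2012+, database AppDb, application objects in schema dbo.
-- All names and passwords below are placeholders.

USE master;
CREATE LOGIN app_runtime  WITH PASSWORD = '<runtime-password-placeholder>';
CREATE LOGIN app_migrator WITH PASSWORD = '<migrator-password-placeholder>';
GO

USE AppDb;
CREATE USER app_runtime  FOR LOGIN app_runtime;
CREATE USER app_migrator FOR LOGIN app_migrator;
GO

-- Runtime login: the one EF uses in the application's connection string
-- (User ID=app_runtime;...). CRUD on tables and views in dbo, nothing else.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_runtime;

-- EXECUTE only on the procedures and functions the model actually calls,
-- granted per object rather than on the whole schema.
GRANT EXECUTE ON OBJECT::dbo.usp_ArchiveOrders TO app_runtime;
GO

-- Migration login: used only when applying Code First Migrations at deploy
-- time, since it has to create, alter and drop tables and columns.
ALTER ROLE db_owner ADD MEMBER app_migrator;
GO

-- Check: list what was explicitly granted to each principal.
SELECT pr.name            AS principal,
       pe.state_desc      AS state,
       pe.permission_name AS permission,
       pe.class_desc      AS securable_class,
       CASE pe.class
            WHEN 1 THEN OBJECT_NAME(pe.major_id)   -- object-level grant
            WHEN 3 THEN SCHEMA_NAME(pe.major_id)   -- schema-level grant
       END                AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN (N'app_runtime', N'app_migrator')
ORDER BY pr.name, pe.permission_name;

-- Check: confirm app_runtime holds no database role membership.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name IN (N'app_runtime', N'app_migrator');
```

If inserts, updates and deletes go through stored procedures instead, the schema-level grant can be reduced to SELECT plus per-procedure EXECUTE grants.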