Just my 2 cents, I agree with this method of authenticating the user at the application level and have one login for the database. I try to make everhitng a stored procedure and give access to those but, I usually give select access on the tables for any ad hoc stuff that they might want.

Eric

>A very common practice for a web app is to have the application implement authentication and authorization. Most apps have a users table that contains the login and password and the app does the authentication.
>
>As for accessing SQL Server, use a single login that is mapped to a database user. Assign the user to a database role, say approle. Remove all permissions to all database objects from all users in the database. Use stored procedures for all data access and grant EXECUTE permission to approle for all stored procedures.
>
>Just my opinion of course.
>
>-Mike
>
>
>>What we are trying to do is create a Web app that users should be able to access with a login. So if we use an ADO, do we need to have the security at the Web only or at both the web and server?
>>
>>Hope I haven't confused you guys more...
>>
>>Nicky