The authorization process establishes if a user can retrieve and manipulate specific data. There are two approaches: your data access code can use authorization to determine whether or not to perform the requested operation, and the database can perform authorization to restrict the capabilities of the SQL login used by your application.
With inadequate authorization, a user may be able to see the data of another user and an unauthorized user may be able to access restricted data. To address these threats:
Restrict unauthorized callers.
Restrict unauthorized code.
Restrict the application in the database.
Figure 14-3 summarizes the authorization points and techniques that should be used.
Figure 14-3. Data access authorization, assembly, ...