Carl writes "I'm currently working on securing an ecommerce application. I have to use SQL server authentication and have had to set up a large number of users in two different roles. However, I understand that sp_setapprole will allow me to grant role permission only through a specific application, in my case, I only want users to be able to log in through the website and not directly onto the server. I've played around with sp_setapprole but with no luck. By the way, using SQLSRV7. Could you please give me a hint on how to use it through the web application?? Is it safe to stick the connection and call to the procedure in a session variable? All help appreciated. Carl"