If a user is not authorized to see a database can I exclude that database from even appearing in Management Studio for that user
TIA,
Barkingdog
Hi,you would need to revove the permission 'VIEW ANY DATABASE' from the role PUBLIC.
HTH, Jens K. Suessmeyer.
http://www.sqlserver2005.de|||
I found the server-level permission "View any database", denied it to the test user, and found exactly that. The user couldn't see (under SSMS) any databases whatsoever including the one he is the DBO of! How can I assign him permissions to see that one database but no others in the SSMS tree?
TIA,
Barkingdog
P.S. The evidence is if I removed that permission from "public" then no one -- maybe even the sa? - could see any databases in SSMS.!
|||How are you making the user an owner? Are you making him a member of db_owner or are you using the alter authorization statement to make the user the actual owner of the database?
You can tell by looking at the owner_sid in sys.databases - the sid should point to the owning login. If the login is the owner of the database, denying that user view any database will not prevent him from viewing the database in sys.databases or Management Studio.
Jack Richins
SDE Sql Server
I made him a member of the db_owner.
When I run
sp_helpuser <DBName>
it returns x01 as the SID for the username dbo.
When I run
use DBName
select * from sys.databases
it returns.......
0x010500000000000515000000AAB950D6A501....
for the owner sid of the database.
So the user is not the DBO (though he belongs to that role).
Then back to my original question. How can I deny a user from seeing any databses in the SSMS tree that he does not have permission to access?
TIA,
Barkingdog
|||
DENY VIEW ANY DATABASE to the test login. This prevents the user from seeing any databases for which the user is not the DBO. You can make the user a DBO by using ALTER AUTHORIZATION DATABASE::<database> TO <login>. Being a member of db_owner is not sufficient to see the database if "view any database" was denied.
This is not very clean and may not work for you if you can't make this user login the actual DBO of the database you want him to administer or have multiple logins you want to secure in this manner as only a single login can be the actual DBO of a database.
This is something we're investigating for future improvements. So if you could provide some details on what you would like this login to be able to do and what you don't want the login to see or do, it could help us better solve your problems as we design future versions of SQL Server. Also whether you use SQL Logins or Windows Integrated Logins - how many different logins you'd like to secure in this way, and anything else you think might be relevant.
Thanks,
Jack Richins
SDE SQL Server
Dear Jack,
This whole issue took me by surprise. In our shop we have three teams of developers and all the development datbases are in a single sql instance. One of the group leaders asked me if there is any way to prevent those not in his group from even seeing the database display name under SSMS and sql tools (e.g. query editor, via OLEDB). I don't know the reason for his concern -- developers outside his group are not authorized to even view his databases but from a security perspective it seems reasonable: If a user does not have access to a databse, why should the database even "exist" for that user. This applies regardless of the form of Windows authentication used.
TIA,
Barkingdog
|||Thanks, this isn't a scenario we'd been discussing so I'm glad you brought this up. I'm sorry we don't have a solution for you now, but hopefully in the future we can do something to enable this.
Thanks,
Jack Richins
SDE SQL Server
The main issue here is that determining what databases a user can see is an expensive check, as the permissions to access the database are stored in the database itself, so verifying them requires a database access. This prevents a general solution from being available through SSMS - some customers manage hundreds of databases on a single server, which would make such checks prohibitive.
You can still write a view in SQL Server 2005 that could filter rows using "has_dbaccess() = 1" as a predicate, but you should only do this if you have a limited number of databases, as it would be too expensive otherwise.
I also want to add that we're aware of this request and we're looking at ways to address it.
Thanks
Laurentiu
No comments:
Post a Comment