Re: View Security

From: A.M (hate-spam@spam.com)
Date: 03/05/03 

From: "A.M" <hate-spam@spam.com>
Date: Wed, 5 Mar 2003 15:03:37 -0500

The user can see list of other users who can login into the database. I would say that is very very sensetive.

  "Tom Moreau" <tom@dont.spam.me.cips.ca> wrote in message news:OrBrn804CHA.2396@TK2MSFTNGP11.phx.gbl...
  By default, you can examine the system objects. I imagine you could revoke SELECT permission on the various tables, procs, etc. Metadata is generally not considered sensitive.

  --
  Tom

  ---------------------------------------------------------------
  Thomas A. Moreau, BSc, PhD, MCSE, MCDBA
  SQL Server MVP
  Columnist, SQL Server Professional
  Toronto, ON Canada tom@cips.ca
  www.pinnaclepublishing.com/sql

    "A.M" <hate-spam@spam.com> wrote in message news:#RQ7P204CHA.1676@TK2MSFTNGP12.phx.gbl...

    So you mean if we give small access to a user then the user will be able to see all database structure ? That is terrible vulnerability.

    We have SCHEMA in Oracle so i can efficiently hide any part of database from user. Do we have similar thing in SQL server? I know SqlServer 2000 has scema capability. Can it solve my problem ?

    Thanks,
    Ali

      "Tom Moreau" <tom@dont.spam.me.cips.ca> wrote in message news:#xtfKY04CHA.2408@TK2MSFTNGP09.phx.gbl...
      Well, yes and no. You can create a view, proc or function and specify the WITH ENCRYPTION option. However, it is quite difficult to prevent users from seeing a list of objects.

      --
      Tom

      ---------------------------------------------------------------
      Thomas A. Moreau, BSc, PhD, MCSE, MCDBA
      SQL Server MVP
      Columnist, SQL Server Professional
      Toronto, ON Canada tom@cips.ca
      www.pinnaclepublishing.com/sql

        "A.M" <hate-spam@spam.com> wrote in message news:O$KCE2z4CHA.2408@TK2MSFTNGP09.phx.gbl...
        Hi,

        Can i limit a user to just run a select statemet on a view, but do not allow
        him see the view definition or list of other database objects?
        If i make a login member of database public role, then that user will be
        able to see all database structue such as view/table/sp definitions.
        We need to restrict a user and hide database structure from him. All we want
        him to do is run a select statement on a view, but we don't want him to see
        view structure.

        Any help would be appreciated,
        Ali

Relevant Pages

  • Re: No db access after publishing web site
    ... GRANT UPDATE TO ... If I detach and attach this database on a different PC (according that PC ... Cannot open database "pago" requested by the login. ... Are you detaching/attaching the SQL Server Express database correctly ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: System Administrator Implied Permissions
    ... > sa login, it assigns it the System Administrator fixed ... > Now, given this, why does SQL Server ... in each database is always a member of the public and db_owner roles. ... Other sysadmin role members have the exact same ...
    (microsoft.public.sqlserver.security)
  • Re: cannot login to the db after...
    ... Jasper Smith (SQL Server MVP) ... I have created a new database, "db_1", using the "sa" ... I then created a new login, "sqluser1" and gave ...
    (microsoft.public.sqlserver.security)
  • Re: Cant view merge agent properties (trying again)
    ... In the List of Actions for the Snapshot Agent History I see this repeated: ... every single database listed. ... So, just now, I went to computername\Administrator Login ID (because it's ... On the computer running SQL Server, ...
    (microsoft.public.sqlserver.replication)
  • Re: Database security design with ASP.net and form-based authentication
    ... Since you already have forms-based security, why not use a single SQL login ... for all database access? ... data entry, guest/view only, admin, report viewer. ... so I'm using SQL Server authentication. ...
    (microsoft.public.sqlserver.security)