Re: Restrict sysadmin database access?

From: Dejan Sarka (dejan_please_reply_to_newsgroups.sarka@reproms.si)
Date: 03/18/03




Paul,

You have to trust sysadmins, that's it. The only thing you can do is to
encrypt the confidential data, but you have to do it without the help of your
sysadmin.

-- 
Dejan Sarka, SQL Server MVP
FAQ from Neil & others at: http://www.sqlserverfaq.com
Please reply only to the newsgroups.
PASS - the definitive, global community
for SQL Server professionals - http://www.sqlpass.org
"Paul Ritchie" <pritchie@xtraREMOVE.coREMOVE.nzREMOVE> wrote in message
news:uNF79cQ7CHA.2984@TK2MSFTNGP11.phx.gbl...
> People tell me there are ways to stop even the sysadmin from looking at a
> confidential column value (such as an employee pay rate field) in a SQL
> Server database, but I just don't see how this can ever happen.
>
> Even if you remove the database rights of the sysadmin user inside the
> database, a malicious sysadmin will always be able to either a) add another
> user that is dbo for example, or b) restore a backup to a server and/or
> database over which he has total access.
>
> I'm sure there are many other ways you as a sysadmin could look at fields in
> a database that you are restricted from viewing.
>
> Is there really any way at all that a sysadmin can be stopped from seeing
> restricted data in a database?
>
> TIA
>
> cheers,
> Paul Ritchie.
>
>

