Re: Removing the sa and other users

From: Martin de vroom (martindevroom_at_hotmail.com)
Date: 05/21/03


Date: Wed, 21 May 2003 21:59:12 +1200


May be application roles is what you need.

as long as a user has permission to access the database and execute a single
sp then the permission that are assigned to that app role will kick in and
the database will forget about any permisssion assigned to an NT user. This
way you can give an application role any access you like, but if the same
user sits down at QA they won't get very far because the permissions are via
the application role and NOT to the user account.

I am no expert on this but you may want to check it out.

cheers

martin

"Ray H" <rayhigdon@colliergov.net> wrote in message
news:052301c31f29$65383b10$a501280a@phx.gbl...
> You can remove the builtin admins and domain admins and
> make the SA password impossible to guess. Then you have
> to determine which account to run the service and what
> level of security it needs.
>
>
> >-----Original Message-----
> >The issue is actually that when delivering an
> application
> >together with a database, one does not have any control
> >over the client's admin users or logins, and yet how do
> I
> >protect the database from tamper by those very users?
> >
> >>-----Original Message-----
> >>If you are not using Windows Authentication I don't
> >>believe you can remove the SA account, but you could
> >>remove administrators and builtin admins and make the
> SA
> >>password impossible to guess.
> >>
> >>
> >>>-----Original Message-----
> >>>HI All,
> >>>
> >>>Appologies if this has already been asked and answered.
> >>>
> >>>Is it possible to remove all access to a database and
> >>its
> >>>objects from all users (including sa etc.), only
> >>allowing
> >>>read and write access to custom users created in the
> DB.
> >>>
> >>>The idea is to prevent all users from reading the
> >>database
> >>>structure or objects, when installing the database as
> >>part
> >>>of an application on a target server. Ideally I would
> >>only
> >>>want to allow Backup/restore permissions on the DB.
> All
> >>>other access MUST be via the application.
> >>>
> >>>I would appreciate any pointers in this regard.
> >>>
> >>>Regards
> >>>
> >>>Bryan
> >>>savanna@webmail.co.za
> >>>
> >>>.
> >>>
> >>.
> >>
> >.
> >



Relevant Pages

  • Re: code access security
    ... Error 1 CREATE ASSEMBLY for assembly 'GmsSqlClr' failed because assembly ... owner has EXTERNAL ACCESS ASSEMBLY permission and the database has the ... make sure the database owner is mapped to the correct login on ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: MS Access OLEDB connection problem
    ... You have a file system permission issue. ... The user account under which ... folder containing your database. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: low permission cannot convert from A97 to A2000/2003
    ... Delete is a separate permission. ... You need open exclusive permission on the database to ... > The admin user has full privileges. ... > as we wont be importing those files from them, and the contractor will be ...
    (microsoft.public.access.conversion)
  • Re: low permission cannot convert from A97 to A2000/2003
    ... Delete is a separate permission. ... You need open exclusive permission on the database to ... > The admin user has full privileges. ... > as we wont be importing those files from them, and the contractor will be ...
    (microsoft.public.access.security)
  • Re: Windows Power User SQL
    ... The guest user must have connect permission in master and tempdb. ... When I run from the master database for example testing against user bill ...
    (microsoft.public.sqlserver.security)