Re: Removing the sa and other users
From: Martin de vroom (martindevroom_at_hotmail.com)
Date: 05/21/03
- Next message: jrm: "Re: ERROR: [SQL-DMO] The name 'dbo' was not found in the users collection..."
- Previous message: Maryam Teimourian: "windows authentication"
- In reply to: Ray H: "Removing the sa and other users"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 21 May 2003 21:59:12 +1200
May be application roles is what you need.
as long as a user has permission to access the database and execute a single
sp then the permission that are assigned to that app role will kick in and
the database will forget about any permisssion assigned to an NT user. This
way you can give an application role any access you like, but if the same
user sits down at QA they won't get very far because the permissions are via
the application role and NOT to the user account.
I am no expert on this but you may want to check it out.
cheers
martin
"Ray H" <rayhigdon@colliergov.net> wrote in message
news:052301c31f29$65383b10$a501280a@phx.gbl...
> You can remove the builtin admins and domain admins and
> make the SA password impossible to guess. Then you have
> to determine which account to run the service and what
> level of security it needs.
>
>
> >-----Original Message-----
> >The issue is actually that when delivering an
> application
> >together with a database, one does not have any control
> >over the client's admin users or logins, and yet how do
> I
> >protect the database from tamper by those very users?
> >
> >>-----Original Message-----
> >>If you are not using Windows Authentication I don't
> >>believe you can remove the SA account, but you could
> >>remove administrators and builtin admins and make the
> SA
> >>password impossible to guess.
> >>
> >>
> >>>-----Original Message-----
> >>>HI All,
> >>>
> >>>Appologies if this has already been asked and answered.
> >>>
> >>>Is it possible to remove all access to a database and
> >>its
> >>>objects from all users (including sa etc.), only
> >>allowing
> >>>read and write access to custom users created in the
> DB.
> >>>
> >>>The idea is to prevent all users from reading the
> >>database
> >>>structure or objects, when installing the database as
> >>part
> >>>of an application on a target server. Ideally I would
> >>only
> >>>want to allow Backup/restore permissions on the DB.
> All
> >>>other access MUST be via the application.
> >>>
> >>>I would appreciate any pointers in this regard.
> >>>
> >>>Regards
> >>>
> >>>Bryan
> >>>savanna@webmail.co.za
> >>>
> >>>.
> >>>
> >>.
> >>
> >.
> >
- Next message: jrm: "Re: ERROR: [SQL-DMO] The name 'dbo' was not found in the users collection..."
- Previous message: Maryam Teimourian: "windows authentication"
- In reply to: Ray H: "Removing the sa and other users"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
