Re: master and msdb database permissions
From: Sue Hoegemeier (Sue_H_at_nomail.please)
Date: 10/29/03
- Next message: Sue Hoegemeier: "Re: Updating a User and giveing him access to different db"
- Previous message: Jerry Medina: "Updating a User and giveing him access to different db"
- In reply to: Randy: "master and msdb database permissions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 29 Oct 2003 15:03:31 -0700
Not a stupid question at all. The users gain access to
master and msdb through the guest account. Then there are
permissions granted to the public role, guest is a member of
the public role...and that's how the users access certain
objects in those databases. And that's where the default
permissions come from - whatever permissions have been
granted to public would be the default permissions.
You can delete the guest user account from msdb and it won't
really hurt any functionality but you can't delete guest
from master (or tempdb for that matter). The guest user
isn't essential for msdb but it is for the master database.
If you were to revoke permissions in master, you'd need to
add the user to the master database and then explicitly deny
whatever you want to deny from this user. But if you deny
access to certain objects, stored procedures, things will
break so you should be very aware of whatever ramifications
this action would have.
You can find some of this in BOL under guest user. Some is
also in different security topics if you do a search on
security or permissions along with guest or public. Some
other links that might help would be:
Microsoft SQL Server 2000 SP3 Security Features and Best
Practices
http://www.microsoft.com/technet/prodtechnol/sql/maintain/security/sp3sec/default.asp
SQL Server Security Resources Site:
http://www.microsoft.com/sql/techinfo/administration/2000/security/default.asp
And this SQL Security Website:
http://www.sqlsecurity.com/DesktopDefault.aspx
-Sue
On Wed, 29 Oct 2003 15:15:30 -0500, "Randy"
<rgeater@nospam.com> wrote:
>Stupid question, I'm sure this has been answered before, but I cannot find
>anything about it........
>
>Is it possible to revoke permissions to master and msdb databases? I have a
>client that is asking that question. My instincts tell me that this cannot
>be done, but I have bad instincts. Since a user is not given explicit
>permissions to these databases, how would one revoke permissions if they can
>be revoked?
>
>When our script creates the login, and grants access to the application
>database, the login created can login with QA and also see master and msdb
>databases in the drop down list of databases, and can select from tables.
>What permissions does a user have to these databases by default? SELECT,
>INSERT, UPDATE, DELETE????? I need to help the client (and myself)
>understand the level of risk associated with having access to these
>databases. If there are online articles, or something in BOL that I can
>look into, please advise.
>
>Thanks!
>
>
- Next message: Sue Hoegemeier: "Re: Updating a User and giveing him access to different db"
- Previous message: Jerry Medina: "Updating a User and giveing him access to different db"
- In reply to: Randy: "master and msdb database permissions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
