Re: Stopping users from truncating logs



Well, I have not done that particular deny, but in general a login's rights are an aggregate of all the rights granted directly to the login or to any groups to which the login belongs. In that aggregation, the DENY overrides any GRANTs.

So, yes, the deny to a domain group of users should override their rights granted through some other route. (If someone is a sysadmin those rights triumph over everthing, including deny statements.)

RLF


"wcochran" <wcochran@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:028DD7E6-D059-4086-B70B-D65075F7363B@xxxxxxxxxxxxxxxx
That is excellent. I'll discuss this with my team and more than likely go
forward with this trace flag option instead.

I do have a follow up question though...

If for some reason we don't go with the trace flag and opt to use the deny
script instead of the trace flag. Will the deny command work on domain
groups of users as well who also have DBO rights to the databases?

Thanks in advance again for the help!

William Cochran


"Jeffrey Williams" wrote:

Review the article at:
http://sqlskills.com/BLOGS/PAUL/post/BACKUP-LOG-WITH-NO_LOG-use-abuse-and-undocumented-trace-flags-to-stop-it.aspx

At the bottom of that blog, Paul identifies the trace flags that can be set
that will make those commands no ops. This would be a much better option
than trying to make sure privileges are denied.

The trace flag you want to set is 3231.

Jeff

"wcochran" <wcochran@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7A6F70DF-879B-43F3-8FF9-05AB3F845B4C@xxxxxxxxxxxxxxxx
> I need to stop users from doing backup log commands to truncate the > logs
> when
> they fill up. I was testing and wrote this script:
>
> revoke backup log from BillyTest
>
> Where BillyTest is my user. BillyTest has DBO rights to the database > in
> question. Yet then I logged in and was still able to run this command:
>
> backup log testdb with truncate_only
>
> Any insight on what I'm doing wrong? Thanks in advance!
>
> William Cochran


.



Relevant Pages

  • Re: The thinking behind Bruces prop
    ... voted to deny a class of people rights? ... class of people who voted for prop 8 instead of accepting the fact that what ... were trying to buy more than their "fair share of democracy?" ...
    (rec.bicycles.racing)
  • Re: If Obama Supports The Second Amendment....
    ... States bills of rights did not belong to the States. ... to deny it to the people of the Indiv. ... Bama Brian ...
    (talk.politics.guns)
  • Re: Jon Stewart Skewers McCain on his Maverick" Lie
    ... In the case of gay rights, ... couples in any way, you are inflicting harm on another human being. ... If the situation were reversed and gay couples got a $6,387 tax break, ... It's easy to deny rights you have to others. ...
    (soc.retirement)
  • Re: DENY ACLs
    ... how much load it would take in order for the deny ACL's to be ... >> is denied access even though he is a member of Accountants. ... >POSIX.1e ACL evaluation with subtractive rights of the sort ... >if the effective uid == one of the additional users, ...
    (FreeBSD-Security)