January 12, 2005 at 8:29 am
I'm working on a bank project wherein the client is not interested in giving even DBAs (with sysadmin) permission to view some of his table data.
Does anyone have an answer for this? - URGENT
Venkat,
January 12, 2005 at 1:28 pm
You can't stop someone with SA privileges from viewing the data. You can, however, encrypt it. Actually, if you don't trust your DBAs (they only should be SA), you have a whole lot more problems than only the data.
--
Frank Kalis
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.org/blogs
My blog: http://www.insidesql.org/blogs/frankkalis/
January 12, 2005 at 2:44 pm
Frank is spot on, as usual. Anyone mapped to dbo in a given database (such as the true database owner) ignores all permissions to include DENY within that database. Since members of the sysadmin role map to dbo, they too ignore any permissions that may have been set. Therefore, the only choice you have is encryption. And if DBAs can't look at it, you're going to have to look at encryption at the application level.
K. Brian Kelley
@kbriankelley
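Application-level encryption as suggested in the post above, shown as an added example that is not code from the thread's participants: the application encrypts the field with AES-256-GCM before writing it, so a sysadmin querying the table sees only opaque bytes, and binding the value to its row means a ciphertext copied into another row no longer decrypts. The function names, the `accounts.card_no` row label, the key and the sample value are assumptions constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField returns nonce || ciphertext || tag, the only form the database stores.
// rowCtx (table.column/primary key) is authenticated but not stored in the value.
func EncryptField(key []byte, plaintext, rowCtx string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), []byte(rowCtx)), nil
}

// DecryptField fails if the stored bytes were modified or copied into another row.
func DecryptField(key, stored []byte, rowCtx string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(stored) < gcm.NonceSize() {
		return "", fmt.Errorf("stored value too short")
	}
	pt, err := gcm.Open(nil, stored[:gcm.NonceSize()], stored[gcm.NonceSize():], []byte(rowCtx))
	return string(pt), err
}

func main() {
	key := []byte("constructed-demo-key-32-bytes!!!") // constructed; real key stays with the application
	stored, _ := EncryptField(key, "constructed-card-no-0001", "accounts.card_no/42")
	_, err := DecryptField(key, stored, "accounts.card_no/43")
	fmt.Printf("column value: %x\nread as row 43: %v\n", stored, err)
}
```

The scheme only holds if the key is kept where the database administrators cannot read it, for example in the application tier's own key store.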
January 13, 2005 at 6:20 pm
If the data is so valuable that no one should be able to browse it, it should be encrypted.
If you don't want DBAs to be able to select data from the table, don't make them sysadmins. Give DBAs restricted access to the database, and follow some strict security guidelines for the SA account. (Change the password regularly, store it somewhere safe, make sure only a restricted list of people can have access to it, and audit all actions.)
Julian Kuiters
juliankuiters.id.au