January 15, 2014 at 10:34 am
Hi,
How can I deny view Master database to a login?
When I create a linked server the login can see the master...
January 15, 2014 at 10:45 am
Take a look at this article:http://support.microsoft.com/kb/75291
January 15, 2014 at 11:34 am
and to recap, all users, since they are in the public role, have access to master and tempdb;
however what they see in the master database is limited by permissions, and can be further restricted(ie DENY VIEW ANY DATABASE)
they can only see objects in sys.objects like dbo.sptvalues, and not any other tables/views/procs that are not part of the default install, if any extra objects were added to master.
Lowell
January 16, 2014 at 10:14 am
One funny note on the DENY VIEW ANY DATABASE bit: I once had a request to prevent a login from being able to view the names of any databases on the instance other than their own. It turns out that that can only be done in an incredibly hack-y and convoluted way, but in the process I discovered that even with DENY VIEW ANY DATABASE I could still pass the integers greater than 4 to DB_NAME and get the names of all the user databases. A funny little loophole 🙂
September 16, 2020 at 4:07 pm
Lowell,
Is there any other way to restrict what a user can actually "see" from the Master/Temp DB's? I'm asking because I have included the restriction for "Deny View Any Database" while also restricting schema permissions to Information_Schema and Sys. When I deny "execute" on the Sys schema nothing shows up for a user to see including their own database's data. I also get the error "The Execute permission was denied on the object 'sp_tables'" so I remove that restriction and everything shows back up again.
Is there a role that perhaps I could create that would trump the Public role and take away those tables while still allowing access to data within a created user database?
As you can see in the screenshot attached I have created a database called "performance" and over to the right there is a list of tables to choose from but look at all of the native db objects that are listed as well. The only objects I would like a user to see is the first table and the fourth from the top. The client will be confused as to what to choose and it will create chaos and long running queries from folks poking around.
Any suggestions?
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply