Denying update rights to all tables in a database for a user

  • kkapferer (11/6/2009)


    I think you both raise very interesting points. My situation is unique in that this person is an R&D engineer, not in IT at all. They prefer to work on their own island, and only come to us when they need us to help out because they "tripped and fell while running with scissors". There were two engineers who oversee the application that connects to the database in question, and have dbo access (the rest of the engineers could only query through the application). The one apparently had repeatedly asked him to stop editing data in Enterprise Manager because he had made typographical errors while doing his quick and dirty edits. Now she came back to me because she discovered he was still doing this after we restricted his access to a read only role. That was how we discovered he had write access on each of the 600 or so tables in this database.

    Since I do not work in the same group as this guy, I obviously do not have the power to fire him. I have made it very clear to his superior (the other engineer with dbo access) that what he is doing is very suspect behavior, but that is as far as I go with it. She knows how sensitive her data is, and I don't.

    Thanks again for the dialog on this. As a fairly new DBA, (2 years out of college) I always think engaging in conversation about this stuff is fascinating.

    In that scenario, if I were you, I'd make sure I had a written report with that data that went to the IT manager or someone responsible for system security, and to HR. That way, you've at least covered your own a** if something goes wrong. That would be my minimum action on it. Up to you, all I can say on this is what I would do.

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

  • Wow, that's a bit more serious than I thought. I initially assumed this was a general security question. Gus has some great advice, cover your butt. In the meantime, I'd begin to work w/ your manager to have the R&D team's manager build a case for production data access. Document the data that they need access to and give it to them via a view or SP. Don't give them table access at all.

    John Rowan

    ======================================================
    Forum Etiquette: How to post data/code on a forum to get the best help - by Jeff Moden
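
One way to carry out what the thread describes (find where the write access comes from, deny writes on every table, hand out data through a view only), as an added example that is not code from any of the posters. It assumes SQL Server 2005 or later; the user name `rd_engineer`, the table `dbo.TestResults` with its columns, and the `rd` schema and view are hypothetical placeholders.

```sql
-- Assumptions: SQL Server 2005+, hypothetical user rd_engineer, placeholder table dbo.TestResults.
-- 1. Explicit write grants held by the user, by public, or by a role the user is a direct member of.
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name,
       SCHEMA_NAME(o.schema_id) AS schema_name, o.name AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.objects AS o ON pe.class = 1 AND o.object_id = pe.major_id
WHERE pe.permission_name IN ('INSERT', 'UPDATE', 'DELETE', 'ALTER', 'CONTROL')
  AND pe.state IN ('G', 'W')            -- GRANT or GRANT WITH GRANT OPTION
  AND (pr.name IN (N'rd_engineer', N'public')
       OR pr.principal_id IN (SELECT rm.role_principal_id
                              FROM sys.database_role_members AS rm
                              JOIN sys.database_principals AS m
                                ON m.principal_id = rm.member_principal_id
                              WHERE m.name = N'rd_engineer'))
ORDER BY grantee, schema_name, object_name;

-- 2. Fixed roles (db_datawriter, db_owner) carry write access without permission rows,
--    so list role memberships as well.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'rd_engineer';

-- 3. Database-level DENY: overrides grants on every current and future table.
--    It has no effect on dbo or sysadmin members.
DENY INSERT, UPDATE, DELETE TO rd_engineer;
GO

-- 4. Expose only the documented columns through a view in a separate schema.
--    Schema and view are owned by dbo, as is the table, so ownership chaining lets
--    the user read through the view without any permission on the table itself.
CREATE SCHEMA rd AUTHORIZATION dbo;
GO
CREATE VIEW rd.vw_TestResults
AS
SELECT ResultId, RunDate, Measurement
FROM dbo.TestResults;
GO
GRANT SELECT ON rd.vw_TestResults TO rd_engineer;
-- After this, remove whatever still grants SELECT on the tables (for example
-- db_datareader membership), leaving the view as the only access path.
```

The first query follows only direct role membership; a role nested inside another role needs the same check repeated for the outer role.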
