January 17, 2008 at 10:58 am
Hi,
I have a requirement from our client that requires us to manage certain databases on the Enterprise Level SQL SERVER 2005 instance. Meaning,
One (1) big hardware having a SQL SERVER 2005 instance and underneath multiple databases for multiple projects maintain by different DBA groups (from different companies). We are not allowed to logon to the Enterprise server but using client management tool to create and manage the databases. Question is, is it possible to segregate certain databases from other DBA to view and access? For example, I don't want other DBA groups look at my databases and same way I don't want to see their databases even though we share one hardware?
Please advice.
January 17, 2008 at 11:08 am
You will have to degrade DBA's (which is server wide level) to DBO's (which is on databases level).
However you will need to have at least one DBA still..
January 17, 2008 at 11:17 am
Hi Mark,
Thanks for your quick turnaround. Could you please elaborate your response ?. As I said I don't have control over other DBA's as they will response for their databases.
What all I need is, when I logon through client enterprise studio to the server, I should have access to other databases than my own dbs. Same way other DBA's should not have access to my databases.
Thanks.
January 17, 2008 at 12:18 pm
I worry if you're administering such a server! You will have to either remove builtin admins or make sure no-one can get added to the local admins of the box otherwise they will become a sysadmin of the entire box.
You will need to be sysadmin to manage the server and databases, highest level of permission for admins of a database will have to be dbowner. However, there's a real problem for you here in as much as public permissions across server and databases will allow all dbowners to extract information on other databases, and how you'll manage msdb, master, maint and logins I have no idea.
I've hardened sql servers on a few occasions but generally it stops 3rd party applications working which love to call system tables.
[font="Comic Sans MS"]The GrumpyOldDBA[/font]
www.grumpyolddba.co.uk
http://sqlblogcasts.com/blogs/grumpyolddba/
January 17, 2008 at 12:19 pm
actually you'd do better to allocate an instance to each user rather than a database. If this isn't production you could consider some levsl of virtualisation too
[font="Comic Sans MS"]The GrumpyOldDBA[/font]
www.grumpyolddba.co.uk
http://sqlblogcasts.com/blogs/grumpyolddba/
January 17, 2008 at 12:37 pm
I will not have local admins rights and so will not have direct server access. Patching and other sys admin things will be done by server group. We DBA groups will logon through CLIENT enterprise manager/studio and manage our appropriate databases.My concern is how the heck I can prevent other DBA group not looking at my databases ?.
May be create multiple instances and create SQL authenticated users accounts (no windows authentication) ?
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply