Is it possible to DENY permissions on a sysadmin account?

  • We received a request from a developer to provide him the ability to use the SQL debugger in Visual Studio on a development DB server. MS says we need to grant the developer sysadmin permission in order to use the debugger. Is it possible to grant an account sysadmin permission and then DENY specific actions such as CREATE DATABASE? When I tried to DENY various rights, SQL appeared to accept the DENY command; however, the account is still able to perform any action a normal sysadmin can perform. SQL is ignoring the DENY commands, despite the fact they exist on the account. I'm guessing I cannot DENY a sysadmin account, but wanted confirmation from the DBA community.

    Thanks, Dave

  • No, you can't. By rule members of the sysadmin fixed server role bypass security checks.

    K. Brian Kelley
    @kbriankelley

  • Well that stinks. Not sure why MS didn't follow the security model they use with Active Directory.

  • Dunno. Stuff like this has irked me with 2005. You could grant permission to a stored procedure previously and that meant you didn't have to give up the keys to the kingdom.

    K. Brian Kelley
    @kbriankelley

  • I agree completely. Supposedly MS decided to require sysadmin permission because in 2000 it was possible for someone to manipulate the debugger to elevate their permissions.

  • It was, and there maybe should have been some indication of that. However, the solution they chose threw the baby out with the bath water.

    K. Brian Kelley
    @kbriankelley
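
The behaviour confirmed in this thread, as an added T-SQL example that is not part of the original posts: it shows that a DENY on a sysadmin member is stored in metadata but not enforced, then lists every sysadmin member carrying such ineffective DENY rows. The login name `dev_debug_demo` and its password are constructed for illustration; run it on a disposable development instance.

```sql
-- Constructed demo login (hypothetical name and password, not from the thread).
CREATE LOGIN [dev_debug_demo] WITH PASSWORD = N'Constructed-Demo-Pw-1!';
EXEC sp_addsrvrolemember @loginame = N'dev_debug_demo', @rolename = N'sysadmin';

-- The server accepts the DENY without error.
DENY CREATE ANY DATABASE TO [dev_debug_demo];

-- 1) The DENY row exists in the permission catalog (state 'D' = DENY).
SELECT pr.name, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'dev_debug_demo'
  AND pe.state = 'D';

-- 2) The effective permission check still succeeds, because sysadmin
--    membership bypasses permission checks, DENY included.
EXECUTE AS LOGIN = N'dev_debug_demo';
SELECT IS_SRVROLEMEMBER('sysadmin')                         AS is_sysadmin,
       HAS_PERMS_BY_NAME(NULL, NULL, 'CREATE ANY DATABASE') AS can_create_db;
REVERT;

-- 3) Audit: server-level DENY entries held by sysadmin members.
--    Each row is a restriction someone believes is in place but is not.
SELECT m.name AS sysadmin_member,
       pe.class_desc,
       pe.permission_name
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r  ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m  ON m.principal_id = rm.member_principal_id
JOIN sys.server_permissions  AS pe ON pe.grantee_principal_id = m.principal_id
WHERE r.name = N'sysadmin'
  AND pe.state = 'D'
ORDER BY m.name, pe.permission_name;

-- Cleanup of the constructed login.
DROP LOGIN [dev_debug_demo];
```

Query 3 covers only DENY entries granted directly to the login at server level; DENYs inherited through other roles or set inside individual databases need separate checks.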
