prevent clients to retrieve information_schema and sys metadata

  • Hi together,

    i am searching for a way to prevent users see the sql2005 system schemas like information_schema and sys when retrieving metadata from a database in e.g. Crystal Reports using ODBC or OLE DB.

    How it is ๐Ÿ™

    User sees the userdatabase, sys and information_schema

    How it should be ๐Ÿ™‚

    User sees only userdatabase

    user has server role public

    user has database role db_datareader

    i set up a ODBC DSN with native client

    SQL2005, SP2

    Thx in advance, Stephan

  • From BOL regarding the db_datareader database role:

    Members of the db_datareader fixed database role can run a SELECT statement against any table or view in the database.

    ๐Ÿ˜Ž

  • Thx for the answer.

    The user has the db_datareader role, but this is to much as he is also able to see sys and INFORMATION_SCHEMA tables and views. What is the common way to remove access rights on this "schemas"?

    BR, Stephan

  • I'm getting the same problem. What is the solution to this?

  • Roy Matthews (1/2/2009)


    I'm getting the same problem. What is the solution to this?

    All data access via stored procedures, grant only execute permissions on the procs and no rights to the base tables or views.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • With ms access and crystal reports users do not call stored procedures they see the entire tables and do their own coding i.e select * from table.

    I tried to make all bi reports use sp but they won't so i guess im asking the same question how to prevent them seeing all system tables too.

    In ms access you do a link to the database and it gives all tables, i did do all views for some companies and they still wanted to see the table definition which you can't do in views either same with sp.

    Any other options be appreciated.

  • To prevent users from being able to read schema information you have to deny view definition right.

    There are several ways you could organize it, depending on your needs. One of these is to create a database role and add users to it instead of db_datareader role, grant it select right and deny view definition. This would be equivalent of slightly trimmed db_datareader. You can also deny view definition from particular users but this may become a bit cumbersome if there are many of them.

    Then you can create a separate role and add to it only users that should have not access to schema information, like in the example:

    create user testu without login

    go

    create role [no_schema_view_role]

    go

    --deny schema access to members of this role

    deny view definition to no_schema_view_role

    go

    --if user is not to have access to schema, add it here

    sp_addrolemember 'no_schema_view_role', 'testu'

    go

    sp_addrolemember 'db_datareader', 'testu'

    go

    execute as user='testu'

    go

    --no data should be returned

    select top 1 * from information_schema.tables

    select top 1 * from sys.tables

    go

    revert

    go

    drop user testu

    go

    drop role [no_schema_view_role]

    You can have a look of the Troubleshooting Metadata Visibility topic in BOL.

    Regards

    Piotr

    ...and your only reply is slร inte mhath

  • I have a weird situation. On a network with 4 SQL servers, I was asked to prevent 3rd party from connecting to 3 of the SQL servers, they may only connect/logon to 1 SQL 2000 server. To make the issue even more hilarious, the 3rd party has the sa (SQL admin account) password for one of the SQL 2000 servers they are not supposed to connect/logon to, changing the sa password is not possible since the application and DTS's all use the sa password on that server.

    Searching via google, I found 2 solutions to the problem,

    1. use logon triggers

    2. use IPSEC

    Can anyone provide a statisfactory solution.

    Regards

    Kevin

    sonyt65@yahoo.com

  • clive (3/10/2009)


    Can anyone provide a statisfactory solution.

    On SQL 2000?

    If I may be blunt, the first thing I would look at is changing the DTS so that they use a username/password specifically for DTS, then I'd look at the apps, see if they can be modified to not use sa. Anything else is just patching holes.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • Thanks, but unfortunately we have over 800 DTS, they include data source/connections and most of them ActiveX VBScripts which use sa account and password (some DTS have up to 20 or more ActiveX VBScripts), not to mention that clients connect remotely to server/s to access application - the application has the sa password embedded inside it (server side and client side), we can always change the server side, but the client side means travelling to remote sites and modifying client side application, many clients are in neighbouring countries.

    So I need a temporary solution until the sa password has been changed (could be several months).

    Regards

    Kevin

  • SQL 2000 or SQL 2005?

    This is the 2005 forum, but you mentioned SQL 2000. Which is it?

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass

Viewing 11 posts - 1 through 10 (of 10 total)

You must be logged in to reply to this topic. Login to reply