August 18, 2010 at 8:21 pm
Hi all,
I am trying to create a restricted login in that it is mapped to only a single database with the following permissions (roles)
- db_datareader
- db_denydatawriter.
Effectively a read-only view of a specific database.
This all seems to be working fine, except that when I connect to the server using Management Studio using this restricted login, I see more about the server than what we would like. In particular there are 2 issues I'm try to address (unsuccessfully to date)
Firstly the restricted login can check the Security--> Logins and see "itself", as well as the sa account. Now I realise that we shouldn't even have this sa account enabled for many reasons (some more frustrating than others .. ) we do. The restricted login can also view the properties of the sa account but can not change them (of course). Is there anyway to hide the fact that the sa account exists?
Secondly, the catalog of databases on the server are there for all to see. The restricted login can't browse / read or query them but ideally we would also like to hide the listing of databases except of course for the database this restricted login is intended for. Some of the names of these databases are reason enough for hiding.
I have "played around" with the securables for this login but every attempt seems to be either ineffectual or lock the login out competely.
Any pointers would be gratefully accepted.
August 19, 2010 at 10:54 am
Unfortunately this isn't possible.
You can run the command:
DENY VIEW ANY DATABASE TO [login]
But that will hide all databases besides the ones that that user is the owner of (actual db owner, not just a member of db_owner).
There is also no way to hide the sa login that I know of.
August 19, 2010 at 6:06 pm
Hi Derrick,
I suspected as much.
Thanks for the comment.
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply