Restricting SQL sysadmin from access

  • Hi,

    One of our clients wants to host a highly secured application DB under a server with SS2008 (OS: WS2008 R2), SSL will be used and h/w would be in a guarded location. The proponent requires their data to be inaccessible to other than designated user, and restriction includes the DBA with sysadmin to this SQL instance :hehe:. I understand that with TDE, sysadmin DBA would still be able to access the data. Auditing is not a solution as it takes place after the fact/incident.

    Can you shed some light on possible approaches, no matter how complicated, to achieve such setup, and if it requires 3rd party s/w, will such data still be inaccessible to sysadmin DBA, should db recovery/restore be needed ?

    Thanks in advance.

    Othman

  • If the DBA is in the sysadmin role, then the DBA will have access to the data. The DBA would need to not be in the sysadmin role. They have to trust the DBA.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw[/url]
    Learn Extended Events

  • If you restrict permissions to DBA then he should not be called DBA :(.

    Nag

    Nag
    ------------------------------------------------
    How to get the best help on a forum

    http://www.sqlservercentral.com/articles/Best+Practices/61537

  • Why not just be selective about who you give sysadmin rights to? In a typical production installation, even for a DBA there aren't many situations that absolutely need sysadmin rights.

    You can create a user-friendly application that allows a manager / business owner to assign and revoke privileges to users for administrative and development tasks. That's the approach taken by Oracle's Database Vault solution (Oracle only, not SQL Server).

Viewing 4 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic. Login to reply