Is it possible prevent an SQL Server Admin from changing a user in the database? The case is that a user which is created by an application has ReadOnly rights on the database. The Server Admin of a customer should not be allowed to change these rights or other settings of that user and database.
+2
A:
No, you can not do that. The Administrator is administrator for reason...
Svetlozar Angelov
2009-09-15 08:02:23
Yep. I'd feel pretty uncomfortable with a DB that doesn't allow the admin in.
spender
2009-09-15 08:03:22
A:
Well - errrh - no.
The admin has full access to the database. You cannot prevent people from having full access to the database that they themselves install and own.
So they are free to mess with the database structure, as well as they are free to delete critical files in the application.
So I would say that the best you can do is point out to your customers that the database schema is the one that you have developed and tested, and if they make any modifications you cannot guarantee for the correctness of the application.
If you have some super-duper hot-shot lawyer, you can probebly make an EULA that makes it illegal to mess with it, like Apple tries to make it illegal to install OS-X on a PC ;)
Pete
2009-09-15 08:02:40
A:
Could you refrain from giving the admin account details to the client, and create a logon with the permissions/restrictions you mention? This could be the client's "admin" account.
spender
2009-09-15 08:04:47
A:
If you are in SQL Server 2008, consider if you can create a DDL trigger on the alter login command. As admin they could still disable this, but it would at least let them know the first time they tried it that the change was not committed and why. Likely, they wouldn't drop the trigger as any changes to the login would probably be becasue they didn't know they weren;t supposed. It's not a perfect solution but it would be one level of protection.
HLGEM
2009-09-15 16:59:57