tags:

views:

39

answers:

2
Q: 

Sql Server: How to Deny users access to linked servers

I'd like to deny access to query linked servers to a group of users. I've put them in a role and assigned certain permissions to object level permissions to the that group. I'm at a loss after searching BOL and 'net how to DENY access to linked servers.

EDIT:

I decided to break out profiler to verify exactly what SSMS is calling when displaying linked servers and ensure that a DENY was issued on that system view/SP. Turns out it calls sys.servers, but Sql Server doesn't honor the ACL on this system view -- It's does to other system views (ex: sys.dm_db_index_physical_stats).

+3  A: 

Afaik referencing a linked server is not controlled by access control lists (ACLs). In other words, you cannot GRANT/DENY/REVOKE permission to use a linked server. You can certainly control the permission to change a linked server via ALTER ANY LINKED SERVER permission.

This apparent lack of permission is because the linked servers are forwarding specific credentials to the remote server, controlled via the impersonation or the remote_logins settings associated with the linked server. The actual access control happens on the remote server, using the credentials associated with the linked server. So in order to deny a group of users access to the linked server, you need to deny that group access to the remote server on the remote server itself.

Remus Rusanu  2010-06-28 21:34:00
Depending on your setup, I guess you could also attempt to use the login mapping feature. Typically, I would prefer integrated security and handle everything with proper permissions on actual users based on their actual identity.
Cade Roux  2010-06-28 22:00:35
@Remus I was hoping there was a way to do this. I remember using a tool on Sql Server 200 that would alter permissions on system objects to prevent some users from being able to see the list of linked servers, but not the ability to query them. In this case they can't use integrated security for all linked server, however for some I can modify the settings. Thanks for the response.
Chad  2010-06-29 16:30:47
A: 

The type of authentication is of importance. When you link the servers they have to be linked using Kerberos and then you can control the access on the linked server. Otherwise your group will always be authenticated on the credentials specified in the link.

bjorsig  2010-06-28 23:21:51

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?