tags:

views:

136

answers:

1
Q: 

SQL Server 2005 - Deny View of "Security", "Server Objects", "Replication" and "Management"?

I can deny a specific user DB viewing by doing something like this: 

DENY VIEW ANY DATABASE TO Myuser

But, is there a way to also deny the "Security", "Server Objects", "Replication" and "Management" from being viewed by a remote user when logging in through SSMS?

Thanks.

+1  A: 

Those SSMS categories are aggregates of various server side features. Take for instance the 'Security' tab, this shows 'Logins', 'Server Roles' and 'Credentials'. Consider the 'Logins' node:

  • shows existing login, that is a view over sys.server_principals and visibility of the objects in this catalog view is restricted to entities (logins) on which the current user has ownership or has view definition permission over.
  • Allows to add a new login, which means CREATE LOGIN and this in turn requires ALTER ANY LOGIN or ALTER LOGIN permissions.
  • Allows to delete a login, which means DROP LOGIN and this requires ALTER ANY LOGIN.

Now you could in theory deny VIEW DEFINITION on the logins, deny ALTER ANY LOGIN and deny ALTER LOGIN to the user(s), but you will not be able to deny ownership of a login, so the user will still see something there (its own login). So it's a loosing battle. You could apply similar reasoning to any of the other panels in SSMS you want to hide and you'll reach similar results.

That said, you are approaching this from the wrong angle. Security never relies on DENY, always relies on GRANT. Your users should not have any unnecessary rights, period. You should not have to explictly deny anything, bare some extraordinary circumstances.

Remus Rusanu  2009-09-04 20:29:59
Thanks Remus. I'm aware that the effective permissions for this user is going to prevent them from accessing this resources, but generally I just don't like the idea of them seeing everything in a system that they don't have access to...I'll take your advice and just leave it be :)
Scott  2009-09-04 21:13:07

related questions

Can't copy file with appropriate permissions using FileIOPermission
GetProcessesByName() and Windows Server 2003 scheduled task
Starting a process in C# with username & password throws "Access is Denied" exception
How do you set directory permissions in NSIS?
PHP: How to check if a directory is writeable?
Sharepoint Item Level Access & performance
sudo echo "something" >> /etc/privilegedFile doesn't work... is there an alternative?
What is the best way to create a security architecture?
Hierarchical Group Permissions Theory/Resources?
Why is access denied when installing SSL cert on IIS 5?
What databases do I have permissions on
Can an iPhone App Be Run as Root?
SQLite/PHP read-only?
Multiple permission types (roles) stored in database as single decimal
SharePoint Permissions
CakePHP ACL Database Setup: ARO / ACO structure?
LINQ and Database Permissions
What's the best way to implement a SQL script that will grant select, references, insert, update, and delete permissions to a database role on all the user tables in a database?
php scripts writing to non-world-writable files
How do I detect if a function is available during JNLP execution?
Implementing permissions in PHP
Access Control Lists & Access Control Objects, good tutorial?
In Visual Studio you must be a member of Debug Users or Administrators to start debugging. What if you are but it doesn't work?
Where should I put my log file for an asp.net application?
What is the best way to handle multiple permission types?