Denying access to Enterprise Manager

A user wants to have a user that can read/write to the database from the server (ASP pages) but NOT be able to login through Enterprise Manager.  Is this even possible?
Who is Participating?
ShogunWadeConnect With a Mentor Commented:
The "realistic" answer is that if you allow someone to have sql client tool installed and give them permisions to access a database then there is nothing you can do.   So either :

a) You need to restrict access (by uninstalling) client tools from machines, or
b) Limit peoples access using better security in SQL Server, thus preventing users from doing much in enterprise manager., or
c) Impose a corporate policy banning the use of enterprise manager.

Fundamentally Enterprise manager (as with the rest of sql client tools) are designed and provided for the management (dbo type stuff) and /or developers.  Users dont need it and shouldnt have it generally.
not sure i understand

why would the user have access to enterprise manager?
gexenAuthor Commented:
I'm by no means an MSSQL expert (far from it) but I was under the impression that by default any user could log into Enterprise Manager as long as they have a SQL username and password.  Then, their appropriate permissions would limit them to whatever they were doing.  
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

basically yes...

and basically once the have an ID & password with some authority
there isn't anyway to stop them using it as they see fit...

which is why its bad to give out datareader/datawriter and allow users to have access
to dynamic sql generation facilites...

since any old ODBC providing tool  MS Word, Excell, etc allows them to interact with the database...

I still ask why they would have direct access to Enterprise Manager or any Standard DB tool...

(ok they can still install there own version... and gain client access...)

whats the real problem ?

gexenAuthor Commented:
We host SQL databases for several clients who connect to their databases from home to edit them.
Scott PletcherSenior DBACommented:
Of course you could have a job that ran every, say, 10 seconds and KILLed any task (that's not authorized) with a program_name = N'MS SQLEM'  (in sysprocesses) :-) .
Or have a batch processess printing out P45s for people who dont behave :)
gexenAuthor Commented:
Moderator, please kill this thread, a realistic answer does not exist for this question.
This can be accomplished by setting the database options for "Restrict Acess" to: 'members of db_owner, dbcreator, or sysadmin' in enterprise manager.

Right-Click the database in question, and select the 'Options' tab.  You'll see the setting there.

By doing this your sql logins can still acess the database under the permissions given in their role membership, but any attempt to mange the db in SQLEM will fail.
NO!  You couldnt be more incorrect.  

The questioner asked how to restrict access to enterprise manager.   what you have suggested is a way to ristruct access to a specific database to members of "Administrative" groups.  

In addition: " sql logins can still acess the  database under the permissions given in their role membership"   this is absolutely untrue.   Unless all your users are  either in  db_owner, dbcreator, or sysadmin roles!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.