[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 554
  • Last Modified:

Prevent Network Administrators from access to sql database tables

I have an employee database and I want to restrict access to specific tables to only a couple of people not including the Network Admins. What would be the best way to go about doing this seeing as though they know the sa username and password? I thought about creating a group in Active Directory, then a role within SQL Server that denies that specific group access; however, they could just remove their name within the group and again have access.
I realize this is probably an obvious question but any suggestions would be helpful. Thanks

Using SQL Server 2000
 
0
SasDev
Asked:
SasDev
2 Solutions
 
Guy Hengel [angelIII / a3]Billing EngineerCommented:
anyone having sa power cannot be prevented to grant (or remove deny) of any access.
if you need to remove the network or domain admins in general, you need to block the sa account as wells as the builtin\administrators as well as any login that has some fixed server roles assigned that can do the same.

0
 
BryanMICommented:
In order to restrict this access, you would have to remove BUILTIN\Administrators from the sysadmin fixed server role.  These users would then have non sysadmin access to the server and have to be granted specific access to each item you wanted them to have access to.

Anyone who has sysadmin access will always have full access to your server and data.  Note that if you remove them, you will want to add your service account as a sysadmin, as well as NT AUTHORITY\SYSTEM.  These are system accounts used by SQL and they must have admin access for your server to run normally.

For normal maintenance, backups, etc..  You could keep your Domain Admins on the server as dbo's in every database except the database you want to restrict.  You could also add them to the other server roles to give them some server admin type of access without having them able to access your restricted data.  Research fixed server roles in the books online to determine what would work for your organization.
0
 
SasDevAuthor Commented:
Great suggestions. Thanks for your help!
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now