• Status: Solved

SQL Database permissions

Hello,

I have a 3rd-party application that allows a user to create a database to be used with their front end. Every year this user needs to create a few new databases. I'd like to lock the user down to:

Create the database through the application provided to create the database.

Allow the user to only manage the database through this application. (Not use anything like SQL Management Studio.)

And not give this user any kind of server level permissions. Can it be done?

I do have the option of migrating to SQL 2012 if that would help with this.
Asked by: BrownRJ

achaldave Commented:
Does the application use any account to connect to the database, or does it pass the credentials of the currently logged-on user? If the application uses its own account, you can remove the user's permission from the database and configure permission for the account used by the application. This will prevent the user from accessing SQL Server directly by using tools like SQL Management Studio.
 
BrownRJ (Author) Commented:
The application can use either Windows authentication or SQL. Currently it uses Windows authentication.
 
Scott Pletcher (Senior DBA) Commented:
You could have a DDL trigger that, upon db creation, changes the owner of the db.

You can have a logon trigger that would reject any attempt by that user to log onto a SQL instance using SSMS.

Does the user need to use SSMS to do other tasks on the same instance?
 
BrownRJ (Author) Commented:
Scott,

I'd like the user to keep permissions as DBO for any database he creates. Do you have any suggestions on the logon trigger for the SSMS? They do not need to ever access the server this way.
 
Scott Pletcher (Senior DBA) Commented:
If the user is dbo on the db, then he can do anything to that db, including delete it.

Unless the user changes it (not easy to do but probably possible), SSMS will come in with an APP_NAME() of:
'Microsoft SQL Server Management Studio - Query'

You can use that in the logon trigger to rollback (cancel) the login, something like this:



CREATE TRIGGER [Check_For_SSMS_Trigger]
ON ALL SERVER
AFTER LOGON
AS
IF ORIGINAL_LOGIN() IN (N'domain_name\restricted_user_name1') --, ...
AND APP_NAME() LIKE '%Management Studio%'
    ROLLBACK; --cancel/reject login, preventing specified user(s) from accessing SQL using SSMS
GO
 
BrownRJ (Author) Commented:
Scott,

That did the trick. But I notice it doesn't like user groups. I'll just create a trigger for each person. It's not that many.
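
An added example, not part of the original thread: one way to cover a Windows group with a single logon trigger instead of one trigger per person, using IS_MEMBER(), which checks the connecting user's Windows access token. The group name domain_name\restricted_group and the trigger name are hypothetical, and the behaviour should be confirmed on a test instance before it goes on a production server.

```sql
-- Added example: names marked "hypothetical" are assumptions, not from the thread.
-- Intended to replace the per-user trigger; disable or drop that one first.
CREATE TRIGGER [Check_For_SSMS_Group_Trigger]   -- hypothetical name
ON ALL SERVER
AFTER LOGON
AS
BEGIN
    -- Never block sysadmins, so a mistake in this trigger cannot lock out
    -- every administrator on the instance.
    IF IS_SRVROLEMEMBER(N'sysadmin') = 1
        RETURN;

    -- IS_MEMBER() examines the Windows token of the connecting user, so it is
    -- expected to match people who reach SQL Server only through the group.
    -- It returns NULL for an unknown group, which "= 1" treats as no match.
    IF IS_MEMBER(N'domain_name\restricted_group') = 1   -- hypothetical group
       AND APP_NAME() LIKE N'%Management Studio%'
    BEGIN
        -- PRINT output from a logon trigger is diverted to the SQL Server
        -- error log, leaving a record of who was rejected and the client name.
        DECLARE @msg nvarchar(400) =
            N'Logon rejected by Check_For_SSMS_Group_Trigger: '
            + ORIGINAL_LOGIN() + N' using ' + APP_NAME();
        PRINT @msg;
        ROLLBACK;   -- cancel the login
    END
END;
GO

-- Recovery if the trigger misbehaves: connect over the dedicated
-- administrator connection (sqlcmd -A) and run:
-- DISABLE TRIGGER [Check_For_SSMS_Group_Trigger] ON ALL SERVER;
```

APP_NAME() is whatever the client reports, so this is a guard rail against casual SSMS use; the enforceable boundary remains the permissions granted to the login.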