RE: Is there ANY scenario where SA can be denied rights to specific objects?

  • spaghettidba (1/13/2015)


    GilaMonster (1/13/2015)


    Erland Sommarskog (1/12/2015)


    As I understand it, membership in sysadmin means that all permissions checks are waived.

    Correct.

    Any login that's a member of the sysadmin fixed server role bypasses ALL security checks. Hence it is impossible to deny anything to any member of sysadmin as the permission chain is never checked.

    Worth noting that the same is not true for the server-level permission CONTROL SERVER.

    Moreover CONTROL SERVER does not really mean the same as sysadmin: many system stored procedures still check for sysadmin membership and CONTROL SERVER is no good for that.

    Correct.

    Simplest example is: xp_readerrorlog

    Unavailable for non-sysadmins who have been granted CONTROL SERVER.

    + you can actually DENY stuff for Control Server.

    Johan

    Learn to play, play to learn !

    Don't drive faster than your guardian angel can fly ...
    but keeping both feet on the ground won't get you anywhere

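The difference discussed in this thread can be checked directly on a test instance. The script below is an added example, not code from any of the posters: it applies the same server-level DENY to a CONTROL SERVER login and to a sysadmin member, reports what each login effectively holds, and then lists who has either privilege. The login names `cs_demo` and `sa_demo` and the passwords are constructed placeholders; run it as a sysadmin.

```sql
-- Added illustration; cs_demo and sa_demo are constructed login names.
-- Run as a sysadmin on a test instance. Passwords are placeholders.
USE master;
GO
CREATE LOGIN cs_demo WITH PASSWORD = N'Placeholder-Pw-1!';
CREATE LOGIN sa_demo WITH PASSWORD = N'Placeholder-Pw-2!';
GRANT CONTROL SERVER TO cs_demo;
-- SQL Server 2008 syntax for adding a member to a fixed server role.
EXEC sp_addsrvrolemember @loginame = N'sa_demo', @rolename = N'sysadmin';

-- The same explicit DENY is applied to both logins.
DENY VIEW SERVER STATE TO cs_demo;
DENY VIEW SERVER STATE TO sa_demo;
GO

-- Effective permission and sysadmin membership as each login sees them.
-- IS_SRVROLEMEMBER is the kind of check many system procedures perform.
EXECUTE AS LOGIN = N'cs_demo';
SELECT SUSER_SNAME() AS login_name,
       HAS_PERMS_BY_NAME(NULL, NULL, 'VIEW SERVER STATE') AS has_view_server_state,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
REVERT;

EXECUTE AS LOGIN = N'sa_demo';
SELECT SUSER_SNAME() AS login_name,
       HAS_PERMS_BY_NAME(NULL, NULL, 'VIEW SERVER STATE') AS has_view_server_state,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
REVERT;
GO

-- Audit: every explicit CONTROL SERVER grant or deny on the instance.
SELECT p.name AS principal_name, p.type_desc, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = N'CONTROL SERVER';

-- Audit: every member of sysadmin, for whom DENY entries are never evaluated.
SELECT m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
GO

-- Clean up the demo logins.
DROP LOGIN cs_demo;
DROP LOGIN sa_demo;
```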