robin.pryor (5/26/2015)
The company I work for insists on being really liberal with db_owner. For the most part, that's not a problem, but security is an issue. Is there a way to give someone db_owner in a db, but remove their ability to do anything in the db's security node?
The crux and possible solution to this problem hinges on WHY the company insists on granting db_owner membership to a broad range of users.
If you are the DBA, then you have ultimate control. If the application will still function normally and users can still perform their daily duties without db_owner privillage, then you could simply ignore tradition by removing everyone from db_owner, and then adding them back on a case by case basis only when someone complains and submits a formal change request that is approved by executive management.
You can also experiment with using DENY to block permissions to db_owner role. I've never dig deep into this, so I don't know how successful this will ultimately be, but the following article appears to go into some detail.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho