June 24, 2011 at 4:20 am
Hi,
I have a requirement to restrict everyone (including DBA) from accessing user defined sql server database objects (like tables/function/views/stored procedures triggers etc). No one should be able to select/modify/delete/drop/disable these database objects from any sql client. These should only be accessible from application. I searched on net and found following:
1. logon triggers : this is a server level trigger which blocks the user (you can modify to block dba well) to logon on the database server. But the same server may have other application database as well and using this user wont be able to login to other db as well. so this is out of scope.
2. DENY permission: as per my R&D results, we cant apply deny permission on sa / dba. let me know if this is possible and how.
3. DB level trigger: we can create database level triggers and roll back the action if any of above mentioned event occur. but DBA can disable the trigger can can access db objects after that.
4. sp_addextendedproperty: using this stored procedure, we can hide user defined tables in SSMSE. but no control over command line. The DBA can login through sql prompt and can execute commands to view table structure and other objects.
Does anyone have any idea on how to restrict any user (especially DBA) from accessing sql server database objects.
PS: I am using SQL Server 2005/2008.
Thanks,
Bhawna
June 24, 2011 at 4:41 am
why would you want to restrict the DBA? surely you are just making their job very difficult to do and if possible end up in a situaiton where the dba is locked out.
June 24, 2011 at 5:31 am
Have you looked at the separation of duties framework at http://sqlserversod.codeplex.com/?
Might not be exactly what you are looking for but it seems to be a better way of managing access.
And to reiterate what steveb mentioned - why would you want to restrict everyone but the application from accessing DB ojects?
June 24, 2011 at 5:34 am
When you say DBA, do you mean a login that is member of the sysadmin role?
There is no way of blocking out a sysadmin from SQL Server. A sysadmin can simply use a DAC connection to bypass all your "security features" implemented by logon triggers etc.
If your DB contains sensitive data that you don't want a sysadmin to be able to read then you need to encrypt it, and hide the encryption keys from the dba.
June 24, 2011 at 5:56 am
it goes back to the "who can you trust" issue.
if you cannot trust the people with the keys to the database, there's basically three options: remove the keys, remove the people or remove the database.
You've covered all the bases pretty well about looking into logon triggers and other options, but you completely skipped over taking rights away, which is where you should have started with.
if someone has sysadmin rights and shouldn't, take those rights away. give them a role that better suits the biz rules you need instead.
Create an DDL and/or DML trace audit so that you can identify(and then reprimand or fire) changes that should not have occurred.
If you cannot trust your sysadmins, fire them and get some new ones.
yeah i know, you can't fire anyone, nor take away those rights, and you already KNOW that's the right thing to do, but it needed to be mentioned.
I think your only option is audits (maybe even using even notifications) and identify the people who wander out of their allowed access.
if you don't want to use SQL because you want your app to be sooper sekret, what are your options? not using SQL server at all, and doing everything in a zipped, encrypted binary file when not in memory? like a SQLLite database or something?
at some point, you have to trust someone(even if it's just yourself)
Lowell
June 24, 2011 at 5:56 am
I have already applied cell level encryption. But I don't want DBA to see the definition or modify any object. We are blocking DBA access for the security of the product.
June 24, 2011 at 6:00 am
bhawna.jain (6/24/2011)
I have already applied cell level encryption. But I don't want DBA to see the definition or modify any object. We are blocking DBA access for the security of the product.
As far as I know SQL Server does not provides such a feature in a way that both allows the DBA to do her/his job and also block her/him from touching objects.
_____________________________________
Pablo (Paul) Berzukov
Author of Understanding Database Administration available at Amazon and other bookstores.
Disclaimer: Advice is provided to the best of my knowledge but no implicit or explicit warranties are provided. Since the advisor explicitly encourages testing any and all suggestions on a test non-production environment advisor should not held liable or responsible for any actions taken based on the given advice.June 24, 2011 at 6:20 am
bhawna.jain (6/24/2011)
I have already applied cell level encryption. But I don't want DBA to see the definition or modify any object. We are blocking DBA access for the security of the product.
how do you expect the DBA to do their job then?
what happens in a DR situation
or if a index is neede?
June 24, 2011 at 6:37 am
If you have so little faith or trust in your DBA then you should find one you can trust. Trying to implement the philosophy you are proposing is silly and negates the reason for having a sysadmin role.
I doubt you will ever have luck holding on to a qualified DBA under such circumstances.
The probability of survival is inversely proportional to the angle of arrival.
June 24, 2011 at 6:44 am
reminds me of some of the other threads , like where the poster wants to encrypt the definition of his tables, because, to him, that might reveal a trade secret or something.
or where they want to remove all foreign keys so no one can reverse engineer their logic and make their own reports.....
Lowell
June 24, 2011 at 6:47 am
yeah these threads pop up every now and again, and i feel that the real solution to protecting your IP would be to desgin the application to use complied DLLs (or similar) to carry out all the important work, as I don't feel this sort of logic belongs in a stored proc..
June 24, 2011 at 7:13 am
bhawna.jain (6/24/2011)
I have already applied cell level encryption. But I don't want DBA to see the definition or modify any object. We are blocking DBA access for the security of the product.
I agree with Lowell, Sturner, and the others. If you can't trust the DBA, then get one you can. If it's that important, spend the money to build a separate server, write the code to make it 100% self maintaining, and don't give the DBA a login for it.
Good luck on that. 😉
--Jeff Moden
Change is inevitable... Change for the better is not.
June 24, 2011 at 8:07 am
Sounds like a software vendor worried that someone may look at their database design and stored procedure.
June 24, 2011 at 8:23 am
Michael Valentine Jones (6/24/2011)
Sounds like a software vendor worried that someone may look at their database design and stored procedure.
Agreed. If that's the case best approach may be to sell whatever it does as a service so customer will only have access to the front-end 🙂
_____________________________________
Pablo (Paul) Berzukov
Author of Understanding Database Administration available at Amazon and other bookstores.
Disclaimer: Advice is provided to the best of my knowledge but no implicit or explicit warranties are provided. Since the advisor explicitly encourages testing any and all suggestions on a test non-production environment advisor should not held liable or responsible for any actions taken based on the given advice.June 24, 2011 at 8:26 am
We've had the same question here a few month ago.
A provider asked us how they could hide all their design from us (dba), the short answer is they can't.
A dba motivated enough will see all your secrets.
As the other said, if you want to protect some IP then shove that piece in the application code.
If you want to protect your data from a DBA then encrypt it in the application.
The more you try to hide things the harder the life of your DBA, which might simply start recommending your soft be replaced by something else (exactly what happened here).
Viewing 15 posts - 1 through 15 (of 36 total)
You must be logged in to reply to this topic. Login to reply