February 14, 2014 at 5:13 pm
What are the Security Risks for granting View Server State permissions to developers in a production instance?
-Do any of the DMVs expose password information?
-Can the actual transaction data (from the OLTP database tables) be viewed from the DMVs?
February 14, 2014 at 5:37 pm
1.- No, password information is never revealed.
2.- Not exactly, just number of rows (AFAIK).
February 14, 2014 at 6:31 pm
Consider it like read-only access to DMV/system information and schema info, but not the direct ability to view the data.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
February 14, 2014 at 7:23 pm
Thanks. So are there no Security risks? So what are the best practices in granting View Server State permissions to developers (non-sysadmins) in production SQL instances?
February 15, 2014 at 6:41 am
The question is not entirely easy to answer, and ultimately it depends on why you want to give developers VIEW SERVER STATE and how much you trust them.
With VIEW SERVER STATE it is possible to see some data, for instance constants and parameters in query plans and query text. From estimates in query plans, you can draw some conclusions about the data profile. No, it is not a particularly simple exercise, but if you have very sensitive data, you may have reason to be worried.
If you want to give developers VIEW SERVER STATE for a specific purpose, one alternative is to package that in a stored procedure which you sign with a certificate, and create a login from that certificate and grant that login VIEW SERVER STATE.
Erland Sommarskog, SQL Server MVP, www.sommarskog.se
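The certificate-signing alternative described in the last post, sketched in T-SQL as an added example that is not part of the thread. The names AppDb, usp_ActiveRequests, VssCert, VssCertLogin and DevReaders and the password are hypothetical placeholders, and CERTENCODED assumes SQL Server 2012 or later.

```sql
-- Added example. AppDb, usp_ActiveRequests, VssCert, VssCertLogin, DevReaders
-- and the password are hypothetical placeholders.
USE AppDb;
GO
-- Return only chosen columns; query text and plans are deliberately left out,
-- since those are where constants and parameters can be read.
CREATE PROCEDURE dbo.usp_ActiveRequests
AS
BEGIN
    SET NOCOUNT ON;
    SELECT r.session_id, r.status, r.command, r.wait_type, r.wait_time,
           r.blocking_session_id, r.cpu_time, r.total_elapsed_time
    FROM sys.dm_exec_requests AS r
    WHERE r.session_id <> @@SPID;
END;
GO
CREATE CERTIFICATE VssCert
    ENCRYPTION BY PASSWORD = '<placeholder: strong password>'
    WITH SUBJECT = 'Signs procedures that need VIEW SERVER STATE';
GO
-- Sign after the final CREATE/ALTER: altering the procedure drops the signature.
ADD SIGNATURE TO dbo.usp_ActiveRequests
    BY CERTIFICATE VssCert WITH PASSWORD = '<placeholder: strong password>';
GO
-- Copy only the public key to master; that is enough to create a login from it.
DECLARE @sql nvarchar(max) =
    N'CREATE CERTIFICATE VssCert FROM BINARY = '
    + CONVERT(nvarchar(max), CERTENCODED(CERT_ID('VssCert')), 1) + N';';
EXEC master.sys.sp_executesql @sql;
GO
-- Drop the private key so nothing else can be signed with this certificate.
ALTER CERTIFICATE VssCert REMOVE PRIVATE KEY;
GO
USE master;
GO
-- Certificate-mapped login: it cannot connect, it only carries the permission.
CREATE LOGIN VssCertLogin FROM CERTIFICATE VssCert;
GRANT VIEW SERVER STATE TO VssCertLogin;
GO
USE AppDb;
GO
-- Developers get EXECUTE on the procedure, not VIEW SERVER STATE itself.
CREATE ROLE DevReaders;
GRANT EXECUTE ON dbo.usp_ActiveRequests TO DevReaders;
GO
```

A member of DevReaders who queries sys.dm_exec_requests directly still sees only their own session; the server-wide view is available only through the signed procedure.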