Zeal-DBA (7/25/2013)
hi Eric,thanks for such a good explaination, actually there are already multiple running applications and it is not possible to remove logins from sysadmin role or cant modify any users permission because that may imapct of other areas of application and client will not accept it. requirement is only to restrict everyone except SA to update that audit table data.
'SA' is not a role, it is just an account that itself is a member of sysadmin. All members of sysadmin are equal, a sysadmin can't be denied permission. If the client doesn't want to remove users from sysadmin, then the client will just have accept the fact that users can do whatever they want in your database.
Really, one of the users could drop you from sysadmin role and call himself the new DBA.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho