Hide all system views/tables from users in SQL server 2005


Heinrich-192976
Hello,
As you described, that is exactly the same situation for me.
I have users who connect via ODBC and MS Access with an SQL Server Navision DB (SQL Server 2005).
They must connect via a SQL Server authenticated login (because they access from outside our domain).
I have implemented a role and granted special select rights to this role. I have tried to deny on schema sys and INFORMATION_SCHEMA etc., but that doesn't work. The users should see only the user tables, but they are also able to see all sys views and information_schema views, and I am not able to prevent it.
I have looked all around the web but I found no solution for this topic. Therefore a solution for your problem would be a solution for me too.
Thanks for your answer
H.Stenner
Brett Stutzman-431075
Well, it is March 2012 and I am using SQL Server 2008 R2 and having the same problems the SQL Server 2005 folks had 3 years ago. Has anyone come across a solution or workaround so that an ODBC connection to a SQL Server 2008 R2 database does not show information_schema and sys objects? I see this is still a problem, but outside of scripting every object in database 'mssqlsystemresource' as deny (not really what I was looking for). Anyone have anything on this?
Lowell
There are a number of threads here on SSC where the requirement is to remove public permissions in order to comply and lock down a SQL Server to DoD standards (Google "Database Security Checklist" for examples).
In that, we just don't care what breaks.

See this thread for an example:
http://www.sqlservercentral.com/Forums/Topic845604-392-1.aspx#bm845742


and take a look at this link for a more comprehensive script.
http://blogs.technet.com/b/fort_sql/archive/2010/02/04/remove-public-and-guest-permissions.aspx

Lowell


Brett Stutzman-431075
I created a role and am applying the deny select and deny exec for stored procs to that role, not changing the public access. I am not trying to foobar up the dbase, as it is vital right now, but I need to be able to create a secure connection from ODBC giving users only a select set of objects (mainly tables) to access. I have been searching for some time now this week and have not found something that would fit yet. Have you tried what I am suggesting or trying to do in a quick dev environment? I am thrown by the fact that others over the years have not solved or worked around this yet, or that a resolution has not been posted on this for SQL Server 2008 yet; it seems to be a basic thing that many would come up against. Simply trying to set up a role and user id that ODBC can get to and only see a select set of tables or objects in the parent dbase.

thanks for your time and knowledge,
Brett
Brett Stutzman-431075
When you use deny VIEW DEFINITION the user cannot see the objects, but the user can still query (select * from table/view) an object if they know the name(s). Again, I am using a newly created role and user so as not to affect other dbases and systems with this. So this did not work.

thanks
Brett
martin-k
Hello,
I had the same problems with SQL Server 2008 R2 with ODBC. When connecting to any database, all system views from db master were shown in addition.
I have done the following in Management Studio: after selecting db master, properties, I added the role public in rights and revoked "select". That was all!
Did you try this already?

In ODBC management, the "SQL Server Native Client 10" driver is a must! With older versions it does not work.
New ODBC connections can only be created with accounts without "public" membership!

best regards
Martin
Mile Higher Than Sea Level
Image of what the discussion is about.

Steps to limit a user to choose only the views they have permission for:

1. In Databases, Security, Logins - New Logins
Login Name: GISviewer (password), turn off password enforce policy
Default DB - RegDB; User Mapping - RegDB

2. Run T-SQL on the view GISWell:
USE RegDB
GRANT SELECT ON vGISWell TO [GISviewer]

3. Open Access - External Data (Native SQL - add server name)
In data source, UserName: GISViewer, Password: .....

Link Tables result:
Only the dbo.vGISWell shows on top - desired!
Plus.... not desired:
All the Information_Schema.check_constraints
All of the sys.all_xxxx (see link image above)

Did the solution above work?
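
An added example, not part of any poster's message: a T-SQL audit of what the GISviewer principal from the steps above can actually read, separating data access (SELECT on vGISWell) from the catalog metadata discussed in this thread. It reuses RegDB, vGISWell and GISviewer from the post, and assumes the database user has the same name as the login and that the script is run as db_owner on a test copy.

```sql
-- Added example: audit what the restricted principal can see and read.
-- RegDB, vGISWell and GISviewer come from the post above.
-- Assumption: the database user is named GISviewer, same as the login.
USE RegDB;
GO

-- 1. Explicit GRANT/DENY rows recorded in this database for the user
--    and for the public role (every user is a member of public).
SELECT pr.name AS grantee,
       pe.state_desc,
       pe.permission_name,
       pe.class_desc,
       CASE WHEN pe.class = 1  -- 1 = object or column
            THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)
       END AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN (N'GISviewer', N'public')
ORDER BY pr.name, pe.class_desc, securable;
GO

-- 2. Impersonate the user and compare effective rights on the granted
--    view with effective rights on the system views.
EXECUTE AS USER = N'GISviewer';

SELECT HAS_PERMS_BY_NAME(N'dbo.vGISWell', N'OBJECT', N'SELECT')
           AS can_select_view,
       HAS_PERMS_BY_NAME(N'sys.objects', N'OBJECT', N'SELECT')
           AS can_select_sys_objects,
       HAS_PERMS_BY_NAME(N'INFORMATION_SCHEMA.TABLES', N'OBJECT', N'SELECT')
           AS can_select_information_schema;

-- 3. Catalog views are filtered by metadata visibility: the user only
--    gets rows for objects it owns or holds some permission on.
SELECT SCHEMA_NAME(schema_id) AS schema_name, name, type_desc
FROM sys.objects
WHERE is_ms_shipped = 0;

REVERT;  -- return to the original security context
GO
```

Running the same script before and after a permission change on a test copy shows exactly which effective rights the change altered for this user.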
Mile Higher Than Sea Level
http://support.microsoft.com/kb/2513216
Got to love Microsoft SQL Server Support
After dozens of people asking how to solve this - Microsoft referenced this article.
It sure shows the problem. But, it is the End User (all of them) we should educate?

Microsoft warns that deny select to public may have unintended effects - but MS offers no real solution.
Keywords: deny view definition to public
Keywords: deny select to public