November 14, 2010 at 8:55 am
how to set password for particular db in sa login
November 14, 2010 at 9:18 am
jangidsatish148 (11/14/2010)
how to set password for particular db in sa login
you'll want to revamp how you are currently doing access;
first, to be clear, a login has one password only. you cannot change it for each database.
based on your question, i can tell you are using the sa login for everything, and that's not the best practice. best practice is to change the "sa" password to something noone knows,no longer permiut people to use the sa password, and create multiple logins and roles to control access on a per-database level. then you add users to those roles.
create database Sandbox
GO
USE Sandbox
--create a role which can READ any table, and execute any procs/functions
CREATE ROLE [ReallyReadOnly]
--give reader writes to this group
ALTER AUTHORIZATION ON SCHEMA::[db_datareader] TO [ReallyReadOnly]
--explicitly DENY access to writing
ALTER AUTHORIZATION ON SCHEMA::[DB_DenyDataWriter] TO [ReallyReadOnly]
GRANT EXECUTE TO [ReallyReadOnly]
--create the Role for my Dev guys
CREATE ROLE [SandboxDEVAdmins]
ALTER AUTHORIZATION ON SCHEMA::[db_ddladmin] TO [SandboxDEVAdmins]
ALTER AUTHORIZATION ON SCHEMA::[db_datareader] TO [SandboxDEVAdmins]
ALTER AUTHORIZATION ON SCHEMA::[db_datawriter] TO [SandboxDEVAdmins]
GRANT EXECUTE,ALTER TO [SandboxDEVAdmins]
--create role for my normal users
CREATE ROLE [SandboxDEVUsers]
ALTER AUTHORIZATION ON SCHEMA::[db_datareader] TO [SandboxDEVUsers]
ALTER AUTHORIZATION ON SCHEMA::[db_datawriter] TO [SandboxDEVUsers]
GRANT EXECUTE TO [SandboxDEVUsers]
--now add specific users to nearly-Admins
IF NOT EXISTS (SELECT * FROM MASTER.dbo.syslogins WHERE name = N'bob')
BEGIN
EXEC MASTER.dbo.sp_addlogin @loginame = N'bob', @passwd = 'NotARealPassword', @defdb = N'Sandbox', @deflanguage = N'us_english'
END
IF NOT EXISTS (SELECT * FROM MASTER.dbo.syslogins WHERE name = N'jeff')
BEGIN
EXEC MASTER.dbo.sp_addlogin @loginame = N'jeff', @passwd = 'NotARealPassword', @defdb = N'Sandbox', @deflanguage = N'us_english'
END
USE [Sandbox]
--make a user in the db for the matching login
CREATE USER [bob] FOR LOGIN [bob]
CREATE USER [jeff] FOR LOGIN [jeff]
--add these logins to the role
EXEC sp_addrolemember N'SandboxDEVAdmins', N'bob'
EXEC sp_addrolemember N'SandboxDEVAdmins', N'jeff'
--create logins for any domain users
CREATE LOGIN [NT AUTHORITY\Authenticated Users] FROM WINDOWS WITH DEFAULT_DATABASE=[Sandbox]
CREATE USER [NT AUTHORITY\Authenticated Users] FOR LOGIN [NT AUTHORITY\Authenticated Users]
--any one logged into the domain can have basic read/write access via their login
EXEC sp_addrolemember N'SandboxDEVUsers', N'NT AUTHORITY\Authenticated Users'
Lowell
November 14, 2010 at 10:22 pm
there are many database of many people. so anyone open database using sa login. now i want no one should be able to open my database except me.
how to go about that?
November 14, 2010 at 10:38 pm
If everyone's using the sa account, then everyone has access to everything. Login names (and passwords) are server-level, not database level, and anyone who's a member of sysadmin (including sa) has complete rights to everything on that SQL instance.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
November 15, 2010 at 12:08 am
how to solve this problem in best manner.
please suggest me step by step because i am completly new in sql 2005
thanks in advance
November 15, 2010 at 2:12 am
If everyone is using the sa login, you cannot in any way prevent them from seeing or doing what the want on any database on the server.
sa (and in fact any sysadmin login) means unrestricted rights to everything
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
November 15, 2010 at 4:27 am
like i mentioned before, the only solution is to take away the sa login from everyone, and make them login with something else.
in a place where everyone has been using sa for a long time, this can be a hard choice for some, but you can always pass the blame by saying "i was told to tighten security". once the new logins are in place, it'll be much easier to keep things tight in the future.
Lowell
November 15, 2010 at 4:43 am
I understood your point. i will create new login under which i will keep my db but i have to handover backup copy of db to client. whenever client need to take information, he can do it by restoring this backup file.
Here i want solution of MS Access. if i set password for MSAcess file, no one can open it without my permission because i have password.
November 15, 2010 at 4:49 am
SQL server is already like that...once the sysadmin restores or creates a database, NOONE has access to it, except the sysadmins.
as long as no one except the dba has sysadmin privileges, the only access is what gets specifically granted to the users...that could be no access at all (the default), grant to one specific table, or more (like my example)
on a dev machine, where everyone is logging in as sa, you are seeing everyone having access to everything, but that's (hopefully) not how a client would do things.
Lowell
Viewing 9 posts - 1 through 9 (of 9 total)
You must be logged in to reply to this topic. Login to reply