
Author Revoke/deny SOX issue
jaylou

2005-07-20, 8:23 pm

Hi all,
Either revoke/deny doesn't work or I don't understand the concept correctly.

I need to separate the duties of SA and DBO for SOX :(
I am planning on creating 2 new roles in every database. Securityadmin and
DataAdmin.
In testing this I set myself up as a user of a test DB, as a member of
Public I can do everything in the DB as if I was SA.
I tried to deny all rights to my username, and to Public. After doing so I
was still able to create, insert, update, blah, blah...

I have tried all of the following:

DENY CREATE TABLE TO public

DENY SELECT, INSERT, UPDATE, DELETE
ON testrights
TO PUBLIC --username

REVOKE ALL ON testrights TO jfischer

I don't understand why I can still do everything on the server.

TIA,
Joe

Jasper Smith

2005-07-20, 8:23 pm

What does the following return

select is_srvrolemember('sysadmin')

--
HTH

Jasper Smith (SQL Server MVP)
http://www.sqldbatips.com
I support PASS - the definitive, global
community for SQL Server professionals -
http://www.sqlpass.org

"jaylou" <jaylou@discussions.microsoft.com> wrote in message
news:F0EA0EB9-EF0D-460D-84D0-A1AF4E9F9307@microsoft.com...
> Hi all,
> Either revoke/deny doesn't work or I don't understand the concept correctly.
>
> I need to separate the duties of SA and DBO for SOX :(
> I am planning on creating 2 new roles in every database. Securityadmin
> and
> DataAdmin.
> In testing this I set myself up as a user of a test DB, as a member of
> Public I can do everything in the DB as if I was SA.
> I tried to deny all rights to my username, and to Public. After doing so I
> was still able to create, insert, update, blah, blah...
>
> I have tried all of the following:
>
> DENY CREATE TABLE TO public
>
> DENY SELECT, INSERT, UPDATE, DELETE
> ON testrights
> TO PUBLIC --username
>
> REVOKE ALL ON testrights TO jfischer
>
> I don't understand why I can still do everything on the server.
>
> TIA,
> Joe



jaylou

2005-07-21, 7:23 am

Thank you!
The issue was I was part of the administrator group on the server. I didn't
realize the Windows account mattered. I thought SQL security was only
controlled through SQL.

Thanks again!
joe
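
An added example, not part of the original thread: a T-SQL check that expands on the is_srvrolemember query above and shows where a Windows group membership turns into sysadmin rights. It assumes the server's administrators group is a login in the sysadmin role (for example BUILTIN\Administrators, the default on installations of that era); DOMAIN\someuser is a placeholder account name.

```sql
-- Added example: find out why DENY/REVOKE appears to have no effect.
-- Run in the test database while connected as the account being tested.

-- 1. Identity as SQL Server sees it. A sysadmin member enters every
--    database as the user dbo, not as the user the DENY was issued against.
SELECT SUSER_SNAME() AS login_name,
       USER_NAME()   AS database_user;

-- 2. Role membership that makes object-level DENY irrelevant.
--    is_sysadmin = 1 means permission checks are skipped for this session.
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,
       IS_MEMBER('db_owner')        AS is_db_owner,
       CASE
           WHEN IS_SRVROLEMEMBER('sysadmin') = 1
               THEN 'sysadmin: DENY on testrights is not evaluated'
           WHEN USER_NAME() = 'dbo'
               THEN 'connected as dbo: DENY is not evaluated'
           ELSE 'ordinary user: DENY/REVOKE should take effect'
       END AS verdict;

-- 3. Every login in the sysadmin role. Windows groups are listed here
--    as a single row, so individual group members do not appear by name.
EXEC sp_helpsrvrolemember 'sysadmin';

-- 4. For a Windows account, show which group(s) give it access.
--    The "permission path" column names the group, which is how a local
--    administrator ends up with sysadmin without an explicit login.
--    DOMAIN\someuser is a placeholder; substitute the account under test.
EXEC xp_logininfo @acctname = N'DOMAIN\someuser', @option = 'all';
```

For the separation-of-duties test described in the first post, the account used to verify the DENY statements must return is_sysadmin = 0 in step 2; otherwise the test says nothing about what ordinary users can do.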


Copyright 2008 droptable.com