| Author |
Topic |
|
Sarat
Constraint Violating Yak Guru
265 Posts |
Posted - 2003-04-25 : 19:07:07
|
| Hi, I am curious to know if all sys admins should have complete access to data also! In our company, only HR and HR app programmers should have access to employee's sensitive information. If a sysadmin (server/network admin) is in a different dept (like Tech Operations) and HR doesn't want them to view data, what can I do? I am not very familiar with other dbs but there is a very thin line between a dba and sys admin in certain tasks in sql server. Ex: I am trying to isolate the tasks (like backups, server monitoring, logshipping, sp installs) which a server/network dept guy can do vs. dba or db programmers (like indexing, defrag, stored procedures etc.) can do. I understand you have to be a sys admin to do server maintenance but does that justify for you to have access to table data? How do you guys handle this? Thanks, sarat. |
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2003-04-25 : 19:15:13
|
| By default, yes, all sysadmins have complete access to data. By default, sysadmins include sa and administrators on the server. If you don't want your server admins to be able to do stuff in SQL Server, then just remove the Built-in Administrators group from the system administrators role. Then go back and individually add those that you want to have this access. At my organization, we trust those who have sysadmin (DBAs, server administrators, and a few other select individuals) access. If we didn't, then they wouldn't be occupying that position. If you don't want certain people to view the data, then just add them to the specific server role which gives them the correct access. You can easily see what server roles exist in SQL Server in EM by going to Security then Server Roles. To see what the role can do, just double-click on it, then go to permissions. Tara |
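The steps described in the reply above, written out as an added T-SQL example that is not part of the original post. It uses the SQL Server 2000-era system procedures; the logins `CORP\dba_alice` and `CORP\ops_bob`, the database name `HRData`, and the choice of `serveradmin`/`processadmin` for the operations admin are constructed assumptions.

```sql
-- 1. Audit who currently holds sysadmin (expect sa and BUILTIN\Administrators by default).
EXEC sp_helpsrvrolemember 'sysadmin'
GO

-- 2. BEFORE removing the group, give each trusted DBA an individual Windows login
--    and sysadmin membership, so the server is never left without an administrator.
--    A service account that only had access through BUILTIN\Administrators
--    needs its own login and role membership in the same way.
EXEC sp_grantlogin 'CORP\dba_alice'            -- constructed placeholder login
EXEC sp_addsrvrolemember 'CORP\dba_alice', 'sysadmin'
GO

-- 3. Remove the local Administrators group from the sysadmin role.
--    Windows admins on the box no longer inherit full data access.
EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin'
GO

-- 4. Give the operations admin a narrower fixed server role instead of sysadmin
--    (assumption: server configuration and process management are all they need).
EXEC sp_grantlogin 'CORP\ops_bob'              -- constructed placeholder login
EXEC sp_addsrvrolemember 'CORP\ops_bob', 'serveradmin'
EXEC sp_addsrvrolemember 'CORP\ops_bob', 'processadmin'
GO

-- 5. Let the same person run backups of the HR database without SELECT on its tables.
--    Note the backup files still contain the data, so protect where they are written.
USE HRData                                     -- constructed database name
GO
EXEC sp_grantdbaccess 'CORP\ops_bob'
EXEC sp_addrolemember 'db_backupoperator', 'CORP\ops_bob'
GO

-- 6. Verify the result and review what each fixed server role is allowed to do.
EXEC sp_helpsrvrolemember 'sysadmin'
EXEC sp_helpsrvrolemember 'serveradmin'
EXEC sp_srvrolepermission 'serveradmin'
GO
```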