| Author |
Topic |
|
rado
Starting Member
18 Posts |
Posted - 2003-11-06 : 06:15:11
|
Hi,

I've created a separate user/login which is used to access the database from my ASP.NET application. This user is a member of only the "public" role for this database, and has execute permissions for 6 SProcs and for nothing else (so this user cannot do select, insert on any table nor exec on other SProcs).

The problem is that if someone uses EM to login with this user/password, they will see the list of tables and sprocs, and although they cannot read or write data into database tables and cannot execute other SProcs, they can see the structure of the tables by double-clicking them, and they can see the code of the SProcs.

Is there a way to prevent them from this?

Thanks in advance!
Rado |
|
|
nr
SQLTeam MVY
12543 Posts |
Posted - 2003-11-06 : 06:42:03
|
| You can encrypt the procs.

==========================================
Cursors are useful if you don't know sql.
DTS can be used in a similar way.
Beer is not cold and it isn't fizzy. |
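
An added example, not part of nr's reply: encrypting a procedure with `WITH ENCRYPTION`, granting execute to the restricted login, and then auditing which procedures still have readable source. The names `dbo.Orders`, `dbo.usp_GetOrder` and `webapp_user` are hypothetical.

```sql
-- Hypothetical objects: table dbo.Orders, procedure dbo.usp_GetOrder,
-- database user webapp_user (the restricted application login).

-- WITH ENCRYPTION stores the procedure text in obfuscated form, so
-- Enterprise Manager and sp_helptext cannot display the source.
CREATE PROCEDURE dbo.usp_GetOrder
    @OrderID int
WITH ENCRYPTION
AS
    SELECT OrderID, CustomerID, OrderDate
    FROM dbo.Orders
    WHERE OrderID = @OrderID
GO

-- The application login only needs EXECUTE on the procedure,
-- not SELECT on the underlying table.
GRANT EXECUTE ON dbo.usp_GetOrder TO webapp_user
GO

-- Audit: list stored procedures whose source is still readable.
-- syscomments.encrypted is 1 for objects created WITH ENCRYPTION.
SELECT DISTINCT o.name AS readable_procedure
FROM sysobjects o
JOIN syscomments c ON c.id = o.id
WHERE o.xtype = 'P'
  AND c.encrypted = 0
ORDER BY o.name
GO

-- Spot check: for an encrypted procedure this reports that the text
-- is encrypted instead of printing the source.
EXEC sp_helptext 'dbo.usp_GetOrder'
GO
```

Keep the original script in source control, because the server will not return the text of an encrypted procedure. `WITH ENCRYPTION` is obfuscation rather than strong encryption, and it applies only to procedures, views, functions and triggers, so it does not hide table structure.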
 |
|
|
robvolk
Most Valuable Yak
15732 Posts |
Posted - 2003-11-06 : 08:18:13
|
| Remove Enterprise Manager from the machine of anyone who should not be using it. This "anyone" extends to anyone who is not a database administrator. Period. EM does not get installed automatically with Windows, and it is not needed to connect to SQL Server via some other means.

Sorry if I sound harsh, but this question is somewhat along the lines of "I gave my house keys and alarm code to a burglar, how do I keep them from burglarizing my house?" |
 |
|
|
rado
Starting Member
18 Posts |
Posted - 2003-11-06 : 09:08:14
|
| If I understand this correctly, there is no way to hide it from EM once the user has permission to access the database itself (even as a member of the public role).

The problem is that people who will be using the application that will access the database from outside (using this restricted login/password described in my previous post) may somehow hack into the application to get this login/password (which is normally not available to them) and then try to use Enterprise Manager (if they have it) to hack into the database. They will not do any harm, as they can only execute some harmless SProcs, but I would not want them to see the code or structure of the tables. |
 |