I have sql server 2005,
I need to create separate database login to support engineer of my software vendor to access their own database. My only worry is deny him to take backup from our database while he connected remotely to resolve any incident in the application.
To sum up,
1- How to create login with access to specific database only
2- How to monitor his activity on database (what query he runs, is he try to took any backup and when)
3-Deny Any backup and restore task (I want to keep this only to sysadmin)
Best Answer
I - To create a login with access to specific database only:
3 Enter the login details. In Server Roles, make sure only 'public' is checked
4 In User Mapping, make sure only the vendor database is selected.
If public role for the vendor database is not enough, grant the necessary permissions but only on the vendor database
Another solution is to deny access to all databases and then grant just to the vendor database
DENY VIEW ANY DATABASE TO [SE]
See more info here: http://msdn.microsoft.com/en-us/library/ms177518.aspx
II- How to monitor his activity on database (what query he runs, is he try to took any backup and when)
I suggest using some third party tools. Transaction logs don't capture info about executed queries
III-Deny Any backup and restore task (I want to keep this only to sysadmin)
Having public role will prevent the user to backup or restore databases
he'll get the following messages when he tries to backup or restore a database
T-SQL statement to deny creating backups is:
DENY BACKUP ANY DATABASE to [SE]