I am merging a few instances together which are for separate customers. They need to be separated by account access so customer X can't view customer Y's databases.
I have created a login (we'll call it Bob). Bob has the server roles dbcreator and public. Under user mapping, I have given access to the required databases.
If I use these account details in SSMS, I can see all of the databases (as If I were SA). I can only open the database I have access to but I still don't want Bob to be able to see other customers' database names. Any ideas?
Also, when using a script in my application to create a new database, it complains that I do not have access to C:\Program Files\Microsoft SQL Server\MSSQL12.IDENTITYACCESS\MSSQL\DATA
My instance has access to this folder but I do not want to give Bob the sysadmin server role. Is there a way to give Bob access to that folder without giving the sysadmin server role?
Best Answer
SQL Server Login
When you create a SQL Server login (be it either a native SQL Server login with password or a Windows Authenticated login without password), then this user is assigned certain default permissions/privileges. Let's have a step-by-step look at how we can achieve what you want.
1. Create SQL Server Login
Reference: CREATE LOGIN (Transact-SQL) (Microsoft | Docs | SQL)
The login has been create for
[Bob]and he can already connect to the SQL Server instance.You may ask yourself: How so?
When a login is created the login receives some default permissions/privileges. Let's see what they are.
2. Check [Bob]'s Permissions/Privileges
In a SQL Server query window execute the following statements/commands:
Reference: EXECUTE AS (Transact-SQL) (Microsoft | Docs | SQL)
With the above step we are posing as [Bob] and are then going to check the default permissions/privileges. Next step:
Reference: sys.fn_my_permissions (Transact-SQL) (Microsoft | Docs | SQL)
We are checking the default permissions of [Bob] for various so called securable classes (
securable_class). We only receive return values for the first statement. These are:These basic permissions seem reasonable. Allowing the login to connect to the SQL Server instance is a good thing and letting the login view any database seems pretty adequate.
Oh, but you don't want the login [Bob] to be able to view any database? Well let's
DENY[Bob] that privilege.3. DENY Privilege to [Bob]
The following command will deny [Bob] the ability to view any database on the server:
You will have to open a new Query Window as your current Query is running as [Bob] and [Bob] can't revoke his own permissions/privileges. Try it....
Reference: DENY Server Permissions (Transact-SQL) (Microsoft | Docs | SQL)
...and because you shouldn't trust anything you read on the internet, you should go ahead and verify that [Bob] can't view any databases:
Which returns:
Even though you have denied the
VIEW ANY DATABASEprivilege to [Bob], he'll still have the ability to view themasterandtempdbdatabase. He can't view themsdbormodeldatabases. Why? Well, this topic is worth a separate discussion...4. GRANT Privileges to Create Databases
[Bob] is now able to connect to the SQL Server instance, but unable to view any database (other than
masterandtempdb) or perform any other task. But he needs to be able to create databases. Let's assign the right privilege:Hmmm. Let's see if [Bob] can create a database now:
And let's see if [Bob] can view his own database:
This returns:
So we have proven that [Bob] can create his own databases, but not view all databases.
Folder Access
The folder access issue is a bit more complex. Needless to say, [Bob] doesn't have access to my local
C:\SQL\Data\...folder, because [Bob] is a native SQL Server login. However, he does have theCREATE ANY DATABASEprivilege, so he doesn't actually require access to the folder itself; the SQL Server instance's service account will do that for him.Your issue with the folder access might have to do with how you are executing the script in your application. Is it [Bob] that is executing the statement or some unknown application pool account? Does that account have privileges to create any database? Or could you pose as [Bob]?
This does require that the application pool account have adequate SQL Server privileges. You might have to rewrite that part in your code or seek further advice on how to pose as somebody else.