SQL Server – Grant Permission to KILL Connections for Certain Databases

killpermissionssql server

For a SQL Server on a VM/physical box (not Azure SQL database!)

Is this possible to grant KILL permission, but in a way that grantee can kill connections only for certain databases ?

I would not want to grant this user ability to kill any connection, but just 1 database

Thanks!!

Best Answer

Granting highly selective / fine-grained permission is rather easy via module signing:

USE [master]
Create a stored procedure to do whatever you want the low-privileged Login(s) to be able to do, with the necessary checks, etc.
Create a Certificate
Create a Login from that Certificate
Grant that Certificate-based Login the minimum level of permissions required to accomplish what the Stored Procedure is coded to do (in this case it might just be ALTER ANY CONNECTION (according to @sepupic)
Sign that Stored Procedure with that Certificate using ADD SIGNATURE
Grant the low-privileged Login(s) EXECUTE permission on that Stored Procedure.

HOWEVER, figuring out what Session / SPID is affecting which DB(s) is not easy. The database_id reported in sys.dm_exec_sessions is the "current" database: either what was connected to / their default DB if not specified in the connection string / whatever DB was changed to via the most recent USE statement. But the "current" database isn't necessarily where the problem is. Anyone can execute code and run queries in other DBs using 3-part names (a query can reference 3 tables, each in separate DBs, and none of them being in the "current" DB). So, I'm not sure how you would reliably enforce the "only certain DBs" constraint.

Related Solutions

Sql-server – Granting Permissions for a limited period of time

A very simple approach would be to open up an SSMS query window that's connected to the instance you want and use either WAITFOR DELAY or WAITFOR TIME

WAITFOR DELAY '00:01:00' --waits for 1 minute
PRINT 'FINISHED' --revoke permission code
--(optional TSQL code to send an email when complete

or ------

WAITFOR TIME '08:00'  --waits until 8am
PRINT 'FINISHED' --revoke permission code
--(optional TSQL code to send an email when complete

You could even include TSQL code to send you an email indicating the process had completed.

Keep in mind that if your SSMS session dies for any reason, the revoke code will not be executed.

A more robust (and more complex) solution would be to use Service Broker BEGIN CONVERSATION TIMER

How to Grant Permission to View Database Audit Logs to Non-Sysadmin Login – SQL Server

Reference:

Microsoft recommends viewing the audit log by using the Log File Viewer. However, if you are creating an automated monitoring system, the information in the audit file can be read directly by using the sys.fn_get_audit_file (Transact-SQL) function. Reading the file directly returns data in a slightly different (unprocessed) format. See sys.fn_get_audit_file for more information.

In order to use sys.fn_get_audit_file users requires the CONTROL SERVER permission.

You can deny privilege on a principle who has been assigned CONTROL SERVER permission which is not possible in case of SYSADMIN.

More about this:

Security Questions: Difference between sysadmin and CONTROL SERVER Permission by Jason Strate.

Best Answer

Related Solutions

Sql-server – Granting Permissions for a limited period of time

How to Grant Permission to View Database Audit Logs to Non-Sysadmin Login – SQL Server

Related Question