Is it possible to deny RESTORE
permissions to a login with db_owner
role membership?
Is dbcreator
required to RESTORE over an existing DB with a BACKUP of that DB? Or is that only needed when creating a new DB from a BACKUP?
I'm trying to prevent a user with db_owner
membership from accidentally restoring to the wrong server/instance.
Best Answer
The Microsoft RESTORE statement Docs say this about database permissions:
I'd suggest providing the person who requires db_owner level permissions be a separate login from actual database owner. Membership in the
db_owner
database role prevents that user from performing a restore.Logins can be prevented from performing
RESTORE DATABASE
by denying themCREATE ANY DATABASE
permission.As a test, I did this on my SQL Server 2008 R2 instance.
Create a test login:
Create a test database:
Create a user in the test database for the login above, and add the user to the
db_owner
database role:Create a backup of the database:
Test the restore statement as the login:
Output:
Cleanup:
FYI, the database owner is changed like this:
(or with
sys.sp_changedbowner
, which is deprecated)Membership in the db_owner role is granted like this:
Although both statements seem to affect the "database owner", that is not the case; only the
ALTER AUTHORIZATION
statement can modify which login owns the database. See this excellent answer by Remus Rusanu.If you want to allow the login to restore databases in the non-production environment, make them a member of the
dbcreator
server role: