With SQL Server 2005 there is an option to grant a person access to Profiler for tracing SQL. This is done with the "GRANT ALTER TRACE" statement. The statement has to be executed at server level i.e. the master database.
The user in question only has access to certain databases on that server. The security problem that arises is that with the Profiler rights active, he can see the sql commands that are executed on the databases he has no rights for. Those SQL commands are executed by others users.
How do I configure security rules so that the person in question can use Profiler, but can only see the SQL statements that are executed on the databases he has the rights for? TIA!
Unfortunately there is no such level of granularity in SQL Server 2005 permission model, and ALTER TRACE is considered an elevated permission because of the reasons you mentioned.
Hopefully somebody may be able to reply back with a good workaround.
-Raul Garcia
SDE/T
SQL Server Engine
No comments:
Post a Comment