SQL Server 2005: Deny Server-Level Dynamic Management Views to public group
As you are aware DMV - Dynamic management views are very good to provide server-level information and some of them with detailed information on the execution environment of the database engine.
Just to introduce about DMVs, there are two types of dynamic management views and functions:
- Server-scoped dynamic management views and functions. These require VIEW SERVER STATE permission on the server.
- Database-scoped dynamic management views and functions. These require VIEW DATABASE STATE permission on the database.
Books online refers the permission to execute these DMVs as:
To query a dynamic management view or function requires SELECT permission on object and VIEW SERVER STATE or VIEW DATABASE STATE permission. This lets you selectively restrict access of a user or login to dynamic management views and functions. To do this, first create the user in master and then deny the user SELECT permission on the dynamic management views or functions that you do not want them to access. After this, the user cannot select from these dynamic management views or functions, regardless of database context of the user.
Sometimes it may be obvious to grant permission to the users that are not under SYSADMIN group to execute the DMVs, it is unlikely that hosting application users will require access to data contained within the DMVs. To stop this kind of access in preventing the potential of information disclosure if users have access to it you can reovke the access to server-level DMVs with following statement:
DENY VIEW SERVER STATE TO public
**__________________________________**
SQL Server MVP, Sr. DBA & industry expert.
-
Knowledge is of two kinds. We know a subject ourselves or we know where we can find information on it. It is also a power and you will gain by sharing it.