Find VIEW ANY Database permission privileges for all users

Published 18 July 07 08:11 AM | satyaskj

You may be aware that any login that is created on SQL Server will have permission or privilege to see all databases on that instance. This is due to VIEW ANY DATABASE permission that regulates the exposure of metadata system databases. This permission is granted to the public role. Therefore, by default, every user that connects to an instance of SQL Server 2005 can see all databases in the instance. To verify this behavior, run the following query:

SELECT l.name as grantee_name, p.state_desc, p.permission_name
FROM sys.server_permissions AS p JOIN sys.server_principals AS l
ON p.grantee_principal_id = l.principal_id
WHERE permission_name = 'VIEW ANY DATABASE' ;
GO

So to avoid this you could limit or deny a login to grant VIEW ANY DATABASE permission when it is created.

Filed under: tsql, sql server, databases, public, view

Comments

# SSQA - SqlServer-QA.net said on July 18, 2007 9:35 AM:: You may be aware that any login that is created on SQL Server will have permission or privilege to see

Anonymous comments are disabled

SQL Server Transact-SQL (SSQA.net)

Find VIEW ANY Database permission privileges for all users

Comments

Search

This Blog

Tags

Navigation

Archives

Syndication