![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/2e1ax_default_entry_sqlserver2014_20130625-144612_1.jpg\")
<\/p>\n<\/p>\n
Microsoft will introduce four new security permissions in SQL Server 2014. One of them called SELECT ALL USERS SECURABLES is the subject of this post. \u00a0As explained by Microsoft SQL Server 2014 will allow a database administrator to manage data without seeing sensitive data or personally identifiable information. We can achieve a greater compliance but we must take care what is said because we could be wrong about the terms \u201cmanage without seeing sensitive data\u201d. Let me explain.<\/p>\n
If we have a na\u00efve approach we could misunderstand this terms and think \u201coh great \u2026 with SQL Server 2014 we will prevent a database administrator to see all data (sensitive or not) but in\u00a0fact I think (personal point of view) on reflection it is not exactly the goal of this server permission.<\/p>\n
Basically \u201cSELECT ALL USERS SECURABLES\u201d permission is designed, when granted, to allow a user to view data in all databases he can connect. For auditing purposes, the new permission is very interesting and it can be also used to prevent someone to read. Furthermore, SQL Server 2005 introduced the concept of \u201csecurable\u201d that can be the server.\u00a0 One of the new server permission provided is CONTROL SERVER often associated with sysadmin fixed role because it will grant full server level permissions and automatically grant full access to all databases but unlike sysadmin fixed role it allow a more granular approach to granting and denying access to individual securable (login in our case) without bypassing the permission check algorithm. Thus, applying security principles to DBA team staff begins by avoiding to use sysadmin role and to prefer CONTROL SERVER permission. At this point I know, we\u00a0could claim this is not\u00a0that easy as\u00a0CONTROL SERVER has multiple caveats but let me demonstrate by a practical example where we can use the new server permission \u201cSELECT ALL USERS SECURABLES\u201d to restrict database administrators to view data in all databases.<\/p>\n
First we can create a server role introduced with SQL Server 2012 for the database administrator team:<\/p>\n
<\/p>\n
<\/p>\n
Then we create a database administrator login dba1:<\/p>\n
<\/p>\n
<\/p>\n
We add the login as member of the dba1 fixed role :<\/p>\n
<\/p>\n
<\/p>\n
Now it\u2019s time to play with both the server permission CONTROL SERVER and SELECT ALL USER SECURABLES to prevent a database administrator to read data in all databases.<\/p>\n
<\/p>\n
<\/p>\n
We can now\u00a0ensure it works by connecting with the login dba1.<\/p>\n
<\/p>\n
<\/p>\n
In my configuration I have a database named SensitiveDB with a table named SensitiveTable.<\/p>\n
<\/p>\n
![\"billet2_newsecuritysql14_1\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet2_newsecuritysql14_1.jpg\")
<\/p>\n
<\/p>\n
<\/p>\n
![\"billet2_newsecuritysql14_2\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet2_newsecuritysql14_2.jpg\")
<\/p>\n
<\/p>\n
<\/p>\n
![\"billet2_newsecuritysql14_3\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet2_newsecuritysql14_3.jpg\")
<\/p>\n
<\/p>\n
<\/p>\n
![\"billet2_newsecuritysql14_4\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet2_newsecuritysql14_4.jpg\")
<\/p>\n
<\/p>\n
And so on \u2026 At this point we can view all objects in the database and their definitions. Now if we try to read data in the table SensitiveTable or from the view V_SensitiveTable :<\/p>\n
<\/p>\n
<\/p>\n
![\"billet2_newsecuritysql14_5\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/billet2_newsecuritysql14_5.jpg\")
<\/p>\n
<\/p>\n
As expected we don\u2019t have the permissions to read data in the database or from anywhere. Ok great, we\u2019ve done a good job. Database administrators can manage the SQL Server instance but they cannot read data! But is it really over? The answer is\u00a0of course\u00a0no. Why? At this point we have to remember about the server permission CONTROL SERVER. It will grant full permissions on the server and automatically on all the databases. It means a person which have this server permission can grant himself permissions to a securable even if it exists an explicit DENY for this securable. It is easy to retrieve which permissions are denied :<\/p>\n
<\/p>\n