patternsqlMinor
Grant permission to KILL connections (sessions) for certain databases only?
Viewed 0 times
killdatabasespermissiongrantforcertainonlyconnectionssessions
Problem
For a SQL Server on a VM/physical box (not Azure SQL database!)Is this possible to grant KILL permission, but in a way that grantee can kill connections only for certain databases ?
I would not want to grant this user ability to kill any connection, but just 1 database
Thanks!!
Solution
Granting highly selective / fine-grained permission is rather easy via module signing:
HOWEVER, figuring out what Session / SPID is affecting which DB(s) is not easy. The
USE [master]
- Create a stored procedure to do whatever you want the low-privileged Login(s) to be able to do, with the necessary checks, etc.
- Create a Certificate
- Create a Login from that Certificate
- Grant that Certificate-based Login the minimum level of permissions required to accomplish what the Stored Procedure is coded to do (in this case it might just be
ALTER ANY CONNECTION(according to @sepupic)
- Sign that Stored Procedure with that Certificate using
ADD SIGNATURE
- Grant the low-privileged Login(s)
EXECUTEpermission on that Stored Procedure.
HOWEVER, figuring out what Session / SPID is affecting which DB(s) is not easy. The
database_id reported in sys.dm_exec_sessions is the "current" database: either what was connected to / their default DB if not specified in the connection string / whatever DB was changed to via the most recent USE statement. But the "current" database isn't necessarily where the problem is. Anyone can execute code and run queries in other DBs using 3-part names (a query can reference 3 tables, each in separate DBs, and none of them being in the "current" DB). So, I'm not sure how you would reliably enforce the "only certain DBs" constraint.Context
StackExchange Database Administrators Q#185832, answer score: 6
Revisions (0)
No revisions yet.