Search code examples
sql-serverdatabase-security

Hide a database from logins with VIEW ANY DATABASE permission


On our SQL Server, we have a lot of users (logins) who have 'VIEW ANY DATABASE' as an effective permission. I need to secure a single database and its tables from these users. Ideally, they shouldn't be able to see it. If that's not possible than they shouldn't be able to view (use the SELECT statement).

I've tried different approaches, but I don't want to prevent them from accessing their other databases. Also, I see the db_denydatareader and db_denydatawriter roles, but hope I won't have to specify all the possible user names.


Solution

  • I found that the "effective" permission 'VIEW ANY DATABASE' in the Login Securables panel is misleading. Even though it shows at the Login level, it doesn't mean they have access to "any database" -- only the ones to whom they've been explicitly or implicitly mapped.

    In this case, there was an Active Directory User Group login defined that had mapped these users (belonging to the AD Group) to multiple databases.

    So the only thing that needs to be done is to verify that the database you want to hide is not mapped to the User Group (Login/Properties/User Mapping) and then validate the user's access.