开发者

protect stored procedure by deny view definition

Is it enough for protecting stored procedure code if user has DENY VIEW ANY DATABASE DENY VIEW ANY DEFINITION?

User is granted execute sp only. Is it possible for him to trace or someh开发者_开发知识库ow see the code? I could not connect under that login with profiler but maybe some other ways available.


It's not clear what your goal is: are you trying to protect intellectual property; prevent users from seeing sensitive information in source code (e.g. passwords); prevent users from ALTERing the procedures themselves, or something else? Are your users internal users in your own company or are they external customers? Do they host the database and the application or do you?

To protect intellectual property:

  • Have your users (customers?) sign an NDA or contract that specifies your terms and conditions and includes penalties for disclosing your intellectual property
  • Move the sensitive information into a service that you host and expose as a web service

To prevent users seeing the source code:

  • CREATE PROCEDURE WITH ENCRYPTION - this only prevents 'normal' users from seeing the code, it will not stop a determined user with sysadmin permissions
  • Write a CLR procedure in .NET instead of using TSQL
  • Move the sensitive information into a compiled client application
  • Move the sensitive information into a service that you host and expose as a web service

To prevent users ALTERing the procedures:

  • Don't give them the necessary permissions

In the end, a determined user with sysadmin permissions will always reverse-engineer, debug, decompile or otherwise uncover the logic in your code. So you need to be very clear about exactly what you're trying to prevent, what the potential impact is on you or your company, and how much time and money you're willing to invest in preventing it.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜