Export (0) Print
Expand All
3 out of 5 rated this helpful - Rate this topic

VIEW ANY DATABASE Permission

VIEW ANY DATABASE permission is a new, server-level permission. A login that is granted this permission can see metadata that describes all databases, regardless of whether the login owns or can actually use a particular database.

The VIEW ANY DATABASE permission regulates the exposure of metadata in the sys.databases and sys.sysdatabases views, and the sp_helpdb system stored procedure.

By default, the VIEW ANY DATABASE permission is granted to the public role. Therefore, by default, every user that connects to an instance of SQL Server 2005 can see all databases in the instance. To verify this behavior, run the following query:

SELECT l.name as grantee_name, p.state_desc, p.permission_name 
FROM sys.server_permissions AS p JOIN sys.server_principals AS l 
ON   p.grantee_principal_id = l.principal_id
WHERE permission_name = 'VIEW ANY DATABASE' ;
GO

The metadata that describes the master and tempdb databases is always visible to public.

Members of the sysadmin fixed server role can always see all database metadata.

Database owners can always see rows in sys.databases for databases that they own.

Granting the CREATE DATABASE and ALTER ANY DATABASE permissions to a login confers access to the database metadata.

ms189077.note(en-US,SQL.90).gifNote:
CREATE DATABASE permission is implicit to the dbcreator fixed server role.

ms189077.note(en-US,SQL.90).gifNote:
If you grant CREATE DATABASE and ALTER ANY DATABASE permissions to a login and do not deny VIEW ANY DATABASE to the login, the login can see all rows in sys.databases.

To limit visibility to database metadata, deny a login the VIEW ANY DATABASE permission. After this permission is denied, a login can see only metadata for master, tempdb, and databases that the login owns.

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.