Our Group Security policy dictates that personal information is classified as highly confidential, and as such, the regular DBA performing normal database admin tasks should be prevented from reading data in the database containing that data.
How can we make this possible? The DBA should be able to manage the SQL Server instance without having access to a particular database.
Just add the DBA in question to the db_denydatareader database role and also to the db_denydatawriter role (just in case). This way, the DBA will still be able to perform normal admin tasks but will not be able to read the sensitive data. Once the roles are granted, you will still need to add the audit to prevent the DBA in question from temporarily removing this membership (and adding it back in after the data is read) and/or from accessing the data in the database tables as sa. The script to grant the membership:

```sql
-- Run in the database that holds the sensitive data
ALTER ROLE db_denydatareader ADD MEMBER [dba_user_name];
GO
ALTER ROLE db_denydatawriter ADD MEMBER [dba_user_name];
GO
```

Oleg
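A fuller version of the same approach, added here as an example and not part of Oleg's answer: the deny-role membership, a query to verify it, and a SQL Server Audit that records role-membership changes and SELECTs in the database, so that the "remove membership, read, add it back" and "read as sa" paths the answer mentions leave a trail. The database name [HRData], the user [dba_user_name], the audit names and the file path are assumed placeholders; it also assumes the DBA is not a member of the sysadmin fixed server role, whose members bypass permission checks entirely.

```sql
-- Assumptions (placeholders): database [HRData], database user [dba_user_name],
-- audit file directory D:\SqlAudit\. The DBA is assumed NOT to be in sysadmin,
-- since sysadmin members are not subject to DENY and the deny roles would not apply.
USE [HRData];
GO

-- 1. Deny reads and writes via the fixed database roles.
ALTER ROLE db_denydatareader ADD MEMBER [dba_user_name];
ALTER ROLE db_denydatawriter ADD MEMBER [dba_user_name];
GO

-- 2. Verify the membership is in place (expect two rows: db_denydatareader, db_denydatawriter).
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'dba_user_name';
GO

-- 3. Server-level audit object writing to a file target; ON_FAILURE = CONTINUE keeps
--    the instance running if the audit target becomes unavailable.
USE master;
GO
CREATE SERVER AUDIT [Audit_HRData_Access]
    TO FILE (FILEPATH = N'D:\SqlAudit\')
    WITH (ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT [Audit_HRData_Access] WITH (STATE = ON);
GO

-- 4. Database audit specification: record every role-membership change in this
--    database and every SELECT against it by any principal (public covers sa as well).
USE [HRData];
GO
CREATE DATABASE AUDIT SPECIFICATION [Audit_HRData_Spec]
    FOR SERVER AUDIT [Audit_HRData_Access]
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SELECT ON DATABASE::[HRData] BY public)
    WITH (STATE = ON);
GO

-- 5. Review the trail: who touched role membership or read data, and when.
SELECT event_time, action_id, server_principal_name, database_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SqlAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

The audit log should be stored where the audited DBA cannot alter it, and step 5 reviewed by someone other than that DBA.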