How to deny writes in all SQL Server databases (including new ones & restored ones)

If you could live with a finite time (minimum 10-seconds) between executions to catch new/restored databases, you could create a scheduled SQL Server Agent Job and put something like this in a T-SQL Job Step:-

SET NOCOUNT ON

DECLARE @command nvarchar(max) ;

SET @command = 
N'SET NOCOUNT ON

DECLARE @UserName sysname ;

SELECT @UserName = USRS.[name] 
FROM sys.database_principals AS USRS
INNER JOIN sys.server_principals AS LGNS ON LGNS.[sid] = USRS.[sid]
WHERE LGNS.[name] = ''LoginName'' ;

IF IS_ROLEMEMBER(''db_denydatawriter'', @UserName) = 0
   BEGIN
      EXEC sp_addrolemember ''db_denydatawriter'', @UserName ;
   END ;' ;

EXEC sp_ineachdb 
   @command      = @command, 
   @state_desc   = N'ONLINE', 
   @is_read_only = 0 ;

Tags:

Sql Server

Security

Related

Does Postgres optimize this JOIN with subquery? What does "psql: /usr/pgsql-11/lib/libpq.so.5: no version information available (required by psql)" actually mean? Datetime progressive sum PostgreSQL Does MySQL 8 ASCII vs utf8mb4_0900_ai_ci size differ when only using ASCII characters? is there any point of moving tempdb files into different disk drive if all LUNs are from the same RAID pool? SQL Server 2019 performance worse than 2012... am I missing something? How can I set a column to NOT NULL without locking the table during a table scan? Memory utilization by SQL Server Is a single-table relational database similar to a simple NoSQL database? What is the point of outer in a join? SELECT DISTINCT ON, ordered by another column Does ordering by auto-incrementing PK ensure chronological order?

Recent Posts