8

Where I work we have a SQL Server database (Microsoft SQL Server 2008 R2) that serves as the back-end with two different user interfaces, a .NET web interface and a FoxPro interface.

Every month we need to apply updates to both the Web and FoxPro clients. Before doing this, we are advised to make sure that no one is accessing the database during the update process.

What it the easiest way to prevent access to the database while we update it? Follow-up question: What is the best way to prevent access while we update it?

Baodad
  • 483
  • 3
  • 8
  • 14

4 Answers4

11

If you put the database into Restricted User mode, then only members of the fixed server roles sysadmin or dbcreator, or members of the fixed database role db_owner can access the database:

ALTER DATABASE my_app_db SET RESTRICTED_USER

If you want to force existing connections to be closed:

ALTER DATABASE my_app_db SET RESTRICTED_USER WITH ROLLBACK IMMEDIATE

And when you're ready to put things back to normal:

ALTER DATABASE my_app_db SET MULTI_USER

Source: http://www.blackwasp.co.uk/SQLRestrictedUser.aspx

I don't recommend Single User mode in these cases, as the application update process may need to open multiple connections simultaneously.

db2
  • 9,708
  • 4
  • 37
  • 58
9

There are couple of ways that you can restrict access to a database :

  1. Using LOGON Trigger - but only temporarily (enable before upgrade and then disable it). Refer to my answer here for more details including a script.
  2. You can shutdown IIS on the webservers so that no connections are made using the application. This is called "Applicaiton downtime"

  3. Keep database in single user mode using (Note this will be risky as if there is any other connection to the database then you might end up waiting or refused connection.)

    alter database databasename
set single_user with rollback immediately

You are better off using Option 2 as a safe and planned upgrade during your maintenance window.

EDIT:

Restricted user - only users with dbo rights on database allowed (e.g. db_owner, dbcreator, sysadmin). This means that multiple users can still be logged into the database, as long as they are DBO.

Single user - only one connection allowed i.e. first come, first served.

Due to the fact that Single user will be first come, first served -- it will be more risky in case of error or somehow your connections gets terminated.

When dealing with Logon Trigger, as @AaronBertrand pointed out, that it will not work for existing sessions, but you can over come that by first killing all the sessions and then enabling the trigger so that all the new incoming connections have to go through the trigger.

I can't think of any other way of restricting the connections to the database.

Community
  • 1
Kin Shah
  • 62,545
  • 6
  • 124
  • 245
3

If you have a set group of users that would access the database or just one or two application accounts that make the database connection you could simply disable the login(s) and kill all connections, and then just re-enable the login(s) when you are done.

Cougar9000
  • 1,538
  • 1
  • 13
  • 29
1

I’m not sure I understand if your SQL Server is on the same machine as apps that are accessing it.

If not you can just disable firewall port for SQL Server for all incoming traffic and you’re all good. Another option is to disable IP address in SQL Server configuration manager that is used to access the server (and leave only local IP 127.0.0.1)

Stanley Norman
  • 349
  • 3
  • 3