Restrict DBA access to Azure database
For financial transactions, we may have multiple persons to approve a transaction or record. It would be helpful if there were a second person who can restrain the DBA from updating records in the database, for fraud prevention.
Is there a way to restrict the DBA from directly updating records in the database via query? The DBA can create a SQL user who has write or update permission on tables. Or the DBA can attach himself to a role that has that permission.
In the concept of a second person for checks and balances, would it help to have a second person who can set certain tables as update-protected except via a designated application such as a Power App? Then that Power App is managed by a business owner who does not give the DBA permission to it. In addition, that application has multiple levels of approvers built in.