We have a third-party vendor setting up software on a server. They have full access to that server and the sql-server on it with the sa account. We would like to set up a linked server so that a trigger can update data on a remote machine. Does access to the sa account necessarily mean that they have full access to the linked server or is there a way to protect yourself from sa?

EDIT: We wanted to give them full control of the server because we want them to have full responsibility. It takes the blame off us when it stops working. “hey, we didn’t touch it, you fix it, you have full permissions”. That way, they can do whatever they need to to get their software working, but it’s in a sand boxed environment. We just need a trigger to get the final records out of their database and insert into our production database. That requires permissions we don’t want to give them. The question was meant to ask if there was a way to save the password in that sand boxed environment under there noses. so to speak.