• Eric M Russell (9/30/2014)


    GilaMonster (9/30/2014)


    Eric M Russell (9/29/2014)


    Upgrading to the next release of SQL Server offers an excellent pretext for removing unneeded permissions from app developers.

    "I'm so sorry, I know it's a pain in the a$$, but under SQL Server 20xx a login can't drop/recreate objects unless we make them database owner or sysadmin. It's a new default feature intended to tighten security and prevent SQL injection attacks. Do we really want to operate under a non-standard security configuration? It's best just to leave it as is and let the DBA execute all the deployments."

    Because lying to management is such a great way to get them to trust you....

    OK, but is it really a lie? I believe it's just being "economical with the truth".

    http://en.wikipedia.org/wiki/Lie#Types

    Notice I never said that it's impossible to continue granting such privilege going forward. It's actually true (for the most recent release as well as all past releases) that a login can't drop/recreate objects unless it's a member of the SYSADMIN role or at least DBO for the database, and it's also true that granting membership in those roles to non-operational staff exposes security risks needlessly.

    Gosh, being "economical with the truth" requires the same memory of who you told what to and, if such an omission is discovered, it will be just as detrimental to your reputation and credibility as if it were an outright lie instead of a lie by omission.

    Although a lot of other people don't abide by it, I consider absolute truth (including not being "economical with the truth") and immediate notification as part of the essential core requirements for being a DBA or a good consultant. Being able to deal with any fallout from such honesty is also an essential core requirement.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.

