Hi,
I have just started at a new company and I am tightening security at the moment.
One of our 3rd party providers has a login to perform software rollouts/upgrades on one of our servers. They previously had sysadmin level of access (which I have now reduced).
Is there a best practice for what roles and permissions a 3rd party provider should have for performing upgrades and data rollouts on a server, or does it depend on a number of factors which I need to continue investigating?
Thanks, George
George
I think it depends. The ideal solution is for them to develop the solution on their own systems (possibly a copy of your database) and provide you with a script to run on your own system. If they can't, or won't do that, then you probably need to quiz them thoroughly about the changes they're going to make and give them only the access they need to make them, and only for the duration of the change.
John
I recommend running in FULL recovery and taking lots of backups. If the rollout is multi-phased or prolonged then take a FULL backup at each logical stopping point. You can always restore these backups to other instances and do before and after compares to make sure what they say they did and what they actually did match up. Being in FULL recovery and having log backups also allows you to recover to a point in time if needed.
If they legitimately require sysadmin privs then I would grant them to a specific login that belongs only to them for purposes of the rollout, then take away sysadmin privs when the rollout is done. Consider setting up an Extended Events Session (or Trace) to capture the activity associated with their login while they're doing the rollout, in case you need to refer to it should something result in a problem after the rollout.
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato
Believe you can and you're halfway there. --Theodore Roosevelt
Everything Should Be Made as Simple as Possible, But Not Simpler --Albert Einstein
The significant problems we face cannot be solved at the same level of thinking we were at when we created them. --Albert Einstein
1 apple is not exactly 1/8 of 8 apples. Because there are no absolutely identical apples. --Giordy
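The temporary-sysadmin and Extended Events steps described in the reply above, as an added T-SQL example that is not part of any poster's message. The login name `vendor_rollout`, the session name `VendorRolloutAudit`, the password placeholder and the `.xel` file name are assumptions, and the syntax assumes SQL Server 2012 or later.

```sql
-- Added example. Assumed names: vendor_rollout, VendorRolloutAudit; placeholder password.
USE master;
GO
-- 1. Dedicated login used only by the provider, only for this rollout.
CREATE LOGIN [vendor_rollout]
    WITH PASSWORD = N'<strong-password-placeholder>', CHECK_POLICY = ON;
GO
-- 2. Capture every batch and RPC call issued under that login.
CREATE EVENT SESSION [VendorRolloutAudit] ON SERVER
ADD EVENT sqlserver.sql_batch_completed (
    ACTION (sqlserver.client_hostname, sqlserver.client_app_name,
            sqlserver.database_name, sqlserver.server_principal_name)
    WHERE (sqlserver.server_principal_name = N'vendor_rollout')),
ADD EVENT sqlserver.rpc_completed (
    ACTION (sqlserver.client_hostname, sqlserver.client_app_name,
            sqlserver.database_name, sqlserver.server_principal_name)
    WHERE (sqlserver.server_principal_name = N'vendor_rollout'))
ADD TARGET package0.event_file (
    SET filename = N'VendorRolloutAudit.xel', max_file_size = (100))
WITH (STARTUP_STATE = OFF);
GO
ALTER EVENT SESSION [VendorRolloutAudit] ON SERVER STATE = START;
GO
-- 3. Elevate only once the capture is running.
ALTER SERVER ROLE [sysadmin] ADD MEMBER [vendor_rollout];
GO
-- ... provider performs the rollout ...

-- 4. Rollout finished: remove the privilege first, then stop the capture.
ALTER SERVER ROLE [sysadmin] DROP MEMBER [vendor_rollout];
ALTER LOGIN [vendor_rollout] DISABLE;
ALTER EVENT SESSION [VendorRolloutAudit] ON SERVER STATE = STOP;
GO
-- 5. Confirm the login has lost sysadmin and is disabled.
SELECT IS_SRVROLEMEMBER('sysadmin', 'vendor_rollout') AS is_sysadmin,
       (SELECT is_disabled FROM sys.server_principals
         WHERE name = N'vendor_rollout') AS is_disabled;
-- 6. Read back what was run (give the full path if the file is not in the default LOG directory).
SELECT x.event_xml.value('(event/@timestamp)[1]', 'datetime2') AS utc_time,
       x.event_xml.value('(event/@name)[1]', 'sysname') AS event_name,
       x.event_xml.value('(event/action[@name="database_name"]/value)[1]', 'sysname') AS db,
       x.event_xml.value('(event/data[@name="batch_text"]/value)[1]', 'nvarchar(max)') AS batch_text,
       x.event_xml.value('(event/data[@name="statement"]/value)[1]', 'nvarchar(max)') AS rpc_statement
FROM sys.fn_xe_file_target_read_file(N'VendorRolloutAudit*.xel', NULL, NULL, NULL) AS f
CROSS APPLY (SELECT CAST(f.event_data AS xml)) AS x(event_xml)
ORDER BY utc_time;
```

A sysadmin login can stop or alter an Extended Events session, so copy the `.xel` file off the server after the rollout if the record needs to be tamper-resistant.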
And make them do their rollout/upgrade changes on a test or backup copy of your database first. Only when that succeeds should you consider giving them (temporary) access to your production database.
-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung Proactive Performance Solutions, Inc. "Performance is our middle name."
Thanks for all your replies. They all make sense.
I will be making my recommendations tomorrow.
George