<a href="http://g.adspeed.net/ad.php?do=clk&zid=15220&wd=468&ht=60&pair=as" target="_blank"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=15220&wd=468&ht=60&pair=as" alt="i" width="468" height="60"/></a>
Log in
::
Register
::
Not logged in
Home
Tags
Articles
Editorials
Stairways
Forums
Scripts
Videos
Blogs
QotD
Books
Ask SSC
SQL Jobs
Training
Authors
About us
Contact us
Newsletters
Write for us
<a href="http://g.adspeed.net/ad.php?do=clk&zid=15491&wd=120&ht=300&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=15491&wd=120&ht=300&pair=as" alt="i" width="120" height="300"/></a>
Recent Posts
Recent Posts
Popular Topics
Popular Topics
Home
Search
Members
Calendar
Who's On
Home
»
SQL Server 2008
»
SQL Server 2008 - General
»
db_owner and sysadmin unexpected behavior
19 posts, Page 1 of 2
1
2
»»
db_owner and sysadmin unexpected behavior
Rate Topic
Display Mode
Topic Options
Author
Message
SQLEngine
SQLEngine
Posted Monday, September 24, 2012 6:56 PM
Valued Member
Group: General Forum Members
Last Login: Monday, April 29, 2013 11:29 AM
Points: 53,
Visits: 224
I noticed specifically with SharePoint databases that just because an account is sa doesn't necessarily mean it's also db_owner
I know the theory, and that it SHOULD be implicitely mapped to dbo, which would give it all the db_owner rights anyway, but I think sometimes the account needs to be explicitely mapped to db_owner even though it's already sa at the sql instance level.
Did anyone experience similar behaviour?
Post #1363753
opc.three
opc.three
Posted Monday, September 24, 2012 8:44 PM
SSCertifiable
Group: General Forum Members
Last Login: Today @ 5:26 PM
Points: 6,696,
Visits: 11,715
The dbo of a database has full rights in that database, including the ability to drop the database. Also being a member of the db_owner role offers no additonal permissions.
__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
Believe you can and you're halfway there.
--Theodore Roosevelt
Everything Should Be Made as Simple as Possible, But Not Simpler
--Albert Einstein
The significant problems we face cannot be solved at the same level of thinking we were at when we created them.
--Albert Einstein
1 apple is not exactly 1/8 of 8 apples. Because there are no absolutely identical apples.
--Giordy
Post #1363758
Suresh B.
Suresh B.
Posted Monday, September 24, 2012 11:27 PM
Ten Centuries
Group: General Forum Members
Last Login: Tuesday, April 30, 2013 5:59 AM
Points: 1,075,
Visits: 5,114
sa is member of sysadmin server role.
sysadmin role members don't need any additional role membership.
Post #1363792
GilaMonster
GilaMonster
Posted Tuesday, September 25, 2012 12:39 AM
SSC-Dedicated
Group: General Forum Members
Last Login: Today @ 4:15 PM
Points: 37,651,
Visits: 29,903
Any member of the sysadmin role has all permissions across the instance, is implicitly db_owner of all databases and cannot be denied anything.
Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild
: Discussions on DB performance with occasional diversions into recoverability
We walk in the dark places no others will enter
We stand on the bridge and no one may pass
Post #1363811
opc.three
opc.three
Posted Tuesday, September 25, 2012 6:33 AM
SSCertifiable
Group: General Forum Members
Last Login: Today @ 5:26 PM
Points: 6,696,
Visits: 11,715
GilaMonster (9/25/2012)
Any member of the sysadmin role has all permissions across the instance, is implicitly db_owner of all databases and cannot be denied anything.
To be clear sa is implicitly the dbo of all databases, not a member of db_owner.
__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
Believe you can and you're halfway there.
--Theodore Roosevelt
Everything Should Be Made as Simple as Possible, But Not Simpler
--Albert Einstein
The significant problems we face cannot be solved at the same level of thinking we were at when we created them.
--Albert Einstein
1 apple is not exactly 1/8 of 8 apples. Because there are no absolutely identical apples.
--Giordy
Post #1363989
SQLEngine
SQLEngine
Posted Tuesday, September 25, 2012 7:50 AM
Valued Member
Group: General Forum Members
Last Login: Monday, April 29, 2013 11:29 AM
Points: 53,
Visits: 224
Yes, I realize that.
Thank you all for your responces.
Post #1364047
sestell1
sestell1
Posted Tuesday, September 25, 2012 8:31 AM
SSC Eights!
Group: General Forum Members
Last Login: 2 days ago @ 9:30 AM
Points: 830,
Visits: 1,197
opc.three (9/25/2012)
GilaMonster (9/25/2012)
Any member of the sysadmin role has all permissions across the instance, is implicitly db_owner of all databases and cannot be denied anything.
To be clear sa is implicitly the dbo of all databases, not a member of db_owner.
This is an important note, as implicit permissions are not included in inherited permissions or impersonation, which may be the source of your problem if adding in explicit permissions fixes the issue.
Post #1364080
opc.three
opc.three
Posted Tuesday, September 25, 2012 11:16 AM
SSCertifiable
Group: General Forum Members
Last Login: Today @ 5:26 PM
Points: 6,696,
Visits: 11,715
sestell1 (9/25/2012)
opc.three (9/25/2012)
GilaMonster (9/25/2012)
Any member of the sysadmin role has all permissions across the instance, is implicitly db_owner of all databases and cannot be denied anything.
To be clear sa is implicitly the dbo of all databases, not a member of db_owner.
This is an important note, as implicit permissions are not included in inherited permissions or impersonation, which may be the source of your problem if adding in explicit permissions fixes the issue.
Impersonation is not on the table. A sysadmin can impersonate any login without restriction.
Explicit membership in a Database Role could an issue is SharePoint (or a custom web part) is checking to see if a login is a member of a database's db_owner Role and not bothering to check if the login is a dbo or a sysadmin.
__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
Believe you can and you're halfway there.
--Theodore Roosevelt
Everything Should Be Made as Simple as Possible, But Not Simpler
--Albert Einstein
The significant problems we face cannot be solved at the same level of thinking we were at when we created them.
--Albert Einstein
1 apple is not exactly 1/8 of 8 apples. Because there are no absolutely identical apples.
--Giordy
Post #1364188
GilaMonster
GilaMonster
Posted Tuesday, September 25, 2012 11:35 AM
SSC-Dedicated
Group: General Forum Members
Last Login: Today @ 4:15 PM
Points: 37,651,
Visits: 29,903
opc.three (9/25/2012)
GilaMonster (9/25/2012)
Any member of the sysadmin role has all permissions across the instance, is implicitly db_owner of all databases and cannot be denied anything.
To be clear sa is implicitly the dbo of all databases, not a member of db_owner.
It's both. A sysadmin login maps to dbo in all databases and dbo is a member of db_owner (it may not be the database owner, but it is always a member of db_owner)
Even if there's an explicit user mapping for the sysadmin login, any checking of Username will still return dbo.
Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild
: Discussions on DB performance with occasional diversions into recoverability
We walk in the dark places no others will enter
We stand on the bridge and no one may pass
Post #1364200
sestell1
sestell1
Posted Tuesday, September 25, 2012 11:51 AM
SSC Eights!
Group: General Forum Members
Last Login: 2 days ago @ 9:30 AM
Points: 830,
Visits: 1,197
opc.three (9/25/2012)
sestell1 (9/25/2012)
opc.three (9/25/2012)
GilaMonster (9/25/2012)
Any member of the sysadmin role has all permissions across the instance, is implicitly db_owner of all databases and cannot be denied anything.
To be clear sa is implicitly the dbo of all databases, not a member of db_owner.
This is an important note, as implicit permissions are not included in inherited permissions or impersonation, which may be the source of your problem if adding in explicit permissions fixes the issue.
Impersonation is not on the table. A sysadmin can impersonate any login without restriction.
Explicit membership in a Database Role could an issue is SharePoint (or a custom web part) is checking to see if a login is a member of a database's db_owner Role and not bothering to check if the login is a dbo or a sysadmin.
If you impersonate an account that does not have explicit rights within a database, you will not have any rights within that database, even if both accounts are members of sysadmin.
Post #1364210
« Prev Topic
|
Next Topic »
19 posts, Page 1 of 2
1
2
»»
Permissions
You
cannot
post new topics.
You
cannot
post topic replies.
You
cannot
post new polls.
You
cannot
post replies to polls.
You
cannot
edit your own topics.
You
cannot
delete your own topics.
You
cannot
edit other topics.
You
cannot
delete other topics.
You
cannot
edit your own posts.
You
cannot
edit other posts.
You
cannot
delete your own posts.
You
cannot
delete other posts.
You
cannot
post events.
You
cannot
edit your own events.
You
cannot
edit other events.
You
cannot
delete your own events.
You
cannot
delete other events.
You
cannot
send private messages.
You
cannot
send emails.
You
may
read topics.
You
cannot
rate topics.
You
cannot
vote within polls.
You
cannot
upload attachments.
You
may
download attachments.
You
cannot
post HTML code.
You
cannot
edit HTML code.
You
cannot
post IFCode.
You
cannot
post JavaScript.
You
cannot
post EmotIcons.
You
cannot
post or upload images.
Copyright © 2002-2013 Simple Talk Publishing. All Rights Reserved.
Privacy Policy.
Terms of Use.
Report Abuse.
