Getting rid of sysadmin role for application

  • I have a weird situation with security permission for our application.

    The program seems to need to be in sysadmin server role during version update otherwise (removing sysadmin and giving dbowner) it crashes with an error along the lines: "DLL must contain function Execute"

    Obviously having login user as sysadmin role for an application is not good so I'm trying to find why would it need it.

    So for tests I gave the login user dbowner role and tried the following:

    I have tried giving execute rights to the user to execute all the stored procedures in the database. When that didn't help I gave all the permissions (Alter, control) just in case but it didn't help.

    I tried running sql trace and then trying running all the queries manually in Management studio.

    I granted EXECUTE rights to all schema - nothing.

    I tried giving the permissions to execute xp_cmdshell

    Nothing seems to effect it.

    Anyone has any ideas what difference between sysadmin and dbowner there might be which could cause it?

  • dbowner role is a database role, while sysadmin is a server role. So it might be a instance-level task that the application wants to do.

    Need an answer? No, you need a question
    My blog at https://sqlkover.com.
    MCSE Business Intelligence - Microsoft Data Platform MVP

  • Could you identify what command the app is running when it throws that error? Use a server-side trace if necessary.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • Is the application using functions (or anything else) in other databases? If you granted db_owner to the login in the application's database, the login can use any table, procedure, function, etc. in that database. You should never, ever give an application login sysadmin privs - it's a bad idea and asking for disaster. The only users with the sysadmin privs should be the DBAs.

  • The line: "DLL must contain function Execute" might be pointing yo an 'extended' stored procedure.

    If that os so 'sysadmin' role is usually required. But only the software vendor knows for sure. Some vendors will work with you to determine this and most will not.

    We have a number of 3rd party applications in our environment that require 'sysadmin' for installation or upgrades but only 'dbowner' to function normally. We used to just elevate the credentials in question for the installation and/or update but now we creaet a separate set of credentials named 'application_name_install' or something meaningful and just enable them for the duration of the installation or upgrade then immediately disable them - it makes our auditors happier this wayt instead of the 'elevation' of provileges.

    My 2 cents.

    RegardsRudy KomacsarSenior Database Administrator"Ave Caesar! - Morituri te salutamus."

  • Sorry for a delay on the update, but I managed to get time with the head developer and we did a debug off the operations and we found the problem.

    The error message was a lazy "catch, try" coding and didn't reflect the real error.

    The real error was because of some very old code which wasn't needed anymore was building indexes on the database. Now this does explain why only dbowner isn't enough but from what I've read it meas that ddl_admin with db_owner should be enough but it wasn't.

    The code was removed and it works now with only db_owner.

    Still bugs me why can't I couldn't get it to work if it only builds indexes on the database and I'll probably will try to check it even though its something that is not used anymore in the application.

    Thanks for replies.

Viewing 6 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic. Login to reply