Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

Getting rid of sysadmin role for application Expand / Collapse
Author
Message
Posted Tuesday, June 17, 2014 1:44 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Yesterday @ 12:44 AM
Points: 5, Visits: 200
I have a weird situation with security permission for our application.
The program seems to need to be in sysadmin server role during version update otherwise (removing sysadmin and giving dbowner) it crashes with an error along the lines: "DLL must contain function Execute"

Obviously having login user as sysadmin role for an application is not good so I'm trying to find why would it need it.

So for tests I gave the login user dbowner role and tried the following:

I have tried giving execute rights to the user to execute all the stored procedures in the database. When that didn't help I gave all the permissions (Alter, control) just in case but it didn't help.

I tried running sql trace and then trying running all the queries manually in Management studio.

I granted EXECUTE rights to all schema - nothing.

I tried giving the permissions to execute xp_cmdshell
Nothing seems to effect it.

Anyone has any ideas what difference between sysadmin and dbowner there might be which could cause it?
Post #1582121
Posted Tuesday, June 17, 2014 2:00 AM


SSChampion

SSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampion

Group: General Forum Members
Last Login: Today @ 1:41 PM
Points: 13,331, Visits: 10,198
dbowner role is a database role, while sysadmin is a server role. So it might be a instance-level task that the application wants to do.



How to post forum questions.
Need an answer? No, you need a question.
What’s the deal with Excel & SSIS?

Member of LinkedIn. My blog at LessThanDot.

MCSA SQL Server 2012 - MCSE Business Intelligence
Post #1582141
Posted Tuesday, June 17, 2014 2:56 AM


SSC-Forever

SSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-ForeverSSC-Forever

Group: General Forum Members
Last Login: Today @ 12:11 PM
Points: 42,470, Visits: 35,541
Could you identify what command the app is running when it throws that error? Use a server-side trace if necessary.


Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #1582161
Posted Tuesday, June 17, 2014 5:39 AM
Hall of Fame

Hall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of Fame

Group: General Forum Members
Last Login: Today @ 12:16 PM
Points: 3,977, Visits: 2,993
Is the application using functions (or anything else) in other databases? If you granted db_owner to the login in the application's database, the login can use any table, procedure, function, etc. in that database. You should never, ever give an application login sysadmin privs - it's a bad idea and asking for disaster. The only users with the sysadmin privs should be the DBAs.


Tally Tables - Performance Personified
String Splitting with True Performance
Best practices on how to ask questions
Post #1582260
Posted Tuesday, June 17, 2014 9:56 AM
Hall of Fame

Hall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of Fame

Group: General Forum Members
Last Login: Today @ 12:29 PM
Points: 3,198, Visits: 2,295
The line: "DLL must contain function Execute" might be pointing yo an 'extended' stored procedure.

If that os so 'sysadmin' role is usually required. But only the software vendor knows for sure. Some vendors will work with you to determine this and most will not.

We have a number of 3rd party applications in our environment that require 'sysadmin' for installation or upgrades but only 'dbowner' to function normally. We used to just elevate the credentials in question for the installation and/or update but now we creaet a separate set of credentials named 'application_name_install' or something meaningful and just enable them for the duration of the installation or upgrade then immediately disable them - it makes our auditors happier this wayt instead of the 'elevation' of provileges.

My 2 cents.




Regards
Rudy Komacsar
Senior Database Administrator

"Ave Caesar! - Morituri te salutamus."
Post #1582423
Posted Monday, June 23, 2014 8:20 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Yesterday @ 12:44 AM
Points: 5, Visits: 200
Sorry for a delay on the update, but I managed to get time with the head developer and we did a debug off the operations and we found the problem.
The error message was a lazy "catch, try" coding and didn't reflect the real error.

The real error was because of some very old code which wasn't needed anymore was building indexes on the database. Now this does explain why only dbowner isn't enough but from what I've read it meas that ddl_admin with db_owner should be enough but it wasn't.

The code was removed and it works now with only db_owner.
Still bugs me why can't I couldn't get it to work if it only builds indexes on the database and I'll probably will try to check it even though its something that is not used anymore in the application.

Thanks for replies.
Post #1585147
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse