Thanks to SOX regulations, there is a movement to remove the DBAs from the local administrators group on all the servers. Is there a paper or anything to get me started that lists out what permissions a DBA would need, such as registry keys, file access, and anything else in general?
I recently worked as a DBA under an (extremely painful) SOX environment. Not only did I not have admin rights to the box, but I was also not SA on the SQL Server. I was doled out rights by the Network Admins so I had DBO for each individual db and could gain access for things like backups.
The most painful part was that you had to use Remote Desktop to connect to a "bastion host" from which you could PC Anywhere to the SQL Servers (moving backups from prod to refresh dev took an afternoon per DB), but that's neither here nor there.
The theory behind this was that the DBA role should be separate from the Network Admin role entirely. Therefore the DBA could not affect security audits on the boxes and the Network Admins couldn't fudge data. I could never figure out how this Consultant-Approved system kept the Network Admins out of my financial data, but it certainly kept me from being able to hide my tracks from having logged in... The main issue is who has the responsibility for maintaining the SQL Server application itself? In this environment it was the Net Admins.
My takeaway from this experience, however, was that it is possible to do many DBA functions without access to the box, let alone admin access. The rest of the functions, however, took a committee to accomplish.