Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

SQL Server 2005 Security for Developers Expand / Collapse
Author
Message
Posted Friday, July 04, 2008 3:16 AM
SSCrazy

SSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazy

Group: General Forum Members
Last Login: Monday, December 14, 2009 4:05 AM
Points: 2,320, Visits: 31
Hi All,

Need some guidance please.....

I am currently looking at the process of creating some advance security for my developers on my Test environment and whish to give developers access to run agents jobs, ssis packages, with their own credentials, etc without having to give Developers access to SYSADMIN. I would like the DBAs to remain the only users with SYSADMIN access. Has anyone got a similar sinario in their environment...if so, can you share it with me?? I am considering creating a group on the network for Developers and giving that group less access than SYSADMIN (eg: msdb: SQLAgentOperatorRole, SQLAgentReaderRole and SQLAgentUserRole) and placing all Developers in that group.

All ideas will be appreciated.

Thanking you all in advance.
Post #528559
Posted Monday, July 07, 2008 7:16 AM


SSC-Addicted

SSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-Addicted

Group: General Forum Members
Last Login: 2 days ago @ 3:36 AM
Points: 416, Visits: 542
You can provide SQLAgentOperatorRole in MSDB so that they will privilege to execute all the jobs.

Regards..Vidhya Sagar
SQL-Articles
Post #529264
Posted Monday, July 07, 2008 9:49 AM
SSCarpal Tunnel

SSCarpal TunnelSSCarpal TunnelSSCarpal TunnelSSCarpal TunnelSSCarpal TunnelSSCarpal TunnelSSCarpal TunnelSSCarpal TunnelSSCarpal Tunnel

Group: General Forum Members
Last Login: Yesterday @ 11:35 AM
Points: 4,056, Visits: 5,185
The Windows group for developers sounds like a good idea and Vidhya's suggestion of using the SQLAgent roles in msdb is a good choice for allowing non-sysadmins to maintain jobs. You should review the permissions for the role in BOL to make sure it's what you want.

If you want to restrict database access to smaller groups, you may want to create Windows groups for each of those and make them members of the larger group. In our shop, we have multiple systems and each system has it's own group of developers.


Greg
Post #529431
Posted Monday, July 07, 2008 10:26 AM


SSC-Dedicated

SSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-Dedicated

Group: Administrators
Last Login: Yesterday @ 4:11 PM
Points: 32,810, Visits: 14,959
Greg and Vidhya's advice is good. I'd be wary of allowing developers to manage jobs and packages. They tend to "fix" things on the fly, often breaking others at the same time and potentially causing instability.

The reasons behind SOX and other regulations are to ensure stability and prevent unnecessary and unauthorized changes. This is one place I think developers should not be allowed access to do anything other than run jobs. Allowing them to make changes can lead to stability issues.







Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #529464
Posted Monday, July 07, 2008 12:10 PM
SSCarpal Tunnel

SSCarpal TunnelSSCarpal TunnelSSCarpal TunnelSSCarpal TunnelSSCarpal TunnelSSCarpal TunnelSSCarpal TunnelSSCarpal TunnelSSCarpal Tunnel

Group: General Forum Members
Last Login: Yesterday @ 11:35 AM
Points: 4,056, Visits: 5,185
Thanks for that Steve. I based by comments on BrendA's statement that it's a test environment, but you reminded me that developers shouldn't have free reign to change jobs or packages that will end up in production.

Greg
Post #529533
Posted Wednesday, July 09, 2008 6:11 AM
SSCrazy

SSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazy

Group: General Forum Members
Last Login: Monday, December 14, 2009 4:05 AM
Points: 2,320, Visits: 31
Thank you all for your valuable comments - greatly appreciated.
Post #530680
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse