Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase ««12

Best Practice for Database Owner? Expand / Collapse
Author
Message
Posted Monday, August 09, 2010 2:00 PM
SSC-Enthusiastic

SSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-Enthusiastic

Group: General Forum Members
Last Login: Monday, April 14, 2014 11:17 AM
Points: 139, Visits: 351
I see your point. Thanks for the reply!
Post #966216
Posted Tuesday, October 30, 2012 7:20 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Wednesday, June 19, 2013 10:34 AM
Points: 4, Visits: 97
This does matter for ownership chains (Impersonation. etc). For example if you attempt EXECUTE AS SELF, the dbowner will be used to execute. If the call is cross database, the dbowner may not have permissions in the target DB...broken wonership chain.
Post #1378759
Posted Thursday, February 21, 2013 5:52 AM
Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Monday, April 14, 2014 8:19 AM
Points: 306, Visits: 461
Hi!

Our practice is to create a service user/group in AD and assign that as the database owner. I have never been a fan of using the 'sa' account for anything other than emergency admin at the instance level and considering the level of authority the account has should IMHO not be used.

The other reason, and something that applies to us with the amount of databases we have, is that when I see a list of database users/groups, it would be nice to be able to associate them easier with the database. To that end we use AD Resource Groups and assign users to them. These users then have automatic db_owner on the database. Users of the database are then assigned to other reource groups with the appropriate permissions.

I think to say, as I have read in this post, that the owner is irrelevant is perhaps a little dangerous. The owner of the database automatically has (as expected) the right DB_OWNER which is the equivalent of God at the database level so some control over the owner needs to be had. Using 'sa' is also dangerous because, as expected, this is a SYSADMIN account with authority at the Instance-level! It doesn't take much to open a database query and run a query inside MASTER for example!

As far as possible, the rule of minimum privilege should be applied and Active Directory gives us the perfect tools to do that.

I hope that helped.....
Post #1422515
Posted Monday, February 25, 2013 8:40 AM
SSC Veteran

SSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC Veteran

Group: General Forum Members
Last Login: Monday, April 07, 2014 3:56 AM
Points: 200, Visits: 778
Not a database owner issue but I did run into problems when a SQL job owner had their accoutn disabled which in turn caused lots of problems. If I remember rightly it wasnt an issue in executing the job as obviously that is under the service account but there were permission issues for sure.

Apologies for no exact but I would give a little planning regarding the owner of objects, and as previous poster, my preference would be to reserve sa for admin duties.


'Only he who wanders finds new paths'
Post #1423641
Posted Monday, February 25, 2013 10:50 AM
Old Hand

Old HandOld HandOld HandOld HandOld HandOld HandOld HandOld Hand

Group: General Forum Members
Last Login: Monday, April 14, 2014 8:19 AM
Points: 306, Visits: 461
I agree with that 100%. The owner should be a service account that can only access the resources it needs to fulfil its job.

For me personally, the use of the 'sa' account is a huge no-go!
Post #1423704
Posted Monday, February 25, 2013 11:24 AM
SSC Veteran

SSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC Veteran

Group: General Forum Members
Last Login: Monday, April 07, 2014 3:56 AM
Points: 200, Visits: 778
Absolutely, I never use sa unless its a in case of emergency etc...

However I would necessarily use a service account for an owner, rather I was saying the Agent jobs ran under that. In all honesty I have mostly found an administrative type user specified as the db_owner.


'Only he who wanders finds new paths'
Post #1423717
Posted Friday, March 01, 2013 7:02 PM


Say Hey Kid

Say Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey KidSay Hey Kid

Group: General Forum Members
Last Login: 2 days ago @ 1:43 PM
Points: 687, Visits: 2,995
This thread is almost 4 years old -- you might want to start a new one.
Rich
Post #1425803
« Prev Topic | Next Topic »

Add to briefcase ««12

Permissions Expand / Collapse