I’ve been tasked to move our TFS databases from the SQLExpress our developers implemented, to SQL 2008 Enterprise. Our developers are planning on retaining complete control over the TFS application server.
My concerns are the requirements that the TFS Services, and by extension our developers, require sysadmin rights to the instance where the TFS databases are stored, “Required Permissions .... member of the sysadmin security group for the database instance for Team Foundation …”. This is based on the Microsoft document “Move from a Single-Server to a Dual-Server Deployment” (http://msdn.microsoft.com/en-us/library/ms404854(v=vs.100).aspx)
I have also reviewed a blog from Brian Harry (http://blogs.msdn.com/b/bharry/archive/2010/08/20/database-permissions-required-to-configure-tfs.aspx) that discusses fewer access rights, but still elevated (member of serveradmin role, alter any login, CONTROL on the master database.
Implementing the TFS databases in this manor goes against the Principle of Least Privilege as I understand it.
Are there any suggestions for best practices in implementing a TFS database environment, while limiting SQL instance privileges to the minimum required for TFS to function?