SharePoint permissions for DBA


Ryan D.
Does anyone have any guidelines or best practices regarding SharePoint admins' access level to the SQL Server? I am looking at more individual admin, not SharePoint service accounts.
Sue_H
Ryan D. - Monday, June 12, 2017 2:55 PM
Does anyone have any guidelines or best practices regarding SharePoint admins' access level to the SQL Server? I am looking at more individual admin, not SharePoint service accounts.

Is the SharePoint admin going to be the DBA? Are they taking responsibility for the server and instance including patches, upgrades, on-call duties, backups/restores, all maintenance, etc.?
If not, they don't need any special or elevated access to the database end as they can do what they need through Central Administration in SharePoint.

Sue




Joie Andrew
Sue_H - Tuesday, June 13, 2017 12:29 PM
Ryan D. - Monday, June 12, 2017 2:55 PM
Does anyone have any guidelines or best practices regarding SharePoint admins' access level to the SQL Server? I am looking at more individual admin, not SharePoint service accounts.

Is the SharePoint admin going to be the DBA? Are they taking responsibility for the server and instance including patches, upgrades, on-call duties, backups/restores, all maintenance, etc.?
If not, they don't need any special or elevated access to the database end as they can do what they need through Central Administration in SharePoint.

Sue

While generally I think that is true, I have found that if using PowerShell to run SharePoint admin functions you need to ensure that the SharePoint admins (or their group) have db_owner rights in the SharePoint databases they will be working against, and possibly dbcreator and securityadmin server rights if creating new service apps or content dbs. While going through Central Admin all these actions tend to get performed by the farm account on the database, when going through PowerShell it is using the context of the user running the PowerShell prompt. That has been my experience, anyway.


Joie Andrew
"Since 1982"
Sue_H
Joie Andrew - Saturday, September 30, 2017 2:31 AM

While generally I think that is true, I have found that if using PowerShell to run SharePoint admin functions you need to ensure that the SharePoint admins (or their group) have db_owner rights in the SharePoint databases they will be working against, and possibly dbcreator and securityadmin server rights if creating new service apps or content dbs. While going through Central Admin all these actions tend to get performed by the farm account on the database, when going through PowerShell it is using the context of the user running the PowerShell prompt. That has been my experience, anyway.


As I said, if they are not the SQL Server admin and responsible for the backups/restores, patching, on-call, etc., there is no reason to give a SharePoint admin elevated access.

Creating new service apps or content databases is not a daily or regular activity, and if creating apps and content databases is happening frequently, there seems to be a problem in defining how SharePoint should be set up, how it needs to be configured and how it's used. So even more of a reason to not allow elevated permissions. Permissions needed for installation or migration are different than day to day.
SharePoint admins doing regular activities via PowerShell rather than Central Admin console would be a choice rather than a requirement.
If nothing else and someone was forced to provide elevated permissions, I still wouldn't give a SharePoint admin elevated privileges as it's just not congruent with the principle of least privilege. I would create an account that is normally disabled and only temporarily enable it when absolutely needed during a maintenance or change window, especially if they are adding databases or making SQL Server security changes for something they do not support.

Sue
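
The normally-disabled elevated account described in the post above, sketched in T-SQL as an added example that is not part of the original thread. The login and database names are hypothetical; the roles are the ones named in the discussion (db_owner, dbcreator, securityadmin).

```sql
-- Added example, not code from the thread. Hypothetical names (assumptions):
--   [CONTOSO\sp-admin-elevated] : separate Windows account used only in change windows
--   [WSS_Content_Example]       : one SharePoint content database

-- One-time setup by the DBA: create the login, grant the rights, leave it disabled.
CREATE LOGIN [CONTOSO\sp-admin-elevated] FROM WINDOWS;
ALTER SERVER ROLE [dbcreator]     ADD MEMBER [CONTOSO\sp-admin-elevated];
-- Microsoft's documentation says to treat securityadmin as equivalent to sysadmin,
-- so this membership is the main reason the login stays disabled between windows.
ALTER SERVER ROLE [securityadmin] ADD MEMBER [CONTOSO\sp-admin-elevated];
ALTER LOGIN [CONTOSO\sp-admin-elevated] DISABLE;
GO

USE [WSS_Content_Example];
GO
CREATE USER [CONTOSO\sp-admin-elevated] FOR LOGIN [CONTOSO\sp-admin-elevated];
ALTER ROLE [db_owner] ADD MEMBER [CONTOSO\sp-admin-elevated];
GO

-- Start of an approved maintenance or change window (run by the DBA).
ALTER LOGIN [CONTOSO\sp-admin-elevated] ENABLE;
GO

-- End of the window (run by the DBA).
ALTER LOGIN [CONTOSO\sp-admin-elevated] DISABLE;
GO

-- Audit check between windows: enabled logins that hold the elevated server roles.
-- The elevated SharePoint admin login should not appear in this result.
SELECT r.name      AS server_role,
       m.name      AS member_login,
       m.type_desc AS login_type
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'securityadmin', N'dbcreator')
  AND m.is_disabled = 0
ORDER BY r.name, m.name;
```

Scheduling the audit query as a recurring check catches a login that was enabled for a window and never disabled again.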


