Fixed server role required for Object creation in sys databases?


ZeeAtl
What fixed server role is required for object creation in sys databases?

Does the login/connected user have to be db_owner, dbo or sysadmin [server role]?

I'm trying to downgrade privileges for application owners that are doing admin and configuration to SQL databases through app UI. Some of these apps through these users' connections are creating objects in tempdb (e.g. User Defined Table).

Thanks,

Zee
GilaMonster
ZeeAtl (2/11/2010)
Some of these apps through these users' connections are creating objects in tempdb (e.g. User Defined Table).


Why? In general stuff like that is a bad idea with lots of support nightmares. Remember TempDB is completely recreated whenever SQL starts. Anything (tables, permissions, etc) in there is dropped.

Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass


ZeeAtl
I have no control over it. It is simply an operation that is executed with certain application activities. I'm not sure what the final result is.

My question is whether with these "black-box" behind the scenes operations going on, does that account connecting to SQL Server need to be sysadmin to have privileges to do this?

In essence, can a non-Sysadmin, non-DBO, or non-db_owner role member create objects in the system databases? I would assume not, but I'm unsure.

Thanks.
Shriji
No it cannot...
GilaMonster
ZeeAtl (2/12/2010)
In essence, can a non-Sysadmin, non-DBO, or non-db_owner role member create objects in the system databases?


Yes. Ddl_admin is more than sufficient.

Do note that TempDB is recreated completely on every start and hence all user permissions and tables will disappear. You need a way to put the permissions (and any necessary tables) back after a restart. Not trivial.

Is this 'operation' something written by in-house developers or is it a 3rd party vendor?

Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass
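
Added example, not part of the thread and not any poster's code: one way to put db_ddladmin membership back in tempdb after every restart, using a startup procedure in master, followed by a check that the login can create a table without being sysadmin. The login name AppConfigLogin and the procedure and table names are hypothetical; sp_addrolemember is used so the script also runs on the SQL Server versions current when this thread was written.

```sql
-- Added example: AppConfigLogin, usp_RestoreTempdbDdlRights and PrivCheck are hypothetical names.
USE master;
GO
-- Startup procedures must live in master, be owned by dbo and take no parameters.
CREATE PROCEDURE dbo.usp_RestoreTempdbDdlRights
AS
BEGIN
    SET NOCOUNT ON;
    -- USE is not allowed in a procedure body, so switch database inside a dynamic batch.
    EXEC (N'
        USE tempdb;
        IF NOT EXISTS (SELECT 1 FROM sys.database_principals
                       WHERE name = N''AppConfigLogin'')
            CREATE USER [AppConfigLogin] FOR LOGIN [AppConfigLogin];
        EXEC sp_addrolemember N''db_ddladmin'', N''AppConfigLogin'';
    ');
END;
GO
-- Run the procedure automatically each time the instance starts
-- (tempdb has just been rebuilt at that point, so the user is gone).
EXEC sp_procoption @ProcName    = N'dbo.usp_RestoreTempdbDdlRights',
                   @OptionName  = 'startup',
                   @OptionValue = 'on';
GO
-- Apply it now as well, without waiting for a restart.
EXEC dbo.usp_RestoreTempdbDdlRights;
GO

-- Verification: impersonate the login and confirm what it can and cannot do.
USE tempdb;
GO
EXECUTE AS LOGIN = N'AppConfigLogin';
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,      -- expect 0
       IS_MEMBER('db_owner')        AS is_db_owner,      -- expect 0
       IS_MEMBER('db_ddladmin')     AS is_ddladmin;      -- expect 1
CREATE TABLE dbo.PrivCheck (id int NOT NULL);            -- succeeds via db_ddladmin
DROP TABLE dbo.PrivCheck;
REVERT;
GO
```

The impersonation step needs IMPERSONATE permission on the login, so run the verification as an administrator.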


ZeeAtl
Third party application. I have no idea what the app is doing. It is hitting TempDB more than infrequently though.

Thx,

Zee