Eric M Russell (4/11/2014)
Obviously the government, whether it be Congress or some agency dedicated to the task, can't come up with the standards; it has to be the industry putting their heads together, sort of like the various standards working groups for HTML or network protocols.We can argue about what minimal privilege is, for example does the DBA also need to be local Admin on the server, or does the Network Admin or service accounts also need to be sysadmin on the database server.
However, when it comes to discussions about whether the developer, CEO, or director of business analytics needs to be SYSADMIN on the database server, then that's not even worth discussing; the answer is obviously no. We all have to move past that.
In some sense, yes, but what about SSC? For years I was the CTO and one of the developers, as well as the DBA? It's not clear cut in terms of how you do this.
The rules should be, if you don't administer the box, you aren't an administrator. However that can vary dramatically, especially in small companies. You always need a backup. You also need to remember that the way privileges work on different platforms (*Nix, OSX, etc.) can be different, so it's not as simple as specifying roles or groups.
I'm not saying you aren't correct here in terms of what you'd like to accomplish, but that it's very complex to figure out how to apply this broadly. The one thing I'd note is that for all applications, they should be able to run at less than admin privileges. However even that's hard. What about apps that gather telemetry or metrics from the box? Often that requires some level of admin access. What about adding accounts?
It's overall, a mess.