Home Forums SQL Server 2017 SQL Server 2017 - Administration How would you lock down a SQL DBA to have local admin on the SQL box RE: How would you lock down a SQL DBA to have local admin on the SQL box

  • March 1, 2018 at 2:43 am

    #1981599

    Hmmm, OK. I tried this:

    CREATE LOGIN JoeDBA with password = 'xxx'
    GO
    GRANT ALTER ANY DATABASE TO JoeDBA

    I then opened a new window, logging in as JoeDBA and ran:
    EXEC sys.sp_detach_db @dbname = 'Bob'

    Got this:
    Msg 916, Level 14, State 1, Line 1
    The server principal "JoeDBA" is not able to access the database "Bob" under the current security context.

    Then tried this in my sysadmin connection:
    USE bob
    GO
    CREATE USER JoeDBA FOR LOGIN JoeDBA
    GO
    ALTER ROLE db_owner ADD MEMBER JoeDBA

    Returned to my JoeDBA connection and was able to detach the database.

    ALTER ANY DATABASE is not sufficient, but db_owner for a db is. This means you'd need to ensure each login had that permission in each database to detach. 

    I also tried dbcreator and serveradmin (separately) for the login. neither allows me to detach a database. I suspect sysadmin OR db_owner in a specific database allow detaching. Of course, if you add the user to model and include db_owner, that would solve that permission set.