Contractor Access to Company Databases

Mark Shepherd
Valued Member (68 reputation)
Group: General Forum Members
Points: 68 Visits: 133

Hi there

I need to get some feedback about DBA contractor access to our company databases. I am a DBA, and from time to time we get DBA contractors in to perform development work on specific systems. The group that they currently get added to gives them access to all systems in the company (we have a lot of systems, from payroll to customers etc.). I might add that our company is a well-known financial institution in our country.

How are other DBAs treating contractors in their company? I have no problem giving them the access they need to perform the task that they are contracted to do, but should they get full access?

How does this fit in with Sarbanes Oxley?

Your feedback would be much appreciated.

Thank you


colin.Leversuch-Roberts
SSChampion (12K reputation)
Group: General Forum Members
Points: 12131 Visits: 715

As an independent DBA I encounter this often. If I'm to perform DBA tasks on prod systems then I need the access to do the task. I know SOX prefers that you log on as an account under your own name, so there's some sort of audit trail, and they prefer that you are not a sysadmin - but it's not possible to have a system without sysadmins. I usually connect with integrated security through a DBA group, which seemed fine for them.

Don't know if this helps at all?


The GrumpyOldDBA
www.grumpyolddba.co.uk
http://sqlblogcasts.com/blogs/grumpyolddba/

Malcolm Leach
SSC-Addicted (429 reputation)
Group: General Forum Members
Points: 429 Visits: 71

Are you asking for a prescribed way of limiting access? If so, there are many ways to achieve this, but my favourite first step is, as Colin quite rightly states, to give the contractor a specific domain login with minimal privileges.

It should then be a simple matter to add that domain login to the specific SQL Server instance and assign server roles (sysadmin etc.) or database specific privileges (db owner, datareader etc.).

This scheme gives you the best chance at a meaningful audit trail and, even better, the domain account can be set up to expire at a predetermined date thus ensuring the access lasts no longer than it should.

Malcolm
DB Ghost - Build, compare and synchronize from source control = Database Change Management for SQL Server
www.dbghost.com
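Malcolm's scheme in T-SQL, as an added example that is not from this thread or any of its posters: the contractor's own named Windows account is mapped into only the database the engagement covers, using fixed database roles instead of sysadmin or db_owner, followed by two checks a reviewer would run (who sits in sysadmin, and what the contractor was actually granted). CORP\contractor.jdoe and SalesDB are placeholder names.

```sql
-- Added example (not from the thread): least-privilege contractor access.
-- CORP\contractor.jdoe and SalesDB are placeholders; substitute your own.

USE [master];
GO
-- Windows-authenticated login for the person's own named domain account,
-- so server audit / trace records carry their identity, not a shared one.
CREATE LOGIN [CORP\contractor.jdoe] FROM WINDOWS
    WITH DEFAULT_DATABASE = [SalesDB];
GO

USE [SalesDB];
GO
-- Map the login into the one database the contract covers.
CREATE USER [contractor.jdoe] FOR LOGIN [CORP\contractor.jdoe];

-- Fixed roles rather than db_owner: read and write data, no structural rights.
-- (On SQL Server before 2012 use sp_addrolemember instead of ALTER ROLE.)
ALTER ROLE db_datareader ADD MEMBER [contractor.jdoe];
ALTER ROLE db_datawriter ADD MEMBER [contractor.jdoe];

-- Development work that needs schema changes gets an explicit, reviewable
-- grant instead of db_owner; uncomment only if the contract requires it.
-- GRANT ALTER ON SCHEMA::dbo TO [contractor.jdoe];
GO

-- Check 1: every member of sysadmin. A contractor account appearing here
-- means the least-privilege intent has been bypassed (e.g. via a wide group).
SELECT r.name AS server_role, m.name AS member_login, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- Check 2: the database roles this contractor actually holds in SalesDB.
SELECT r.name AS database_role, u.name AS member_user
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = rm.member_principal_id
WHERE u.name = N'contractor.jdoe';

-- The expiry date Malcolm mentions is set on the account in Active Directory
-- (for example with Set-ADAccountExpiration), not in SQL Server. When the
-- engagement ends, also remove the SQL mapping:
-- DROP USER [contractor.jdoe];  DROP LOGIN [CORP\contractor.jdoe];
```

Because authentication is integrated, disabling or expiring the domain account cuts off the SQL Server access immediately, without a separate SQL-side step.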

mforbes
SSC Veteran (235 reputation)
Group: General Forum Members
Points: 235 Visits: 547

I agree: give them only the access they need, with the least amount of privileges needed to do what they were contracted for.