This is somewhat of a trick question since I believe the answer is: no one should have sysadmin rights. I should clarify that statement. What I mean is, that no one’s normal network login should have sysadmin rights. It should only be granted to service accounts and/or to a specific SQL admin account. This would be a SQL Server admin specific network login account.
The danger and security concerns for a normal login having sysadmin rights are very real. I am sure many of us have thought we were connected to a test or dev box only to find out after applying some update or alter statement that we just changed production by mistake.
Some of you may be thinking, but how am I supposed to get my job done without sysadmin rights? I agree there are a number of things that happen in a day where a DBA needs sysadmin rights or at least elevated privileges. So, when those things come up you should be logging in as the SQL Server admin account to gain the admin level access you need.
Now, you might be saying to yourself, I have too many servers, I would spend a large part of my day remoting in to the different servers to log in with a SQL admin login. That is one option to access SQL Server with a different account, but there are others.
One option, assuming you use Management Studio when you are administering SQL Server, is you can hold the shift key down and right click the Management Studio icon. You will see an option for “Run as different user”
If you select this, you can enter your SQL Server admin login and password once and all servers you connect to after that will be with those elevated admin permissions.
Now, this does make it a lot easier to access SQL Server with the elevated permissions, but you have lost some of the benefits of not having those permissions with your normal login. So I would suggest you exercise caution when doing this to ensure you know when you have admin rights and when you don’t.
Many DBAs would agree that least privilege is the best path for security, yet many of us bypass this by giving our own login elevated rights. In the end, I believe the benefits of giving sysadmin only to a SQL admin account out weight the detractions to doing it. So how about you? Does your normal login give you sysadmin rights? If you use a SQL admin login for elevated rights share how is it working for you?
