Who should have Sysadmin rights?

, 2019-03-11

This is somewhat of a trick question since I believe the answer is: no one should have sysadmin rights. I should clarify that statement. What I mean is, that no one’s normal network login should have sysadmin rights. It should only be granted to service accounts and/or to a specific SQL admin account. This would be a SQL Server admin specific network login account.

The danger and security concerns for a normal login having sysadmin rights are very real. I am sure many of us have thought we were connected to a test or dev box only to find out after applying some update or alter statement that we just changed production by mistake.

Some of you may be thinking, but how am I supposed to get my job done without sysadmin rights? I agree there are a number of things that happen in a day where a DBA needs sysadmin rights or at least elevated privileges. So, when those things come up you should be logging in as the SQL Server admin account to gain the admin level access you need.

Now, you might be saying to yourself, I have too many servers, I would spend a large part of my day remoting in to the different servers to log in with a SQL admin login. That is one option to access SQL Server with a different account, but there are others.

One option, assuming you use Management Studio when you are administering SQL Server, is you can hold the shift key down and right click the Management Studio icon. You will see an option for “Run as different user”

If you select this, you can enter your SQL Server admin login and password once and all servers you connect to after that will be with those elevated admin permissions.

Now, this does make it a lot easier to access SQL Server with the elevated permissions, but you have lost some of the benefits of not having those permissions with your normal login. So I would suggest you exercise caution when doing this to ensure you know when you have admin rights and when you don’t.

Many DBAs would agree that least privilege is the best path for security, yet many of us bypass this by giving our own login elevated rights. In the end, I believe the benefits of giving sysadmin only to a SQL admin account out weight the detractions to doing it. So how about you? Does your normal login give you sysadmin rights? If you use a SQL admin login for elevated rights share how is it working for you?

Rate

4 (1)

Share

Share

Rate

4 (1)

Related content

Mini-Me

Will the next version of Windows be a "Mini-Me" version of Vista? Who knows, and it's too early to tell, but apparently there's a mini-kernel version of Windows 7, the one after Vista, which fits into 25MB on disk. That's a touch lower than the 4GB that Vista takes up. Granted it's not a full […]

2007-10-25

60 reads

An Hour in Time

Daylight Savings time switches a little later this year. In fact it's November 4th this year, after having been in October for all of my life. In case you don't remember which way we move the clocks, here's a saying: Spring forward, fall back.

5 (1)

2007-10-17

199 reads

Software is Like Building a House

One of the really classic analogies in software is that it's like building a house. You have a foundation, multiple teams, lots of contractors that specialize in something, etc. And it's an analogy that's debated as to its relevance over and over. I won't go into the correctness of this analogy, but I wanted to comment on it.

2012-10-08 (first published: )

291 reads