Post reply

dba permissions and roles

  • April 6, 2004 at 11:50 am

    #161203

    I am trying to gather information on what permissions and roles the DBA should have to the server which the database resides on. Any information would be greatly

    appreciated.


    Steve Johnson

  • April 6, 2004 at 12:01 pm

    #501912

    Everything!

    Just kidding. It would be nice for the DBA to have sysadmin rights on the server that hosts SQL Server, but it's not needed.

    To do your regular DBA job, you probably only need USER rights on the server itself. You will need to be able to access whatever you do your backups to. For example, I backup to hard drive and then from there to tape. I need access to the file I backup to and I need my tape device to be able to access the file. You should also be able to start and stop the SQL services.

    I personally am a sysadmin on my server along with being DBA, but that's because I work closely with my sysadmin and have earned his trust.

    That all is just my opinion, I'm sure you'll hear from others. I don't think Microsoft defines that in any of their stuff about SQL Server.

    -SQLBill

  • April 6, 2004 at 8:55 pm

    #501945

    Our DBAs happen to be local administrators because it makes their job easier overall. However, this isn't absolutely necessary in order for a DBA to perform typical day-to-day functions.

    I agree the minimum permissions a DBA needs is to be a user on the box. However, power user is required in order to administer services. So if you want to stop and start SQL Server, power user it is (at least, using services.msc and the like). However, a power user can also add local users and groups and create shares and the like, so for some organizations that may be seen as too much power.

    An explanation of the default group permissions can be found here:

    Default security settings for groups

    A better way to probably approach the question is by asking a related one: What are the organization's expectations of the DBA? If the DBA is also performing system administrator related functions, then the rights should be granted accordingly. In my organization DBAs are given wide latitude and responsibility, hence the administrative rights on our servers. However, if an organization only wants a DBA to touch the SQL Server and that's it, probably user rights are sufficient.

    One final note: keep in mind that if a DBA is a member of the sysadmin role within SQL Server, the DBA basically has the same rights as the user account the SQL Server service is running under. Therefore, if DBAs have less rights than the SQL Server service account, SQL Server provides a convenient backdoor.

    K. Brian Kelley
    @kbriankelley

  • April 7, 2004 at 7:15 am

    #501987

    Thanks guy's this information is much needed


    Steve Johnson

Viewing 4 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic. Login to reply