DBA without sa rights???

  • Our network administrator, whom I'll affectionately refer to as DCD (Data Center _ick), has decided that I no longer deserve to have sa rights to the instance of SQL Server that I'm the DBA for (and won't tell me why). Since I never granted myself any other database mappings or rights outside of the sysadmin role, I'm completely locked out from doing my job (and no, I wasn't fired). I have never had access to log in to the OS on the server since I'm not a part of the exclusive networking team. I have searched everywhere I can find for a solution to restore my rights (so I can disable him and get back to work) and go on doing my job but everything I have found requires access to the OS. I'm not interested in dark web options as I don't want to introduce that risk to my employer.

    I have two questions:

    1. Is there any way of restoring my access to the instance, bypassing DCD? I don't need OS access, just sa access to my instance. I have been operating just fine without OS access for nearly a year now.

    2. Can a DBA do their job without the sysadmin role? What granular rights would I have to be assigned so I can do my job (I fully manage everything on the instance)?

    Please don't comment about the obvious [expletive here] behavior of DCD, that he has already well established. I just need real solutions and practical answers to my questions.

    Thank you!

  • It might seem silly, but the SQL Server security is there for a reason. If you're not permitted to do something, then you're not permitted. If there was a way to do it, then it wouldn't be security, and limiting people's access would be fruitless. You're not going to be able to "get around it" as your rights have been limited and that's all SQL Server is going to let you do.

    As for the second question, that all depends on what you actually need to do. I sometimes find that the role "dba" can vary from company to company a little. For example, as I work in a small business, I need the ability to not only administer, but develop, as we only have 2 people who are SQL trained. I'm technically not a "true" dba, but the title suits the purpose.

    I suppose you have contacted the member of staff that has revoked your rights? You should know what you do on a day-to-day basis better than anyone, so provided you can show what permissions you need (or at least what you need to be able to do), and how your limited permissions are inhibiting your ability to work, then having those permissions given to you should not be a problem. If they aren't going to comply, then you should raise the matter with your line manager, so that they can escalate it.

    Plus, from a work ethic point of view, I really don't think trying to bypass the security and upping your permissions is really the best of ideas. Doing so could be seen as a breach of conduct by your employer, and although it highlights a security flaw at your workplace, you performed that security breach, which could result in severe consequences.

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk

  • Wow, I've heard of petty turf wars like this happening.

    You've got to bring it all out in the open, with your DCD and all related supervisors; this is not the time to slink around in the shadows. You are a professional, and handle it via professional discussions and communications. Immediately establish that you can no longer do your job, and have a list of the many things you can no longer do.

    If they no longer trust you as a group, then your permissions were taken away for a reason; I doubt that's the issue.

    If it's a petty turf war, the DCD needs to establish why and communicate the reason to all participants, and to offer the replacement solution or whether he is taking over all sysadmin roles in lieu of you, the DBA.

    If he's taken away your permissions, are you just a member of the public group, then? Or did someone give him a script and he added a new server role that lets you do some stuff but not others?

    SELECT 'About Server Permissions:' As QueryFocus,* FROM fn_my_permissions(NULL,'SERVER')

    SELECT 'About Database Permissions :' As QueryFocus,* FROM fn_my_permissions(NULL,'DATABASE')

    Lowell


    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!
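The two queries in the post above show effective permissions only. The following T-SQL is an added example, not part of the original post: it extends them into a fuller inventory of what the current login has been left with (fixed server role membership, effective and directly assigned server permissions, and per-database access), using only built-in functions and catalog views.

```sql
-- Added example: run in any database as the affected login.

-- 1. Who am I, and which fixed server roles do I still hold?
--    IS_SRVROLEMEMBER returns 1 = member, 0 = not a member.
SELECT SUSER_SNAME()                      AS login_name,
       ORIGINAL_LOGIN()                   AS original_login,
       IS_SRVROLEMEMBER('sysadmin')       AS is_sysadmin,
       IS_SRVROLEMEMBER('securityadmin')  AS is_securityadmin,
       IS_SRVROLEMEMBER('dbcreator')      AS is_dbcreator;

-- 2. Effective server-level permissions (same function as in the post).
--    A login reduced to "connect only" typically shows little more than
--    CONNECT SQL and what the public role carries.
SELECT permission_name
FROM sys.fn_my_permissions(NULL, 'SERVER')
ORDER BY permission_name;

-- 3. Server permissions granted or denied directly to this login.
--    fn_my_permissions does not list a DENY; this view does.
--    Permissions inherited through a Windows group or a server role
--    are not listed here.
SELECT p.class_desc, p.permission_name, p.state_desc
FROM sys.server_permissions AS p
WHERE p.grantee_principal_id = SUSER_ID();

-- 4. Which databases can this login enter at all?
--    HAS_DBACCESS returns 1 = can access, 0 = cannot, NULL = invalid name.
SELECT name AS database_name,
       state_desc,
       HAS_DBACCESS(name) AS has_access
FROM sys.databases
ORDER BY name;

-- 5. Effective permissions inside the current database
--    (repeat after USE <database> for each accessible database).
SELECT permission_name
FROM sys.fn_my_permissions(NULL, 'DATABASE')
ORDER BY permission_name;
```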

  • You can grant yourself membership to the SYSADMIN role by:

    1. log into Windows host as local admin

    2. stop the SQL Server service

    3. restart the service in Single User mode using -m or -f switches

    4. connect to SQL Server temporarily as local admin

    5. add your domain account as member of SYSADMIN

    6. disconnect and restart service without -m or -f switches

    https://msdn.microsoft.com/en-us/library/dd207004.aspx

    However, this requires you to first be a member of admin on the Windows host.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
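Seen from the side of whoever audits the instance, the steps above leave two traces: a service restart and a change in sysadmin membership. The T-SQL below is an added example, not part of the original post; it lists the current sysadmin members and reads both event types from the default trace, assuming the default trace is enabled and the caller holds ALTER TRACE and can view all server principals.

```sql
-- Added example: audit view of sysadmin membership and how it changed.

-- 1. Current members of the sysadmin fixed server role.
--    Windows groups appear as a single row; their individual members
--    are resolved by Windows, not listed here.
SELECT m.name        AS member_name,
       m.type_desc   AS member_type,
       m.is_disabled,
       m.create_date,
       m.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 2. Service stop/start events and server role membership changes
--    recorded in the default trace. Only the current trace file and
--    any later rollover files are read; older files have to be
--    queried by passing their path explicitly.
DECLARE @trace_path nvarchar(260);
SELECT @trace_path = path FROM sys.traces WHERE is_default = 1;

SELECT t.StartTime,
       CASE t.EventClass
            WHEN 18  THEN 'Audit Server Starts And Stops'
            WHEN 108 THEN 'Audit Add Login to Server Role'
       END AS event_name,
       t.EventSubClass,      -- for event 108: 1 = add, 2 = drop
       t.LoginName,          -- who made the change
       t.HostName,
       t.ApplicationName,
       t.TargetLoginName,    -- whose membership changed
       t.RoleName
FROM sys.fn_trace_gettable(@trace_path, DEFAULT) AS t
WHERE t.EventClass IN (18, 108)
ORDER BY t.StartTime;
```

A restart immediately followed by an add to sysadmin made from the server's own host name is the pattern the six steps produce.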

  • In the interim, should you get a 2AM support call, tell them to call Dick.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Thanks all for the feedback.

    Thom - I guess I needed to be brought back down. I know it would be considered a security violation, just had hopes. I know SQL Server is designed to keep people out if they don't have rights. Kudos to Microsoft.

    Lowell - Yes, it is a turf war. I just don't understand why. I don't have OS level access because I'm not a networking admin. Ok, not a big deal. I just need to do my job inside of SQL Server. To answer your question about what they left me with? Absolutely nothing. I have server connect rights and nothing into any of my databases.

    Eric - As I mentioned, I don't have OS access on the server so I can't put the server in maintenance mode. I wish I could. However, I'm not answering the 2 AM calls either. I'm almost at the point I'm going to forward my email to him with an auto-reply to the sender telling them DCD is the new DBA.

    Hopefully I'll get more answers today...

  • Don't bother trying to fight with a power hungry network admin. Make it known immediately to your supervisor that you are unable to do your job in an effective manner and that said network admin is the reason. Let him fight with the higher-ups about it; that's his job after all. Also make sure it's immediately known every single time something is delayed or there is customer impact that said network admin is the reason why, and make sure your manager and any customers are aware of this. Eventually he'll either get swamped doing your job or be forced to give you back access.

  • Just out of curiosity, give us a little background information about this situation. For example, are you primarily in an IT support or DevOps position within a small company and you are simply the closest thing to a DBA without being formally acknowledged as one?

    Or, is this a large enterprise with many database servers and many DBAs and somehow you fell through the cracks when the domain admin decided to lock down security?

    As suggested earlier, speak with your manager. Also: escalate an emergency support ticket requesting access, drop by the domain admin's desk for a face to face, forward any emails from the domain admin rejecting access to the IT director so upper level management are in the loop. Do whatever it takes to put the organization on notice that something is seriously wrong here.

    Oh, and redirect any database support requests to the domain admin. That will bring him to the table.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • I'm the only DBA that our organization has. There are others that "know enough to be dangerous" that can at least create a database and point an application to it. I handle all of the maintenance plans and management of the instance overall. I manage the SQL Agent jobs. I'm also a DB and web programmer so I modify DDL, stored procs, etc. on a regular basis to meet the needs of the end user. I also manage nearly 40 vendor integrations in and out of our data as well as cross database/server data management.

    I did speak with my boss this morning. He said that permissions were taken away from all users because I created a tiny little database for another web developer in our department. Supposedly without permission from a network admin. I guess my only failure there is that I didn't get his permission in writing.

  • A network admin shouldn't be telling you who you can or cannot create databases for; that is by definition your job as a DBA.

  • jim.powers (12/8/2016)


    ...

    I did speak with my boss this morning. He said that permissions were taken away from all users because I created a tiny little database for another web developer in our department. Supposedly without permission from a network admin. I guess my only failure there is that I didn't get his permission in writing.

    Did creating this new database break something else? So, get the network admin some flowers and an apology letter or something. You can't wait indefinitely for him/her to get past this petty little old thing. The organization needs a DBA.

    :Whistling:

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • It is a tiny little database that has absolutely no impact. It will hardly be noticed and again, I even had permission from his junior network admin whom he put in charge of the SQL Servers. DCD just wants to control the world.

  • Time to start looking...

    John Rowan

    ======================================================
    Forum Etiquette: How to post data/code on a forum to get the best help - by Jeff Moden

  • Agreed...

  • jim.powers (12/8/2016)


    It is a tiny little database that has absolutely no impact. It will hardly be noticed and again, I even had permission from his junior network admin whom he put in charge of the SQL Servers. DCD just wants to control the world.

    Odd and unfortunate. Where network/storage/platform operations fits into the IT hierarchy varies considerably from one organization to another.

    Where I've worked in the past, they're not even on the same VP organization chart as database management. Database operations requests SAN storage, and once granted how we allocate it is our own business, so long as we don't abuse it in a way that causes performance issues.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

Viewing 15 posts - 1 through 15 (of 34 total)
