Re: Security: Network Admins vs. SQL Programmers
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Tue, 23 May 2006 18:22:55 -0700
If you look at the new certifications for SQL you will notice that
(finally) there is recognized a distinction between SQL development
and SQL Server administration. Also, SQL administration does not
necessarily include or imply awareness of the issues of Windows
Server administration.

To answer your question as stated, and believing SQL Programmers
to mean just what it says, then they only need DBO over the databases
with which they are programming.

Now, if they are doing tasks beyond "SQL programming", such as
defining new databases, establishing the backup regime, programming
to automate SQL services tasks (ex. health monitoring of an SQL
Server cluster, or of a distributed SQL replication or mirroring env)
then obviously DBO to the used databases is insufficient. In those
cases use of some of the Server Roles defined in SQL Server may
be warranted for a select subset of the "SQL Programmers".

I have a number of different dev teams that live fully within containment
to dbo for their databases. In turn SQL admin has responsibility for
all aspects of server and SQL Server health, tuning, recoverability,
etc. as well as for defining new databases upon justified need.

I might, if pressed (only a little), even argue that having SQL
programmers contained to dbo can be a good thing to make sure
that their resulting code is not "undeployable" and/or hazardous to
the SQL Server.

But, why do they need the ability to alter the settings of the nics?,
the IPsec policy?, the existing local accounts?, the . . . list is large.

As others have stated, ask for use cases in their work tasks that
show what DBO access to the predefined databases does not allow.
For each such case presented, establish that it is an appropriate task
for their job and then how to effect provisioning with the least excess
priv grants. For each such allocation that seems needed and that you
feel impinges on the responsibility/accountability of the server and/or
SQL admins, have them and your management accept their being
accountable for the potential impacts to your service agreements
before they are given the capabilities.
"RAlcant" <texcel@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1148413622.833585.20720@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm not 100% sure where I need to post this, but to me, this is a
security question, so I'll start here.

I have just started working for a new company and came in a huge
scuffle between Network Admins and SQL Programmers. The problem is the
programmers want full administrator control on the sql server, but the
network admins refuse to give it to them stating they don't need it.

My question for the group is, what (if any) kind of access do SQL
programmers need on the SQL server? (Ie: do they need administrator
priv, power users, std. user, etc) This question is not related to
database access, that is a different issue. This is about their domain
account rights to the SQL server.
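
An added example, not part of the original thread: one way to provision the containment the reply describes, reading "DBO over the databases" as membership in the db_owner database role, followed by an audit of who holds fixed server roles. The group name CONTOSO\SqlDevs and the database name AppDb are constructed placeholders; the syntax assumes SQL Server 2005 or later.

```sql
-- Constructed names: CONTOSO\SqlDevs (Windows group), AppDb (database).
USE master;
GO
-- Server login for the developers' domain group. No server role is granted,
-- and the group needs no Windows rights on the host for this to work.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\SqlDevs')
    CREATE LOGIN [CONTOSO\SqlDevs] FROM WINDOWS;
GO

USE AppDb;
GO
-- Map the login into the one database the team programs against.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\SqlDevs')
    CREATE USER [CONTOSO\SqlDevs] FOR LOGIN [CONTOSO\SqlDevs];
GO
-- Full control inside AppDb only; nothing at server scope.
EXEC sp_addrolemember N'db_owner', N'CONTOSO\SqlDevs';
GO

-- Audit: list every member of every fixed server role, so that any
-- server-level grant to a developer is visible and can be tied to a
-- documented use case. If BUILTIN\Administrators appears under sysadmin,
-- local Windows administrators on the host are also SQL Server sysadmins.
SELECT r.name      AS server_role,
       m.name      AS member,
       m.type_desc AS member_type
FROM sys.server_role_members AS srm
JOIN sys.server_principals   AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = srm.member_principal_id
ORDER BY r.name, m.name;
GO
```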