Re: sql agent job owner best practice

From: Russell Fields (RussellFields_at_NoMailPlease.Com)
Date: 07/23/04


Date: Fri, 23 Jul 2004 13:54:00 -0400

jason,

We run "production" jobs under service accounts that we set up with the
needed rights. These accounts are granted or denied rights to data just
like any other user. (In the development server, programmers create and
test jobs with their own accounts prior to the release process to promote
them to production.)

This production policy avoids binding the job to a particular user who may
change teams, departments, countries, etc. and thus gain or lose rights
without regard to the needs of the jobs. It also avoids running the jobs as
a sysadmin or some other too powerful account.

Russell Fields

"jason" <jason@discussions.microsoft.com> wrote in message
news:475C5734-43EA-4F63-A0E9-B432067AF429@microsoft.com...
> sqlserver defaults my user id as the owner of new jobs i create.
> if my account gets deleted from ad when i leave this company, those jobs
> will fail..correct?
>
> i was thinking to use the AD service account i use to run the sql agent
> service. it has full rights in sql server, but limited on the server...good
> idea or bad?
>
> if my account has full rights in sql server and the server...that would be
> a bad idea to run the job using my credentials...correct?
>
> or do people create a new account, like a job_owner account, and use that
> one to run the jobs?
>
> what do people generally set as the job owner?
>
> thanks
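
An added example, not part of the original thread: a T-SQL audit that lists each SQL Agent job with its owner and flags owners that no longer have a login on the server, are disabled, or hold sysadmin, followed by reassigning one job to a dedicated service login. It assumes SQL Server 2005 or later (sys.server_principals); the job name and login in the last statement are hypothetical placeholders.

```sql
-- Added example: audit SQL Agent job owners.
-- Assumes SQL Server 2005 or later and a caller who can read msdb.dbo.sysjobs.
USE msdb;
GO

SELECT
    j.name                   AS job_name,
    j.enabled                AS is_enabled,
    SUSER_SNAME(j.owner_sid) AS owner_login,   -- NULL if the SID cannot be resolved
    p.type_desc              AS owner_type,    -- SQL_LOGIN, WINDOWS_LOGIN, ...
    CASE
        -- Owner SID has no matching login here (for example, the person's
        -- account was dropped after they left or changed teams).
        WHEN p.sid IS NULL THEN 'owner has no login on this server'
        WHEN p.is_disabled = 1 THEN 'owner login is disabled'
        -- Job is bound to an account with more rights than the job needs.
        WHEN IS_SRVROLEMEMBER('sysadmin', p.name) = 1 THEN 'owner is sysadmin'
        ELSE 'ok'
    END                      AS finding
FROM dbo.sysjobs AS j
LEFT JOIN sys.server_principals AS p
       ON p.sid = j.owner_sid
ORDER BY finding, job_name;
GO

-- Reassign a flagged job to a service login that has only the rights the
-- job needs. Both values below are hypothetical placeholders.
EXEC dbo.sp_update_job
     @job_name         = N'<job name>',
     @owner_login_name = N'<DOMAIN\service_account>';
GO
```

The query only reports; review the rows marked other than 'ok' before changing any owner, since the new owner must already hold the data rights the job steps use.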


