Should the DBA be a Local Administrator?

  • Hello everyone,

    I am in need of building a case of reasons why it is required for the SQL DBA and the SQL service account to have local administrator authority on SQL server boxes. My current access to the SQL servers is not a local or domain administrator account it is a sort of a tweaked users account. Meaning… my account is given access to certain pieces of the registry, file or dlls as issues arise and the Network Administrator identifies the pieces and grants access. There are some things that I am just unable to do like restart the SQL services through Enterprise Manager. I have found this is making our environment very unpredictable. The latest is full text searches stopped working when we replace the SQL service account with a non-local administrative account. I believe that I need the local administrator authority to do my job, and now I must prove it.:crazy:

    Any help would be greatly appreciated!!!!

    Nicole

  • Because of SOX, I was allowed to be administrator of the development box but not the production box.

  • Running the SQL Server services using the Local Administrator and adding the DBAs network account to the local machines Administrator Group should give you what you need. You do not need to be in the Domain Admin group. However, if you choose not to do this and create your own users and groups you will need to apply all the appropriate permission to do whatever it is you have to do. This can be painful if not fully tested in a development environment first. Having a production system that is having problems and scrambling for information on security related things can cause lots of issues.

    Good luck and hopefully somebody from this community can give us a list or point us to doc describing how to setup a system without using local admin and the administrator group, but still giving the DBA and SQL Server what it needs.

  • Making a DBA and Service account a local admin is by no means a necessity, but often makes things easier. I've worked both ways...one job I was at gave me so few privilages on the server I couldn't properly do my job, I've also worked where they just made me a domain admin (way overkill!).

    The only time you'll probably need to be an admin on the server itself is when you are doing installs/patches/service packs.

    Here is the books online page for what the service accounts need.

    ms-help://MS.SQLCC.v9/MS.SQLSVR.v9.en/instsql9/html/309b9dac-0b3a-4617-85ef-c4519ce9d014.htm#Review_NT_rights

    The Redneck DBA

  • Strictly speaking, it's not necessary. A lot of organizations do it because of convenience. But I've seen cases where it's locked down hard.

    The question is responsibility and accountability. If you are responsible for the SQL Server should the service fail, then you've got a technical reason to either (a) have elevated rights or (b) have the responsibility and accountability given to the server admin. If you present it rationally and calmly to your management, they should see only one of those two options work.

    K. Brian Kelley
    @kbriankelley

  • yes you should.

    Gethyn Elliswww.gethynellis.com

  • see the reply i just made on this post:

    http://www.sqlservercentral.com/Forums/Topic451274-146-1.aspx

    the SQL services do NOT need admin permissions and shouldn't.. why people are saying to do that I've got no idea.. it's clearly mentioned in the books online topic on this very subject. The system can work quite happily without it.

    as for you being the DBA and your account.. technically speaking, no, you shouldn't need admin permissions to the server either. However, unless the server guys are paranoid, I can't see why they'd want to remove your access and it certainly would make your life easier.

    Having said that, if you were revoked admin permissions, there's some SQLServer2005* groups you'd need to be made a member of, which are installed as part of SQL... just add yourself to all of em and be done with it. And, you'll also need to have permissions to the data, log and backup directories too.. so you can manipulate those files if needed. Stuff like that, i'm sure there's more but that's a good start.

    cheers

    Dave

  • If you are managing SQL Server 2000, there is IMHO too much that does not work if the DBA is not also in the local Administrators group.

    If you are managing SQL Server 2005 there is no reason related to SQL Server why a DBA needs to be a local administrator.

    Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.

    When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara

  • I have worked in many places that simply gave me keys to the kingdom, domain admin rights. I don't mind having that responsibility, but it opens you up to unnecessary risks and possible finger pointing. In my present environment, I need to remote into database servers, thus I have local admin rights on these servers. I am not a network person, but according to my networking co-wrokers, I need to be a local admin to be able to remote into these servers.

    Q

    Please take a number. Now serving emergency 1,203,894

  • Nicole,

    At a philosophical level, you may not be correct. Practically speaking, you're finding NOT having these rights is a pain in the $@%^&! and slows you down. The strongest argument you can make is $. How much is it costing your employer to NOT give you access rights? What's the downside risk of giving you access? You need to look at both pros and cons, and give a balanced argument. Talking about the downside risk of granting you what you need means that you are looking at the question objectively. Of course, you get to choose what arguments you present. But talking to your sysadmins about what they see as the risk of giving you rights may help your presentation. Be prepared for a corporate policy standing in your way.

    If there's a policy objection, then you need to insist on faster and better support as a way to save your employer $ - it's a fallback position, but may be what you have to settle for.

    Good luck!

    Steve

  • I always take the stance that you should be justifying what rights you need, not how that is implemented.

    If the team responsible for granting rights to Servers or Groups deems that your request is easier satisfied by adding you to an Admin group then so be it.

    Cheers

    Andrew

  • I'd have to agree with Steve Smith. You need to present the argument in a monetary sense. Point out that if a database file had to be moved because of disk space concerns at 3:00 AM, would it make sense to have to contact a server admin and/or a network admin, or just simply allow you to make the changes.

    It is purely up to the company, but I would say making arguments regarding on-call situations will probably win.

    If I was a server admin, I would not want to be woken up by a SQL Server issue.

    Good luck!

    Steve

  • I would guess it depends on your environment. We used to have full admin rights. But that was stripped away. Now, my account can not even connect to the machine. I've been given a secondary account that can connect, and it has rights to start/stop sql service(s).

    The biggest issue involves meeting our audit regulations. We're governed by US and EU law. So we get hammered all the time over governance.

    If you have very tight SLAs you need responsive support from your local-admin types. I guess it'll come down to being a trade off.

    Honor Super Omnia-
    Jason Miller

  • The big thing, IMHO, is whether or not your job duties require that kind of access to the server.

    Where I work, the DBA team is responsible for the "soft" server admin jobs. Things like granting / revoking Share access, fixing minor OS / Cluster / SQL issues, restarting Services, installing new .dlls and general logical disk drive maintenance. This does require us to have local admin access on the machines. On the other hand, if you're not doing these duties and someone else is, then I don't see a reason you actually need this kind of access.

    Make a list of your duties. Then investigate each one and verify whether or not you can accomplish that particular task without local admin access. If, at the end of the list, you don't have any tasks that require local admin access, don't bother trying to fight for it.

    You need to be realistic about what you should and shouldn't have. It won't look good for you if you demand local admin access based on what you found in the User Group and not based on what your job requires. Some security paranoid person might think you're trying to get away with something. So instead of asking us for a list of reasons why you should have access, make your list and then (if you can't figure out the security yourself) ask us what type of security is required for the tasks on the list. That'll work much better.

    Brandie Tarvin, MCITP Database AdministratorLiveJournal Blog: http://brandietarvin.livejournal.com/[/url]On LinkedIn!, Google+, and Twitter.Freelance Writer: ShadowrunLatchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.

  • Brandie Tarvin (2/11/2008)


    Make a list of your duties. Then investigate each one and verify whether or not you can accomplish that particular task without local admin access. If, at the end of the list, you don't have any tasks that require local admin access, don't bother trying to fight for it.

    I think thats great if you have the time, however as most have better things to do just identify what it is you need and leave it up to the person responsible to decide what that should translate into.

    That being said you should never be left in the situation where by during transition you are left with insufficient rights to do your job.

    Cheers

    Andrew

Viewing 15 posts - 1 through 15 (of 31 total)

You must be logged in to reply to this topic. Login to reply