September 22, 2011 at 12:46 am
Hi,
The developers have sa priviledge on 1 server , they usually stop the sqlserveragent service and due to which the nightly backup jobs fail.
Can it be possible to stop the developers that they haven't permission to touch even the sql server agent without removing sa priviledge.
Or
Is there any other solution?
Thanks
September 22, 2011 at 2:33 am
if they have sa permission then there is not much you can do, and anything you did do they could undo.
best solution is to assign the developers the correct permissions to do their role as developers, using sa is bad practice even in dev.
other option is to tell them to stop messing with the sql agent.
September 22, 2011 at 3:09 am
steveb. (9/22/2011)
other option is to tell them to stop messing with the sql agent.
Agreed. It's not always a matter of tools. Appropriate communication an cooperation can do more than permissions at times.
Try to involve them in the backup process and explain why stopping the agent is bad.
However, you should try to revoke sysdmin permissions.
-- Gianluca Sartori
September 22, 2011 at 3:22 am
Is it not possible from the proxy account of sql server?
Thanks
September 22, 2011 at 3:49 am
forsqlserver (9/22/2011)
Is it not possible from the proxy account of sql server?
Seriously do yourself a big favour, and sort out the correct permissions for the developers and forget about implementing other measures. There are roles that give a lot of access without giving over full control
The devs may complain but it is your responsibilty to administer the database (i assume you are the dba). Because eventually one of them is going to drop and delete a database or bring the server down and it will be over to you to sort it.
Also communication is the key, let them know what the issues are and why they should not have sa access.
September 22, 2011 at 4:13 am
Thanks,
Actually their applications do not installing sa priviledge.
Thanks
September 22, 2011 at 4:14 am
Thanks,
Actually their applications SFS does not installing without sa priviledge.
Thanks
September 22, 2011 at 4:19 am
forsqlserver (9/22/2011)
Thanks,Actually their applications SFS does not installing without sa priviledge.
Probably because they're not aware of the single privileges that they have to be granted instead of sysadmin.
If they started coding with restricted users, you could have granted single privileges. Now it would be a PITA to find them all.
Another good reason to avoid granting sysadmin to devs.
-- Gianluca Sartori
September 22, 2011 at 4:31 am
Probably because they're not aware of the single privileges that they have to be granted instead of sysadmin.
If they started coding with restricted users, you could have granted single privileges. Now it would be a PITA to find them all.
Another good reason to avoid granting sysadmin to devs.
Thanks Sartori,But....
1. What is PITA?
2. How it can be possible with single priviledge login?Please tell actually this is devleopemnt and our production is about to start.So then I cannot give permission of sa?
3. I have forefront,TFS,HRMS Axapta all these developers have taken sa rights perforcely from me.I have not solid reason for this.
Thanks
September 22, 2011 at 4:34 am
forsqlserver (9/22/2011)
Thanks,Actually their applications SFS does not installing without sa priviledge.
Then it is a poorly developed application,
find out exactly what the applicaiton needs to do with the SQL server and then give the appropriate permissions based upon need. Otherwise you end up with lazy devs, as I can bet they do not NEED sa permission.,
September 22, 2011 at 4:37 am
1. What is PITA?
Pain In The A$$. I didn't want to write it fully, I though the acronym would have been enough.
2. How it can be possible with single priviledge login?Please tell actually this is devleopemnt and our production is about to start.So then I cannot give permission of sa?
You should have done this from the start, now I'm afraid it's too late. Especially if you want to do it in a rush.
3. I have forefront,TFS,HRMS Axapta all these developers have taken sa rights perforcely from me.I have not solid reason for this.
You're right: that's the reason why here I still have some devs with sysadmin rights. They shouldn't, but this is the best I could do.
-- Gianluca Sartori
September 22, 2011 at 6:25 am
forsqlserver (9/22/2011)
Hi,The developers have sa priviledge on 1 server , they usually stop the sqlserveragent service and due to which the nightly backup jobs fail.
Can it be possible to stop the developers that they haven't permission to touch even the sql server agent without removing sa priviledge.
Or
Is there any other solution?
in a similar situation, I know another poster ended up creating a Windows scheduled task that ran the "net start SQLSERVERAGENT"
to clean up after his developers, exactly so that the backups would not fail, because they were stopping the service.
in his case, the developers did not know how to kick people off of a database (using KILL @spid or ALTER DATABASE SET SINGLE USER ROLLBACK IMMEDIATE), so they would bounce the dev server to kick people off.
he could not get them trained and just gave up and did the scheduled windows task as a work around.
and he c
Lowell
September 22, 2011 at 8:38 am
not to mention, developers logging in with application logins. Like mentioned above, I've seen applications that need sysadmin rights. So are the joys of life...
Viewing 13 posts - 1 through 12 (of 12 total)
You must be logged in to reply to this topic. Login to reply