January 23, 2012 at 3:03 pm
The other DBA here left for greener pastures and I've finding all the things that were default named with his login. I thought I had them all and then found out that replication broke because he had been listed as owner on a number of databases. I have been changing the ownership of all DBs to SA, so that no matter who comes or goes we don't have this problem again.
Is there any problem any of you know with making the SA account the owner of databases or other objects?
On most of my instances, login to the SA account is disabled, but it still seems to take ownership just fine.
We are running various versions from 2000 (soon to be retired!) to 2008 R2.
Thanks,
Dave Bennett
January 26, 2012 at 1:54 pm
Database owner defaults to database creator.
I prefer not to have "sa" as the owner of the databases but what I call a "operational account" for such database meaning that different databases on the same server have different owners most of the time. The same "operational account" can be used to own jobs, etc. but never for user access to the system.
This practice preserves the sanctity of "sa" account and also dettaches databases from actual people that may come and go while databases stay put.
_____________________________________
Pablo (Paul) Berzukov
Author of Understanding Database Administration available at Amazon and other bookstores.
Disclaimer: Advice is provided to the best of my knowledge but no implicit or explicit warranties are provided. Since the advisor explicitly encourages testing any and all suggestions on a test non-production environment advisor should not held liable or responsible for any actions taken based on the given advice.January 26, 2012 at 2:32 pm
I don't know if I agree Paul, my policy is that ALL databases are owned by sa and that no one should have the sa password. I don't ever use it and no one else should either. It is stored in case it is ever needed but the password is not given out.
In this context sa really doesn't have negatives. I don't allow for cross-db chaining which might be one reason to have different ownership. For a multi-tenant operation maybe. For jobs that I want to run in the context of the server (which is many of them, if not most) they are owned by sa as well. I don't want users to own anything, in the case where I might change ownership, I would create a user for that task and document WHY I departed from the standard that I set.
I want to insulate myself from the cases where an admit leaves and things start breaking because I killed their login..
CEWII
January 26, 2012 at 6:13 pm
I'll second all of that, Elliott. I'll also add that I prefer that most things are in the "dbo" schema.
--Jeff Moden
Change is inevitable... Change for the better is not.
January 26, 2012 at 6:16 pm
Jeff Moden (1/26/2012)
I'll second all of that, Elliott. I'll also add that I prefer that most things are in the "dbo" schema.
I tend to code to that as well. But I can see some reasons to use schemas. I'll let a developer go down that path if they can justify it.
CEWII
January 27, 2012 at 5:38 am
Elliott Whitlow (1/26/2012)
I don't know if I agree Paul, my policy is that ALL databases are owned by sa and that no one should have the sa password. I don't ever use it and no one else should either. It is stored in case it is ever needed but the password is not given out.In this context sa really doesn't have negatives. I don't allow for cross-db chaining which might be one reason to have different ownership. For a multi-tenant operation maybe. For jobs that I want to run in the context of the server (which is many of them, if not most) they are owned by sa as well. I don't want users to own anything, in the case where I might change ownership, I would create a user for that task and document WHY I departed from the standard that I set.
I want to insulate myself from the cases where an admit leaves and things start breaking because I killed their login..
CEWII
I'm okay with dissagreement 🙂
Having said that, please note that as stated my "operational accounts", the ones that own each database are not owned by a human users, nobody uses them, nobody in the user/developer community even know they exist and, nobody but DBA knows the passwords which are documented and kept in a sealed envelope. "Operational accounts" are a layer to put 'sa' one more step away from the misseries of human life 😉
_____________________________________
Pablo (Paul) Berzukov
Author of Understanding Database Administration available at Amazon and other bookstores.
Disclaimer: Advice is provided to the best of my knowledge but no implicit or explicit warranties are provided. Since the advisor explicitly encourages testing any and all suggestions on a test non-production environment advisor should not held liable or responsible for any actions taken based on the given advice.January 27, 2012 at 6:31 am
All,
Thanks for the responses. I guess I'm going to continue to go with sa for my ownership. I already have way too many accounts to keep track of for people (and resources) that actually log in. It sounds like there is no real downside to using sa for database ownership (which is what I wanted you'all's opinion on) so I will keep on with it.
Thanks for the feedback!
Dave
January 27, 2012 at 8:13 am
PaulB-TheOneAndOnly (1/27/2012)
I'm okay with dissagreement 🙂
As am I. Especially on something like this.
CEWII
February 6, 2012 at 5:19 pm
I'm having to deal with this now (database ownership) and came across a SQL Server 2005 best practice doc from Microsoft, stating that databases should not be owned by 'sa' (page 18). I'm guessing that the reasoning is similar to Paul's.
My environment is exactly like David's ('sa' account exists but is disabled). Management will make me adhere to Microsoft's ideas so a separate, "operational" account will have to be used.
----------------------------------------------------------------------------
Sacramento SQL Server users group - http://sac.sqlpass.org
Follow me on Twitter - @SQLDCH
----------------------------------------------------------------------------
February 7, 2012 at 9:07 am
SQLDCH (2/6/2012)
I'm having to deal with this now (database ownership) and came across a SQL Server 2005 best practice doc from Microsoft, stating that databases should not be owned by 'sa' (page 18). I'm guessing that the reasoning is similar to Paul's.My environment is exactly like David's ('sa' account exists but is disabled). Management will make me adhere to Microsoft's ideas so a separate, "operational" account will have to be used.
Careful now. It doesn't simply state that "databases should not be owned by 'sa'. It states...
Have distinct owners for databases; not all databases should be owned by sa.
... and it says that in a section where individual customers own and can control their own databases in shared system which is a very specific requirement. Making the blanket statement that "databases should not be owned by 'sa'" isn't the right thing to do especially after you've misquoted the "official" MS documentation (heavily disclaimered by MS in the front matter, BTW). That's how really bad SQL "myths" get started. 😉
--Jeff Moden
Change is inevitable... Change for the better is not.
February 7, 2012 at 9:37 am
Jeff,
What MS doc is this? It sounds like best practices for a shared hosting environment. In THAT environment I would agree with not being owned by sa, but for my company databases...
CEWII
February 7, 2012 at 12:52 pm
Elliott Whitlow (2/7/2012)
Jeff,What MS doc is this? It sounds like best practices for a shared hosting environment. In THAT environment I would agree with not being owned by sa, but for my company databases...
CEWII
SQLDCH had provided a link in his post immediately previous to mine in the word "doc" and it's hard to see that it's actually a link. Here's the full link...
--Jeff Moden
Change is inevitable... Change for the better is not.
February 7, 2012 at 3:47 pm
Thanks Jeff. The paragraphs before it mentions not using sa specifically talks about IT department mode vs ISV mode. I don't think you can take sa shouldn't be used from this document unless the context is ISV. And in the ISV use case I agree. However, lets be real, most of us are not running SQL in that mindset..
CEWII
February 7, 2012 at 3:58 pm
Elliott Whitlow (2/7/2012)
Thanks Jeff. The paragraphs before it mentions not using sa specifically talks about IT department mode vs ISV mode. I don't think you can take sa shouldn't be used from this document unless the context is ISV. And in the ISV use case I agree. However, lets be real, most of us are not running SQL in that mindset..CEWII
I agree here. I think that statement is meant more for ISV. In a shared environment, I would have separate operational accounts as described by Paul.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw[/url]
Learn Extended Events
February 7, 2012 at 4:01 pm
SQLRNNR (2/7/2012)
Elliott Whitlow (2/7/2012)
Thanks Jeff. The paragraphs before it mentions not using sa specifically talks about IT department mode vs ISV mode. I don't think you can take sa shouldn't be used from this document unless the context is ISV. And in the ISV use case I agree. However, lets be real, most of us are not running SQL in that mindset..CEWII
I agree here. I think that statement is meant more for ISV. In a shared environment, I would have separate operational accounts as described by Paul.
That's why I said that saying that "databases shouldn't be set to 'SA'" was a bad thing. 😛
--Jeff Moden
Change is inevitable... Change for the better is not.
Viewing 15 posts - 1 through 15 (of 16 total)
You must be logged in to reply to this topic. Login to reply