November 21, 2003 at 12:22 pm
Is there a way to give a developer the rights to temporarily administer the jobs without giving them full sa rights?
We're trying to come up with the coverage schedule for the holidays, and it looks like some non-DBAs will have to support the jobs.
November 21, 2003 at 12:57 pm
May be a lot more than the jobs could need taken care of at some time.Not trying to be persimistic
Mike
November 24, 2003 at 6:48 am
What we've found during SQL Server security lockdown process, an individual NT login with be created for each maintenance / operations staff, and will be mapped to some pre-defined sql server roles with appropriate privileges, such as read/write data, start/stop/view jobs. We now have stored proc that does this.
November 24, 2003 at 9:36 am
To administer(create, modify, run, stop, enable..) jobs you either have to be in sysadmin role or be logged in as owner of the job. with a little work, nearly all jobs can be converted to an owner that is a standard sql ID and then the specific rights granted to this one ID. actions requiring SA permissions are xp_cmdshell(even with Proxy, there is exposure as the service account IS involved - ask MS if you don't believe me), OPENROWSET, and linked server ~ so watch out when you need to run even DTSRun.exe via xp_cmdshell ~ you could try setting job type to CmdExec. you probably want to be sure you have good backups of all jobs, etc in the event they get hosed while you are out ~ you may even want to engage a systematic profiling ~ better yet if SQL2K setup C2Audit - and keep those files but be careful of disk space! good luck
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply