July 2, 2012 at 11:21 am
Hi everyone,
From a security perspective, is it advised or discouraged for non-DBA users to have owner (db_owner or equivalent permissions) to some or all databases on a SQL Server? I've received a few requests about granting db owner permissions to non-DBAs on our development servers. I'm just wondering if this is just something that is needed to allow developers to do their work, or if I need to prevent that and have those "higher" parts of the db owner role funneled to me so I can do them. I don't want to handcuff developers but I also want to know if there's a best practice around this issue.
Thanks for any help.
- webrunner
-------------------
A SQL query walks into a bar and sees two tables. He walks up to them and asks, "Can I join you?"
Ref.: http://tkyte.blogspot.com/2009/02/sql-joke.html
July 2, 2012 at 11:50 am
webrunner (7/2/2012)
Hi everyone,From a security perspective, is it advised or discouraged for non-DBA users to have owner (db_owner or equivalent permissions) to some or all databases on a SQL Server? I've received a few requests about granting db owner permissions to non-DBAs on our development servers. I'm just wondering if this is just something that is needed to allow developers to do their work, or if I need to prevent that and have those "higher" parts of the db owner role funneled to me so I can do them. I don't want to handcuff developers but I also want to know if there's a best practice around this issue.
Thanks for any help.
- webrunner
Firstly setting a user as the database owner maps them through into the database as the builtin user dbo. They automatically have all the rights available within that database. You won't see a database user account for them.
Secondly, its best practice to force the devs to appluy only the permissions they need to their code. Being a member of DB_Owner doesn't enforce any thought process IMHO.
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
July 2, 2012 at 12:12 pm
Perry Whittle (7/2/2012)
webrunner (7/2/2012)
Hi everyone,From a security perspective, is it advised or discouraged for non-DBA users to have owner (db_owner or equivalent permissions) to some or all databases on a SQL Server? I've received a few requests about granting db owner permissions to non-DBAs on our development servers. I'm just wondering if this is just something that is needed to allow developers to do their work, or if I need to prevent that and have those "higher" parts of the db owner role funneled to me so I can do them. I don't want to handcuff developers but I also want to know if there's a best practice around this issue.
Thanks for any help.
- webrunner
Firstly setting a user as the database owner maps them through into the database as the builtin user dbo. They automatically have all the rights available within that database. You won't see a database user account for them.
Secondly, its best practice to force the devs to appluy only the permissions they need to their code. Being a member of DB_Owner doesn't enforce any thought process IMHO.
Great, thanks, this is the information I needed. I'm going to need to speak with them to work out something aside from db owner permissions.
Thanks again,
webrunner
-------------------
A SQL query walks into a bar and sees two tables. He walks up to them and asks, "Can I join you?"
Ref.: http://tkyte.blogspot.com/2009/02/sql-joke.html
July 3, 2012 at 2:01 pm
Before having the conversation I recommend reading up on the difference between being a dbo (Database Owner) and being a member of the db_owner (a Fixed Database Role). There are important differences. Mostly I see developers placed in the db_owner Role with a service account or sa as the dbo.
webrunner (7/2/2012)
Hi everyone,From a security perspective, is it advised or discouraged for non-DBA users to have owner (db_owner or equivalent permissions) to some or all databases on a SQL Server? I've received a few requests about granting db owner permissions to non-DBAs on our development servers. I'm just wondering if this is just something that is needed to allow developers to do their work, or if I need to prevent that and have those "higher" parts of the db owner role funneled to me so I can do them. I don't want to handcuff developers but I also want to know if there's a best practice around this issue.
Thanks for any help.
- webrunner
There really is no best practice when it comes to development environments. In my experience a lot depends on how the developers debug their apps. If the app uses Windows Auth and they run their development debugger as their Windows account then having a Windows Login for them on the server be a dbo or in db_owner of a database can mask permissions issues that will not appear until a QA, or worse, a real user runs the app. It's really up to you what to give them in development. You are spot on in terms of balancing their ability to do their job with guiding them into working with you in areas important to you.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply