dba with local admin privs

  • Hi

    I have been asked the above question and I cannot really answer it as I have always been the sysadmin as well as the dba on sites I have worked at or contracted on.

    Is there any good reason why the sql server dba should NOT be given local admin rights as well?

    thanks

  • DBAs need to have the ability to view the system as a whole. DBAs often need to install SQL Server or service packs on those servers as well. At the same time, the SQL service account does not have to be part of the local administrators group.

    Sopheap

  • In addition to this, when you are doing performance & tuning, at that time you need to have admin privileges to access perfmon for CPU, IO, MEMORY etc. utilization.

    ---------------------------------------------------
    "There are only 10 types of people in the world:
    Those who understand binary, and those who don't."

  • Is there a good reason? Yes, having admin permissions can be a security issue and could be a problem with separation of duties.

    You do not "need" to be a local admin on a SQL Server. It can hinder your ability to do your job, but without being a member of the local administrators group you could be given access to everything you need.

    That being said, it is usually not worth it and putting the DBA in the local admin group is pretty common.

  • Just a thought here, how does maintaining SOX compliancy affect this?

  • It will depend on your interpretation of SOX.

  • SOX will be OK as long as there is a separation of the DBA from the developer role. DBAs don't develop and developers don't have access to the production server.

    Sopheap

  • thanks for the replies.

    It's the division of labour thing I guess. That's why I prefer to have the sysadm and dba all in the one person. We're dealing with third party system providers - two of them, with the DBA belonging to the client and having to justify everything he needs.

    So in reality there is really no need to have local admin rights but it's just less hassle.

  • Windows server admin ... well, that's a line in the sand, but most DBAs prefer that their Windows server admins don't have sa access to the SQL Server, even though there is not much of a way to prevent them if they hack the registry to allow themselves in... It is a trust issue that could be built.

    Also, it is an issue that will be brought up when you bring in an outside auditor to audit and you have to respond to those audits. Internal audit will also raise this issue as well.

    It could affect your rating that might affect your bottom line if you are highly dependent on credits.

    Sopheap
