December 26, 2007 at 7:55 am
There are people who say that:
- DBAs can do all of their duties using EM or SSMS,
- DBAs have no business on the local servers, no need for logging on as a member of the local administrator group.
So,
Do DBAS need system admin privs on the local servers? and why?
Does this NOT being one (sys admin) prevent the DBAs to do their job properly?
Thanks.
December 26, 2007 at 8:39 am
Here is my cent.
A DBA needs local administration privilege because he needs to do something on the OS level, such as
check what (application) eats up disk space;
check what (application) eats up memory/CPU;
check status of disks on the server;
...
It is important to a small company. Even in a big company, we need more coordination if DBAs do not have authority to access OS.
December 26, 2007 at 9:47 am
I don't think you need local system admin privileges, but as mentioned above, you need coordination and assistance from the people that do. There are times you will have to troubleshoot, see event logs, check process usage, etc. and if you don't have admin rights, then it becomes a pain.
As long as you have rights to all folders on the machine that SQL uses, including replication, DTS package folders for temp data, backup folders, etc., you probably don't need admin privileges. Most of the time it hasn't mattered for me, but if I call on the sysadmins, I need them to respond.
December 26, 2007 at 11:02 am
Which type of DBA? If it's the "System" DBA, you'd better trust him/her... they need total access to really do the job correctly. If it's an "Application" DBA, then probably not... application DBA's should go through the same process as everyone else to promote code... submit it to the "System" DBA for review and promotion.
--Jeff Moden
Change is inevitable... Change for the better is not.
December 26, 2007 at 11:39 am
he is a system/operation DBA.
why the need?
there are already system administartors to do all OS stuffs.
December 26, 2007 at 12:47 pm
If you dunno, you may be in trouble...
Who's going to set the files sizes? Who's going to do the load balancing for TempDB and other databases? Who's going to fix things having to do with SQL Server itself? Who's going to setup the maintenance jobs? Who needs to be able to see all the server settings and perhaps change them if they're wrong? Who's going to need access to the Index Wizard to make recommendations? Who's going to have to add new indexes? Etc, etc, etc...
You think the OS guy knows how to do all of that? Heh... good luck with that...
Personally, having a Systems DBA that does not have SA rights is like having a car engine that you can't add oil to. It's gonna blow up...
If you can't trust your DBA, then find one you can. I wouldn't work at such a job under such limits for a System DBA...
--Jeff Moden
Change is inevitable... Change for the better is not.
December 26, 2007 at 2:50 pm
Ummm... my mistake, I think... you're probably taking about the "WINDOWS" server System Admin, huh?
That might be a different story but, still, I'd be inclined to let the DBA in. So far as I'm concerned, it would be his/her box to take care of in all ways.
--Jeff Moden
Change is inevitable... Change for the better is not.
December 26, 2007 at 6:36 pm
Jeff,
Yes, we have SQL Server running on Windows.
I think apart from installing SQL and SPs, for what the DBA needs sys admin privs? It's not that we do not trust the DBA, but just want to understand.
December 26, 2007 at 7:39 pm
It just seems very odd to me that you want a DBA to drive your very expensive truck but you won't even let him/her check the pressure in the tires never mind look under the hood. Worse than that, you've gone out of your way to put black electric tape over the "Low Oil" and "Service Engine" lights. 😉
And, whether you trust the DBA or not, not giving the DBA privs on the box that SQL Server lives on is saying that you don't.
--Jeff Moden
Change is inevitable... Change for the better is not.
December 26, 2007 at 9:35 pm
While I agree with Jeff that you might want to trust the DBA, I know that some of my sysadmins were much better at tuning Windows than me and I'd ask their advice. There's no reason for me to do that part of the job. I wouldn't need Windows admin privileges.
I think it's a debate, but I don't think you need it. It might make your job easier, and I wouldn't want the Windows guys to prevent you from having them just to keep control of the OS, but they might just want to prevent you from making changes that they don't know about.
I've trusted my Windows admins to have SA rights on SQL, but let them know I would not be happy about them making changes without asking first.
December 27, 2007 at 1:50 am
Hi
Would like to put it like this , "It takes two to tango", both windows admin and DBA should be responsible for the box as they are both expertise in their domain and compliment each other.
Giving local admin rights to the box would only help in speeding up the processes of monitoring and maintainence. and also in time of crisis.
TO ensure that DBA or anyone for that matter should not do anything to the box, that he is not supposed to do , you need to enable auditing and also a good change mgmt process in place.
Regards
Avijeet
December 27, 2007 at 4:43 am
Heh... then there's shops like what I used to work for... I'd not only be the DBA, but I was also the OS guy, the guy that built the computer, the network guy, the printer guy, the firewall guy, and the GUI guy.
--Jeff Moden
Change is inevitable... Change for the better is not.
December 27, 2007 at 6:55 am
I agree with Steve and Jeff.
Do DBAs need local system admin privileges?
... and with Information Technology almost every answer starts with "it depends".
In my experience, each IT shop operates a little differently. I have been the sole Admin for a SQL Server database server from unpacking and mounting the machine in the rack, all the way to aging it out 5 years later, and powering it down for the last time. Working contracts, you are working within the established policies of the company you are hired by which can be open ended or you having a "shadow" that tracks your work almost literally down to the keystroke.
The common thread for all shops, it seems, is that time will eventually build trust, and the rules usually get relaxed, if a good rapport can be made by the DBA with the Server Admins and Security Staff, they will all work as a team (and not be at odds with each other over "turf") to make the things that go bump in IT stay a bump.
(soapbox)
I always keep in the back of my mind that a DBA is the "Ambassador of Information Technology" due to the fact that if there is a server issue, the Server Admins have to get involved, if an application that has a database associated with it (and how many don't these days) has problems, the Helpdesk is involved (DBAs can be 1st, 2nd, or 3rd tier support), network issues? Network Admins get a shoulder tap, and so on until you eventually deal with all the IT staff. DBAs are fortunate/unfortunate enough to have a need to have their "fingers" in all these pies at once.
(/soapbox)
We never have the same day twice! 😀
"Key"
MCITP: DBA, MCSE, MCTS: SQL 2005, OCP
December 27, 2007 at 7:16 am
Well said, Damon. Not are they only "Ambassadors", but "I always keep in the back of my mind that a DBA is the" first scape-goat when something goes wrong. I'll bust a hump to help a DBA if (s)he needs it.
--Jeff Moden
Change is inevitable... Change for the better is not.
December 27, 2007 at 7:24 am
Amen Brother Moden!
Sacrificial-Lamb also comes to mind.
To quote my brother: "I knew there would be a goat!"
"Key"
MCITP: DBA, MCSE, MCTS: SQL 2005, OCP
Viewing 15 posts - 1 through 15 (of 24 total)
You must be logged in to reply to this topic. Login to reply