February 20, 2018 at 1:53 pm
I would like to know if we can create a separate group or what permissions on the server should be granted for the DBA to make sure he/she can perform the duties such as the ones listed below in case if we lock down local admin rights on the box due to management and security reasons.
- SQL database attach/detach
- SQL installation, service pack updates etc.
- Monitoring performance metrics
- restarting and stopping sql server
February 21, 2018 at 6:55 am
ffarouqi - Tuesday, February 20, 2018 1:53 PMI would like to know if we can create a separate group or what permissions on the server should be granted for the DBA to make sure he/she can perform the duties such as the ones listed below in case if we lock down local admin rights on the box due to management and security reasons.- SQL database attach/detach
- SQL installation, service pack updates etc.
- Monitoring performance metrics
- restarting and stopping sql server
Just attaching/detaching a database requires either sysadmin privs or DBO privs, which I'm thinking is beyond the level of privs that you want such folks to have because it will allow them do either do anything to the server or anything to the database they're assigned.
--Jeff Moden
Change is inevitable... Change for the better is not.
February 22, 2018 at 9:51 am
For Perf counters, there are ways to let non-admins get them: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771692(v=ws.10)
For attach/detach, just SQL permissions are needed, though the admin might need access to the folders to move files in/out.
For install, I think you'd need admin permissions. At least temporarily. You have to set permissions and create service accounts. This won't be something you can easily do by proxy. Of course, you could move to Chef/Puppet/DevOps style installs, which might alleviate some issues.
Stop/start services, you can use sc (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742037(v=ws.10)), and assign some rights, but this wouldn't be as easy as using SSMS.
February 22, 2018 at 10:59 am
Steve Jones - SSC Editor - Thursday, February 22, 2018 9:51 AMFor Perf counters, there are ways to let non-admins get them: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771692(v=ws.10)
For attach/detach, just SQL permissions are needed, though the admin might need access to the folders to move files in/out.For install, I think you'd need admin permissions. At least temporarily. You have to set permissions and create service accounts. This won't be something you can easily do by proxy. Of course, you could move to Chef/Puppet/DevOps style installs, which might alleviate some issues.
Stop/start services, you can use sc (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742037(v=ws.10)), and assign some rights, but this wouldn't be as easy as using SSMS.
Thanks! Steve. In short we do need admin privileges for some task if not all the task...right?
February 22, 2018 at 11:25 am
ffarouqi - Thursday, February 22, 2018 10:59 AMSteve Jones - SSC Editor - Thursday, February 22, 2018 9:51 AMFor Perf counters, there are ways to let non-admins get them: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771692(v=ws.10)
For attach/detach, just SQL permissions are needed, though the admin might need access to the folders to move files in/out.For install, I think you'd need admin permissions. At least temporarily. You have to set permissions and create service accounts. This won't be something you can easily do by proxy. Of course, you could move to Chef/Puppet/DevOps style installs, which might alleviate some issues.
Stop/start services, you can use sc (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742037(v=ws.10)), and assign some rights, but this wouldn't be as easy as using SSMS.
Thanks! Steve. In short we do need admin privileges for some task if not all the task...right?
No... only if you want the DBA to be able to do their jobs. 😉
--Jeff Moden
Change is inevitable... Change for the better is not.
February 22, 2018 at 11:45 am
Yes, despite Jeff's joke. For some things you do need this if the DBA directly does work. If you automate some things, perhaps you can reduce the number dramatically, or eliminate it, but it's work to do so.
February 28, 2018 at 7:58 am
Jeff Moden - Wednesday, February 21, 2018 6:55 AMffarouqi - Tuesday, February 20, 2018 1:53 PMI would like to know if we can create a separate group or what permissions on the server should be granted for the DBA to make sure he/she can perform the duties such as the ones listed below in case if we lock down local admin rights on the box due to management and security reasons.- SQL database attach/detach
- SQL installation, service pack updates etc.
- Monitoring performance metrics
- restarting and stopping sql serverJust attaching/detaching a database requires either sysadmin privs or DBO privs, which I'm thinking is beyond the level of privs that you want such folks to have because it will allow them do either do anything to the server or anything to the database they're assigned.
Neither require sysadmin, create database permission required at server level to create and attach a db
Alter any database at server level required to detach a database, members of dbo database role can also detach the db
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
February 28, 2018 at 8:01 am
ffarouqi - Tuesday, February 20, 2018 1:53 PMI would like to know if we can create a separate group or what permissions on the server should be granted for the DBA to make sure he/she can perform the duties such as the ones listed below in case if we lock down local admin rights on the box due to management and security reasons.- SQL database attach/detach
- SQL installation, service pack updates etc.
- Monitoring performance metrics
- restarting and stopping sql server
some of these have elevated permissions, no way round that.
are you really unable to trust the admins that much?
Which users are to remain in control of the instance in the event you lock down?
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
February 28, 2018 at 2:36 pm
Perry Whittle - Wednesday, February 28, 2018 7:58 AMJeff Moden - Wednesday, February 21, 2018 6:55 AMffarouqi - Tuesday, February 20, 2018 1:53 PMI would like to know if we can create a separate group or what permissions on the server should be granted for the DBA to make sure he/she can perform the duties such as the ones listed below in case if we lock down local admin rights on the box due to management and security reasons.- SQL database attach/detach
- SQL installation, service pack updates etc.
- Monitoring performance metrics
- restarting and stopping sql serverJust attaching/detaching a database requires either sysadmin privs or DBO privs, which I'm thinking is beyond the level of privs that you want such folks to have because it will allow them do either do anything to the server or anything to the database they're assigned.
Neither require sysadmin, create database permission required at server level to create and attach a db
Alter any database at server level required to detach a database, members of dbo database role can also detach the db
Thanks, Perry. I based my comment on needing either sysadmin or dbo privs based on the "Permissions" or "Security" sections of the following.
https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-detach-db-transact-sql
https://docs.microsoft.com/en-us/sql/relational-databases/databases/detach-a-database
With the idea of "teach a man to fish" and that my Google-fu apparently is lacking for this particular search, how do you find out where someone can alter a database to detach it without having sysadmin or dbo privs on the given database? For example, how do you find where it is documented that ALTER ANY DATABASE will allow you to detach a database?
--Jeff Moden
Change is inevitable... Change for the better is not.
March 1, 2018 at 2:43 am
Hmmm, OK. I tried this:
CREATE LOGIN JoeDBA with password = 'xxx'
GO
GRANT ALTER ANY DATABASE TO JoeDBA
I then opened a new window, logging in as JoeDBA and ran:EXEC sys.sp_detach_db @dbname = 'Bob'
Got this:
Msg 916, Level 14, State 1, Line 1
The server principal "JoeDBA" is not able to access the database "Bob" under the current security context.
Then tried this in my sysadmin connection:USE bob
GO
CREATE USER JoeDBA FOR LOGIN JoeDBA
GO
ALTER ROLE db_owner ADD MEMBER JoeDBA
Returned to my JoeDBA connection and was able to detach the database.
ALTER ANY DATABASE is not sufficient, but db_owner for a db is. This means you'd need to ensure each login had that permission in each database to detach.
I also tried dbcreator and serveradmin (separately) for the login. neither allows me to detach a database. I suspect sysadmin OR db_owner in a specific database allow detaching. Of course, if you add the user to model and include db_owner, that would solve that permission set.
March 1, 2018 at 7:33 am
Steve Jones - SSC Editor - Thursday, March 1, 2018 2:43 AMHmmm, OK. I tried this:
CREATE LOGIN JoeDBA with password = 'xxx'
GO
GRANT ALTER ANY DATABASE TO JoeDBA
I then opened a new window, logging in as JoeDBA and ran:EXEC sys.sp_detach_db @dbname = 'Bob'Got this:
Msg 916, Level 14, State 1, Line 1
The server principal "JoeDBA" is not able to access the database "Bob" under the current security context.Then tried this in my sysadmin connection:
USE bob
GO
CREATE USER JoeDBA FOR LOGIN JoeDBA
GO
ALTER ROLE db_owner ADD MEMBER JoeDBAReturned to my JoeDBA connection and was able to detach the database.
ALTER ANY DATABASE is not sufficient, but db_owner for a db is. This means you'd need to ensure each login had that permission in each database to detach.
I also tried dbcreator and serveradmin (separately) for the login. neither allows me to detach a database. I suspect sysadmin OR db_owner in a specific database allow detaching. Of course, if you add the user to model and include db_owner, that would solve that permission set.
Those were my experiences, as well. I couldn't find anything in BOL either locally or online that said that ALTER ANY DATABASE would allow someone to attach or detach databases and the documentation does seem to clearly state that either sysadmin or DBO privs are necessary to do attach or detach. That, not withstanding, Perry is a pretty smart cookie on this type of stuff and wondered what trick he might have up his sleeve for ALTER ANY DATABASE.
--Jeff Moden
Change is inevitable... Change for the better is not.
Viewing 11 posts - 1 through 10 (of 10 total)
You must be logged in to reply to this topic. Login to reply