Looking for help due to SOX - Removal of local admin from DBAs

  • Thanks to SOX regulations there is a movement to remove the DBAs from the local administrators group on all the servers.  Is there a paper or anything to get me started that lists out what permissions a DBA would need, such as registry keys, file access and anything else in general?

  • This just seems like a bad idea and the thing about SOX -- it's very open to interpretation. I've been through a SOX audit and did not lose my local admin permissions. The auditors did try to get us to implement data changes and select audit on all data (of course they are a reseller of such software), but we were able to show this request was not necessary. I would argue against it and try to get your senior management to back you on it. The service account basically requires local admin access (there are several KB articles that document this, especially in a cluster). Also there is a big difference in running SQL on a Windows server and running Oracle or Informix on a UNIX server. My team supports both and guess what -- we don't need root access on UNIX. The DBMS is somewhat OS agnostic and one of our UNIX servers reached an uptime of 360 days. As for SQL it is very tied to Windows and guess what -- sometimes you need to reboot or recycle the services and this requires admin access.

  • Thanks for the reply.  We are trying to fight it, and our plan is to come up with such an absurd list of permissions needed (registry keys, folders, etc.) that it would be crazy to take local admin away and try to manage those permissions for every DBA.

  • DBAs don't need local administrative access to the servers if the responsibilities for said DBAs are solely within SQL Server. Notice I said solely, as in nothing outside of SQL Server. And that's a key point: what are the expected responsibilities? In my organization there are a lot of things outside of SQL Server our DBAs are responsible for, meaning the removal of such rights would render our DBAs incapable of doing the job they've been assigned to do.

    If you give us an idea of what all your DBAs are expected to do, we can probably give you a better idea of what rights are needed.

    K. Brian Kelley
    @kbriankelley

  • I recently worked as a DBA under an (extremely painful) SOX environment.  Not only did I not have admin rights to the box, but I was also not SA on the SQL Server.  I was doled out rights by the Network Admins so I had DBO for each individual db and could gain access for things like backups.

    The most painful part was that you had to use Remote Desktop to connect to a "bastion host" from which you could PC Anywhere to the SQL Servers (moving backups from prod to refresh dev took an afternoon per DB), but that's neither here nor there.

    The theory behind this was that the DBA role should be separate from the Network Admin role entirely.  Therefore the DBA could not affect security audits on the boxes and the Network Admins couldn't fudge data.  I could never figure out how this Consultant-Approved system kept the Network Admins out of my financial data, but it certainly kept me from being able to hide my tracks from having logged in...  The main issue is who has the responsibility for maintaining the SQL Server application itself?  In this environment it was the Net Admins.

    My takeaway from this experience, however, was that it is possible to do many DBA functions without access to the box, let alone admin access.  The rest of the functions, however, took a committee to accomplish.
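As an added check, not code from any poster in this thread: a T-SQL script that inventories who holds sysadmin at the server level versus db_owner in each database, which is the "DBO for each individual db rather than SA" arrangement the post above describes. It assumes a SQL Server 2005 or later catalog and permission to connect to every online user database; run it before and after a rights review to confirm the separation actually holds.

```sql
-- Added example (not from the thread): compare server-level sysadmin
-- membership with per-database db_owner membership, so the "DBO per
-- database instead of sa" model can be verified rather than assumed.
-- Assumes SQL Server 2005+ catalog views and CONNECT on each database.
SET NOCOUNT ON;

-- 1. Server level: every principal that is a member of sysadmin.
SELECT  'sysadmin'     AS scope,
        sp.name        AS principal_name,
        sp.type_desc   AS principal_type,
        sp.is_disabled
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r  ON r.principal_id  = rm.role_principal_id
JOIN    sys.server_principals   AS sp ON sp.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY sp.name;

-- 2. Database level: members of db_owner in every online user database.
IF OBJECT_ID('tempdb..#dbo_members') IS NOT NULL DROP TABLE #dbo_members;
CREATE TABLE #dbo_members
    (database_name sysname, principal_name sysname, principal_type nvarchar(60));

DECLARE @db sysname, @sql nvarchar(max);
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = N'ONLINE' AND database_id > 4;   -- skip system databases
OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside the dynamic batch scopes the catalog views to that database.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #dbo_members (database_name, principal_name, principal_type)
        SELECT DB_NAME(), m.name, m.type_desc
        FROM sys.database_role_members AS rm
        JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
        JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
        WHERE r.name = N''db_owner'';';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM db_cur INTO @db;
END
CLOSE db_cur; DEALLOCATE db_cur;

SELECT 'db_owner' AS scope, database_name, principal_name, principal_type
FROM   #dbo_members
ORDER BY database_name, principal_name;
```

Any login that appears in the first result set but is supposed to be limited to db_owner in specific databases is the gap to raise with whoever grants the rights.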

  • I just realized there is another thread in this group where this is discussed in more detail.

  • What was that thread? We're being asked right now the same thing. So if someone else has already gone through this I'd appreciate the knowledge share.

    Thanks
