October 6, 2017 at 11:43 am
Greetings! We are a small but growing business. We started off with 2 people in IT, and a contractor doing the SQL Server work. We have now expanded to 6 people in IT and a separate in-house Business Intelligence Department that is handling DBA responsibilities as well as performing development work. The IT department has recently implemented split accounts for their department where they log into their personal computers with a regular user credential with only domain user rights. When they need to perform an activity that requires admin rights, such as performing an install or remoting into a server, they use a credential with domain admin rights. Now the IT department has implemented a similar scheme for the BI Department. The BI Department must log into their computers with a credential that has domain user rights, and no rights to the SQL Server. When using SSMS, they must do a "run as" to run the program with a separate ID that has local admin rights to the SQL Server. This same separate ID is then used if they have to log in remotely to the SQL Server itself to perform DBA tasks. In addition, if local admin rights are required for any development activity they are performing on their local computers, they must ask the IS department to accomplish the task for them as they have no local admin rights for their personal computers with either account. Also, they are expected to do any development work by using "run as" their SQL Server rights ID to run whatever tool (such as IIS or Visual Studio) they want that tries to access SQL Server.
My question is directed at those of you in small business: How is security handled? Do you use two different domain user accounts for DBAs and/or Developers? Do you grant local admin permissions to developers' local computers?
Thank you for your feedback!
October 9, 2017 at 1:20 am
Generally, the small businesses that I have worked in have followed the same principle as above. The only difference is that the developers' "domain user" account is granted the same permissions as a normal user in the business, which means they can read, write and execute on the databases. That way, when they are developing, they can see if the application runs as a normal user with no errors; then they debug using their higher-rights accounts.
October 10, 2017 at 11:15 am
Thank you for your reply!
October 11, 2017 at 9:11 am
Moderators: I don't want to create duplicate posts in forums, so I was wondering if it would be possible to move this question to the Dev forum to see if any developers can chime in? Thanks for your consideration!