January 18, 2008 at 8:24 am
I have a quick question regarding vendor access. I have a vendor that states they need sysadmin access (SQL 2005 database) to set up a database. The issue is that in the future there will be other databases on this same instance that I don't want this vendor to see. Is it a reasonable expectation of the vendor to get this access? Is it possible or likely that they are overstating the access requirement? Can I accomplish this goal another way? Any thoughts or comments would be greatly appreciated.
Thanks!
January 18, 2008 at 9:03 am
In my experience many of these apps need sa to set up their application db, etc. Then the app should create its own normal securables for its daily operation. If the app is required to run under the sa context, that would be a clear no-no. You need to fight this one with fire and sword if this is the case.
January 18, 2008 at 9:04 am
Some vendors do need administrative access.
You can deal with it by doing the following:
1. Clear vendor's access with your direct manager and your company network security team.
2. The vendor should sign a Non-Disclosure Agreement.
3. If the vendor would like, you may create a database for them and give them DBO rights only to the database.
4. If #3 does not work, suggest that you stay next to the vendor during the installations and log in yourself as an admin. I have a couple of servers that I support this way: a sysadmin logs in and I do what I need to do.
5. If #3 and #4 are not the options, then report to your manager that the vendor needs a small dedicated server for their app.
Regards, Yelena Varsha
January 18, 2008 at 9:18 am
Is this installation access?
I've had Dynamics say this and we got around it by creating the database first and manually creating the logins. Once they were there, surprise, Dynamics saw them and didn't need "sa" access.
If possible, I'd give them Windows access. Create an account, expire it tomorrow, give it sysadmin access and use that. If they want "sa", meaning SQL Auth, create a new login, give it sysadmin, stand next to them, and then set an Outlook reminder to disable the account later today.
January 18, 2008 at 9:29 am
Thanks for the posts! The admin access is for installation only. My plan right now is to grant the access and let them do the install while I watch. My instinct is that a lot of vendors just ask for this level of access because it makes their life easier - they don't need to get into the specifics of what they actually require. Moving forward I will not grant this access without some serious consideration but for now there really isn't much on the box.
Thanks!
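The approaches suggested in the replies above (a pre-created database with DBO rights only, or a short-lived sysadmin login used under supervision and then disabled), sketched in T-SQL as an added example that is not part of the original thread. It uses SQL Server 2005-era syntax; the database name `VendorAppDb`, the login `VendorInstall` and the password placeholder are hypothetical.

```sql
-- Added example; all object names below are hypothetical.

-- Option A: create the database and login yourself, then scope the vendor
-- to that one database as db_owner. No server-level role is granted.
CREATE DATABASE VendorAppDb;
GO
CREATE LOGIN VendorInstall
    WITH PASSWORD = '<REPLACE-with-a-strong-password>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = VendorAppDb;
GO
USE VendorAppDb;
GO
CREATE USER VendorInstall FOR LOGIN VendorInstall;
EXEC sp_addrolemember @rolename = N'db_owner', @membername = N'VendorInstall';
GO

-- Option B: only if the installer fails without it, add sysadmin for the
-- duration of the supervised install. While this is in effect the login
-- can read and change every database on the instance.
USE master;
GO
EXEC sp_addsrvrolemember @loginame = N'VendorInstall', @rolename = N'sysadmin';
GO

-- ... supervised installation runs here ...

-- Immediately afterwards: drop the server role and disable the login,
-- rather than relying on a reminder alone.
EXEC sp_dropsrvrolemember @loginame = N'VendorInstall', @rolename = N'sysadmin';
ALTER LOGIN VendorInstall DISABLE;
GO

-- Check: list every current member of sysadmin. The vendor login should
-- no longer appear in this result.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
```

If the application later needs its own runtime login, create it separately with only the database-level permissions it uses, and leave `VendorInstall` disabled.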