March 31, 2009 at 9:13 am
In my current job, we have quite a few databases that were created by the DBAs/Users, and therefore the Database Owner is that user.
In my past, I've always switched the database owner over to the 'sa' account. Is this common practice elsewhere? Is there a best practices for the owner of a database?
I've always prefered 'sa' because it's what it is, and you don't run into issues on the database if the user's account is discontinued, or permissions are changed.
Any suggestions or ideas would be great. We're looking at creating a standards document, and want to have the best dba practices out there.
Thanks for any feedback.
March 31, 2009 at 9:20 am
I am with you - I generally change the owner to sa for all databases. I did run into a recent exception though. We installed some third-party software that required a specific login to be the owner (granting db_owner rights was not sufficient). In general though, I always change my database owners to sa.
Kim
March 31, 2009 at 9:36 am
In general, 'sa' here as well (to prevent user being discontinued in future and causing issues)
except the ones that get created by the application logins, then I leave them as is
March 31, 2009 at 9:59 am
We always have 'sa' for actual db owner.
With application service accounts that created databases and dbobjects..
-On SQL2000 the attitude is like Jerry Hung stated.
-On SQL2005 those db are also altered to sa for dbowner.
The application service account will be added to the db-owner db group and it's default schema will be altered to dbo (or the actual schema needed).
Johan
Learn to play, play to learn !
Dont drive faster than your guardian angel can fly ...
but keeping both feet on the ground wont get you anywhere :w00t:
- How to post Performance Problems
- How to post data/code to get the best help[/url]
- How to prevent a sore throat after hours of presenting ppt
press F1 for solution, press shift+F1 for urgent solution 😀
Need a bit of Powershell? How about this
Who am I ? Sometimes this is me but most of the time this is me
March 31, 2009 at 10:06 am
Well, part of the discussion going on is do we want sa, as it is a well known account on SQL? Obviously creating a very strong, ever changing password can help limit the risk.
What we are thinking is creating a local group on each server that consists of every DBA on the team, and granting Server Admin rights to this group, and having it be the dbo of all databases created.
March 31, 2009 at 10:08 am
we go for 'sa' here as well unless an application requires something else, but, see this thread....
http://www.sqlservercentral.com/Forums/Topic455325-146-1.aspx
---------------------------------------------------------------------
March 31, 2009 at 10:23 am
nroberson (3/31/2009)
Well, part of the discussion going on is do we want sa, as it is a well known account on SQL? Obviously creating a very strong, ever changing password can help limit the risk.What we are thinking is creating a local group on each server that consists of every DBA on the team, and granting Server Admin rights to this group, and having it be the dbo of all databases created.
A group can't own a database. Each new database would end up being owned by the group member who created it.
Greg
March 31, 2009 at 10:47 am
Great catch there, I completely forgot about that.
March 31, 2009 at 11:47 am
What you need to watch out for here are DB settings like TRUSTWORTHY and CROSS-CHAINING. These will allow (to some extenet) the database principals (users & schemas) to assume the rights of their corresponding server principals (Logins mostly). This means that any active object (procedure, view, etc.) that executes as dbo (and most objects in most DB's do) may be able to also execute as 'sa' outside of the database, if 'sa' is the database owner. I am sure that you can guess the problems with that ... :w00t:
[font="Times New Roman"]-- RBarryYoung[/font], [font="Times New Roman"] (302)375-0451[/font] blog: MovingSQL.com, Twitter: @RBarryYoung[font="Arial Black"]
Proactive Performance Solutions, Inc. [/font][font="Verdana"] "Performance is our middle name."[/font]
Viewing 9 posts - 1 through 8 (of 8 total)
You must be logged in to reply to this topic. Login to reply