"Tom I" <ti******@isd.net> wrote in message news:<10*************@corp.supernews.com>...
I am interested if anyone can point me to "best practices" regarding the
level of administrative authority a SQL Server database administrator should
have. Alternatively, I'd be interested hearing what level of authority on
the server you/your SQL Admin has. I have been told that in order to do
their job, a database admin needs full admin authority on the operating
system in a Microsoft environment, but I find that hard to believe.
Thanks.
The SQL2000 security best practices guide has some information on
this, but unfortunately not much:
http://www.microsoft.com/sql/techinf...ty/default.asp
DBAs need many of the rights that the OS administrators require -
stop/start services, use Perfmon, possibly make registry
modifications, manage shares (for replication and data transfer),
manage server (and maybe AD/domain) groups and accounts, view security
logs, reboot the server if all else fails etc. I guess it would be
possible to go through the OS rights ones by one, and grant only the
ones required to the DBA group, but I suspect that in practice, most
sites simply make DBAs members of the each database server's local
Administrators group.
However, the opposite is not necessarily true - Windows administrators
do not usually need to be in the MSSQL sysadmin role (although they
are by default). The sysadmin role can do anything in MSSQL, including
view and modify any data in any database. Of course, Windows
administrators could be added to other MSSQL server roles if
appropriate (securityadmin, processadmin etc.).
Simon