Monday, March 12, 2012

Good reasons for 'sa' and service accounts passwords to be control

By other than the DBA. We have a security group with our org that wants to
control sa and system accounts for SQL Servers. We're desperately trying to
hold on to our control of these, but need to justify with the business unit.
Anyone got a really great reason not to let a non-DBA control these?

"David T." <DavidT@.discussions.microsoft.com> wrote in message
news:2A6FC7A8-EE65-4DBA-86A2-78C1DD836333@.microsoft.com...
> By other than the DBA. We have a security group with our org that wants to
> control sa and system accounts for SQL Servers. We're desperately trying to
> hold on to our control of these, but need to justify with the business unit.
> Anyone got a really great reason not to let a non-DBA control these?

No, I mostly agree. Accounts and passwords which are shared among groups of
people are inherently insecure. SA should be disabled, and the passwords
for fixed service accounts should be centrally and closely controlled. In
the normal course of things, people should connect with Windows integrated
authentication and service accounts should be managed centrally.

But, and this is a _big_ but, a DBA should be a local administrator of any
database server and have the sysadmin fixed server role. This will give a DBA
the ability, in a pinch, to reset passwords, change service accounts and do
whatever is necessary to react in a "data emergency".

David
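
The state the reply recommends (sa disabled, Windows integrated authentication, sysadmin held by named DBAs) can be checked on an instance with a query like the one below. This is an added example, not part of the original thread; it uses the standard catalog views `sys.server_principals`, `sys.server_role_members` and `sys.sql_logins`, and assumes the caller is allowed to view server-level metadata.

```sql
-- 1. Is the instance restricted to Windows integrated authentication?
SELECT CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
         WHEN 1 THEN 'Windows authentication only'
         ELSE 'Mixed mode (SQL logins such as sa can connect)'
       END AS auth_mode;

-- 2. State of the built-in sa login.
--    Matched on SID 0x01 rather than on name, because sa can be renamed.
SELECT p.name,
       p.is_disabled,
       l.is_policy_checked,
       l.is_expiration_checked,
       LOGINPROPERTY(p.name, 'PasswordLastSetTime') AS password_last_set
FROM sys.server_principals AS p
JOIN sys.sql_logins AS l
  ON l.principal_id = p.principal_id
WHERE p.sid = 0x01;

-- 3. Every login or group that holds the sysadmin fixed server role.
--    Windows groups (type_desc = 'WINDOWS_GROUP') grant sysadmin to all of
--    their members, so group membership must be reviewed outside SQL Server.
SELECT m.name      AS member_name,
       m.type_desc AS member_type,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r
  ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m
  ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.type_desc, m.name;
```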
