Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
bat_man2282
Starting Member
1 Post |
 Posted - 2006-04-11 : 14:05:13
|
| Hi all,An outside vendor has developed a web based software application that my company is looking at using. They are telling us that they require SA access to SQL Server in order to install the software and perform updates. We have taken the position that SA access to SQL Server is something we cannot grant. I have recommended based on my Oracle knowledge and experience that we create the necessary database and then give them SA access to just that database, while creating a user that has the grant and create user privileges that they can use to do any required maintenance. They have come back and told us that they must have SA access to SQL Server. Can anyone here tell me what application based tasks would possibly require this level of access. Also, is it customary in the SQL Server world to grant this level of access to a vendor outside of you organization (I know in the Oracle world this is strictly not allowed for obvious security reasons, but I do not know if the SQL Server world is different). Any information you could provide would be greatly appreciated.Cheers! |
|
|
tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2006-04-11 : 14:33:16
|
| No it is not customary. There are lots and lots of things that require sa, so have the third party vendor tell you which things they need that only sa has permissions to. You should be able to grant all of the permissions to them without granting sa.Tara Kizeraka tduggan |
 |
|
|
Michael Valentine Jones
Yak DBA Kernel (pronounced Colonel)
7020 Posts |
Posted - 2006-04-11 : 14:50:13
|
| This is not an inherent problem with SQL Server.More than likely, they will not be able to explain why they need SA access, because they do not understand SQL Server security themselves.Unfortunately, this is not uncommon with second-rate software vendors. It is usually a good indication that the vendor you are dealing with is not very good, and their developers have very little understanding of database security in MS SQL Server.To be fair, they may be used to dealing with customers that do not have a good understanding of SQL Server security.CODO ERGO SUM |
|
|
|
mcrowley
Aged Yak Warrior
771 Posts |
Posted - 2006-04-11 : 15:38:01
|
| I would give them owner rights in their database, and just not tell them they don't have sa. They probably will not know the difference for the reasons that MVJ has outlined. I can understand installing software as an administrator, but running it as an administrator is a very different proposition. |
|
|
|
jen
Master Smack Fu Yak Hacker
4110 Posts |
Posted - 2006-04-11 : 20:55:54
|
we often have vendors telling us they require SA, if I were involved in the project, I make sure that this is not the casethey can modify their procedure to follow your policy, if not, it means they're just distributors and have no technical capability of the promised support system when the software starts making problems for youin short, no SA privilege, just create the database(s) for them, provide them dbo rights on those database only for the duration of the installation, make sure they are supervised as they would probably harm themselves in the process  oh, and if it's a script that's plain text, have them explain what's needed to be done why they need SA, but you'll still say no, just to gauge how competent they are in handling the installationHTH--------------------keeping it simple... |
|
|
|
|
|
|
|
|
SA access to SQL Server required?