Skip to main content

Uptight Database Security

If you need a practical approach to managing database administrator access without always granting the sysadmin role to your database administrators then I encourage you to vote for my GroupBy session for the December lineup. 


As the SQL Server security model has become more granular, it is now easier to do routine database administration without sysadmin access. Starting with SQL Server 2005, administering SQL Server without sysadmin access is now possible for many of the typical DBA tasks.

For example, a DBA only needs the ALTER SETTINGS permission to use the sp_configure command on a database instance. To run SELECT queries on Database Management Views requires either VIEW SERVER STATE or VIEW DATABASE STATE depending on the DMV being queried. To use Query Store requires only VIEW DATABASE STATE. CONTROL SERVER can be granted to DBAs that allows them to do almost all the tasks that sysadmin allows but unlike the sysadmin role, it can be DENYED access to data that the business considers sensitive.

This session will review a proven process for managing database administrators permissions without giving uncontrolled sysadmin access.

If you want more practical advice on how to manage database administrator access, vote for this session.

Thank you for your consideration.








 
Labels:

Comments

Post a Comment

Popular posts from this blog

Modifying Endpoint URLs on Availability Group Replicas

I recently had to modify the Endpoint URLs on our SQL Server Availability Group replicas.  The reason for this blog post is that I could not answer the following questions: Do I need to suspend data movement prior to making this change?  Would this change require a restart of the database instance? I spent enough time searching on my own to no avail that I tossed the question to the #sqlhelp hashtag on Twitter and Slack but didn't get an answer prior to executing the change request. After reading the relevant documentation, I think it's probably a good idea to suspend data movement for this change. The T-SQL is straightforward.  USE MASTER GO ALTER AVAILABILITY GROUP [AG1]  MODIFY REPLICA ON 'SQL2012-1' WITH (ENDPOINT_URL = 'TCP://10.10.10.1:5022'); ALTER AVAILABILITY GROUP [AG1]  MODIFY REPLICA ON 'SQL2012-2' WITH (ENDPOINT_URL = 'TCP://10.10.10.2:5022'); ALTER AVAILABILITY GROUP [AG2]  MODIFY REPLICA ON 'SQL2012-1...
Post a Comment
Read more

Set Azure App Service Platform Configuration to 64 bit.

If you need to update several Azure App Services' Configuration to change the Platform setting from 32 bit to 64 bit under Configuration | General settings, this script will save you about six clicks per service and you won't forget to press the SAVE button. Ask me I know. 🙄 Login-AzureRmAccount Set-AzureRmContext  -SubscriptionName  "Your Subscription" $ResourceGroupName  =  'RG1' ,  'RG2', 'RG3' foreach  ( $g   in   $ResourceGroupName ) {       # Set PROD slot to use 64 bit Platform Setting      Get-AzureRmWebApp  -ResourceGroupName  $g  | Select Name |  %  {  Set-AzureRmWebApp  -ResourceGroupName  $g  -Name  $_ .Name  -Use32BitWorkerProcess  $false  }       # Set staging slot to use 64 bit Platform setting ...
Post a Comment
Read more