DBA Role Accounts

To comply with best practice for security, each member of the DBA team should have two accounts. One account should have sysadmin rights, while the other account should not have sysadmin rights. Neither of these accounts should have Windows local Administrator authority except when supporting legacy versions of SQL Server.

If a DBA is supporting legacy SQL Server 2000 or older versions, it is normally necessary for the DBA to have local Administrator authority in order to use the management tools for these versions.

Most day-to-day activity should be performed using the non-sysadmin account. The account with sysadmin authority should only be used when sysadmin authority is explicitly required. This configuration will help the DBA team to comply with any local standards that restrict the availability of administration accounts.

The FineBuild security model assumes that DBA accounts will be placed into Windows groups, to comply with Windows best practice. FineBuild will assign rights to the groups and not to individual user accounts. The groups used by FineBuild are described below:

DBA sysadmin group

This group name is supplied from the configuration file or by using the /GroupDBA: parameter at run time. If no /GroupDBA: parameter is given, it will default to the Windows local Administrator group.

If you do not already have a Windows group to hold the DBA sysadmin accounts, then contact your Support Centre to get a suitable group created.

The accounts that DBA team members use when needing sysadmin access should be placed in this group.

DBA non-sysadmin group

This group name is supplied from the configuration file or by using the /GroupDBANonSA: parameter at run time. If you do not want to use a DBA non-sysadmin group for your installation, then do not supply a /GroupDBANonSA: parameter.

If you do not already have a Windows group to hold the DBA non-sysadmin accounts, then contact your Support Centre to get the group created.

The accounts that DBA team members use for day-to-day work that does not need sysadmin access should be placed in this group. FineBuild will assign rights to this group so that perhaps 80% of all DBA tasks can be performed without needing sysadmin rights.

The rights assigned to these groups mean that Windows local Administrator authority is not required for any DBA activity. The only time local Administrator authority is required is when SQL Server is installed or when patches (Service Packs, Cumulative Updates, etc) are applied. In this situation, the best practice is to use a separate Software Install Account that has Administrator rights.
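
One way to check that an instance actually follows the two-group model described above. This T-SQL audit is an added example, not part of FineBuild; the two group names are constructed placeholders for the values passed to /GroupDBA: and /GroupDBANonSA:, and the `DECLARE ... =` syntax assumes SQL Server 2008 or later.

```sql
-- Added example: audit one instance against the two-group DBA model.
-- Both group names are constructed placeholders; substitute your own.
DECLARE @GroupDBA      sysname = N'EXAMPLE\SQL-DBA-SA';
DECLARE @GroupDBANonSA sysname = N'EXAMPLE\SQL-DBA-NonSA';

-- 1. Every principal that holds sysadmin directly, with an assessment.
SELECT p.name, p.type_desc, p.is_disabled,
       CASE
           WHEN p.name = @GroupDBA      THEN 'expected: DBA sysadmin group'
           WHEN p.name = @GroupDBANonSA THEN 'FINDING: non-sysadmin group holds sysadmin'
           WHEN p.name = N'BUILTIN\Administrators'
                                        THEN 'review: local Administrators hold sysadmin'
           ELSE 'review: confirm this principal needs sysadmin'
       END AS assessment
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY assessment, p.name;

-- 2. Both groups should exist as Windows group logins (type 'G').
SELECT g.group_name,
       CASE WHEN p.principal_id IS NULL THEN 'FINDING: no login for this group'
            WHEN p.type <> 'G'          THEN 'FINDING: login is not a Windows group'
            ELSE 'ok' END AS status
FROM (VALUES (@GroupDBA), (@GroupDBANonSA)) AS g(group_name)
LEFT JOIN sys.server_principals AS p ON p.name = g.group_name;

-- 3. An account that is a direct member of both groups defeats the split.
--    xp_logininfo lists direct members only; nested groups are not expanded.
CREATE TABLE #members (grp sysname NULL, account_name sysname NULL,
                       type char(8) NULL, privilege char(9) NULL,
                       mapped_login sysname NULL, permission_path sysname NULL);
INSERT #members (account_name, type, privilege, mapped_login, permission_path)
    EXEC xp_logininfo @acctname = @GroupDBA, @option = 'members';
UPDATE #members SET grp = @GroupDBA WHERE grp IS NULL;
INSERT #members (account_name, type, privilege, mapped_login, permission_path)
    EXEC xp_logininfo @acctname = @GroupDBANonSA, @option = 'members';
UPDATE #members SET grp = @GroupDBANonSA WHERE grp IS NULL;

SELECT account_name AS account_in_both_groups
FROM #members
GROUP BY account_name
HAVING COUNT(DISTINCT grp) = 2;

DROP TABLE #members;
```

Service accounts and the `sa` login will normally appear in the first result set as well; the point of the review rows is that each one has a recorded reason to hold sysadmin.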

Copyright © 2013 Edward Vassie. License and Acknowledgements

Last edited Jun 18, 2013 at 10:45 PM by EdVassie, version 2