SA Admin Access Required?

[batman2282]

Hi all,

An outside vendor has developed a web based software application that my company is looking at using. They are telling us that they require SA access to SQL Server in order to install the software and perform updates. We have taken the position that SA access to SQL Server is something we cannot grant. I have recommended based on my Oracle knowledge and experience that we create the necessary database and then give them SA access to just that database, while creating a user that has the grant and create user privileges that they can use to do any required maintenance. They have come back and told us that they must have SA access to SQL Server. Can anyone here tell me what application based tasks would possibly require this level of access. Also, is it customary in the SQL Server world to grant this level of access to a vendor outside of you organization (I know in the Oracle world this is strictly not allowed for obvious security reasons, but I do not know if the SQL Server world is different). Any information you could provide would be greatly appreciated.

Cheers!

 

[SQLBill]

We have a vendor who's application uses the SA account also. But their software creates their own database. Our solution was to create a separate SQL Server instance with a different SA account (different password from other instances) just for this application.

Bottom line, it comes down to 'Do you want our application or not?' 'If you do, give us the account and privileges we tell you we need, otherwise go somewhere else.'

-SQLBill

Posting advice: FAQ481-4875

 

[SQLSister]

Frankly I would be leery of using any software that uses the sa account as the connection to the database. This is a security issue a mile wide. Especially a web app. They could be owners of the database not sa. Then they would have rights only in their own database and not in others on your server. Tell them if they want to sell you the software they have to accept that level of rights or show you exactly what they intend to run that would need more rights than that. Bill's solution sounds like the best bet if you can't get them to back off, but I'd look for another vendor before I went with it.



Questions about posting. See faq183-874
Click here to help with Hurricane Relief

 

[SQLBill]

I also should have mentioned that the application we use is NOT web-based. There is no external access to our database (or even to our server). Even the vendor cannot access it.


-SQLBill

Posting advice: FAQ481-4875

 

[Jasen]

Maybe you should be asking them what global changes they plan on making to your SQL server to require that kind of access level? Having an account with full permissions to the database(s) they need should be sufficient for 99% of the tasks they should be doing. Creating tables, stored procedures, UDT's, UDF's, etc can all be permitted on a per database level.

I hate seeing software packages hardcoded to use sa accounts.
It's like a unix app hardcoded to use "root".

 

[mrdenny]

We have a couple of vendor apps that requested SA access while doing the install.

The reason they needed sysadmin access what that there install scripts needed to setup Jobs and setup replication between two databases on the server.

They also said that as soon as the setup script was complete the sysadmin rights could be removed, and they only needed db_owner rights to there application databases.

While I wasn't happy about this the access was granted because the app was being installed on a seperate server from any other apps.

Typically if a vendor says they need sysadmin access to a SQL Server they are told to forget it. They can either send me the scripts, or have limited access to there databases.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)

http://www.mrdenny.com