SAP requires SQL sysadmin to work

  • We have a policy of not allowing sysadmin access for SQL Server systems to anyone outside of the DBA group. A supplier is telling us that SAP only operates if it is allowed to have sysadmin privileges. I have trouble believing that a mature application from a large supplier works in this way. Does anyone run an SAP installation without sysadmin?

  • Anyone?

  • I have worked with a few applications in the past that all required elevated privilege. This is a typical candidate for ring fencing to a separate instance.

    If the application is dynamically adding users to SQL Server and mapping them into databases there needs to be a level of elevated privilege; whether it needs to be sysadmin or not is another question.

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • Unfortunately, I've come across many applications which require "sa" access. Sometimes, alternative scripts are provided, which need to be run as a sysadmin, avoiding the requirement for the installer to run as sysadmin; and afterwards the application can run with a normal user. But these are rare cases.

    In my view, and most probably your view too, this is terribly lazy, indicates poor design and provides weak security. Often the larger application providers are the worst offenders! Perhaps because fewer DBAs can complain (SAP = mature application = must be correct).

    I'm not sure which SAP product you are referring to, but if it is a full-blown system (R/3, or even Business One) then a standalone instance of MSSQL is probably required; perhaps it is reasonable, if SAP will manage backups, scheduled jobs, reporting, users, cubes, etc, etc, that it has sysadmin access.

    Andy

  • I too have had to work with vendor apps that required SA privileges for them to function. Some need SA level of access only during initial setup to create vendor databases and some forever.

    As a best practice, it's better to work with the vendor and avoid granting SA access. Vendors usually ask for the highest level of access so that their apps work without any issues. But it should not be granted. Control the permissions with as much granularity as possible.

    Only when they say that it's by the architecture itself, then you may grant SA access. But you should document that and enable auditing on the application account to capture any security changes.

    --

    SQLBuddy
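
One way to set up the auditing suggested in the post above, as an added T-SQL example that is not part of the original thread. The login name `sap_app_login`, the audit names and the `D:\SQLAudit\` path are assumed placeholders; the server audit filters on that login and records security changes it makes.

```sql
-- Added example. Assumed placeholders: login [sap_app_login], path D:\SQLAudit\.
USE master;
GO

-- Document what the application login currently holds at server level.
SELECT r.name AS server_role, m.name AS member_login
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'sap_app_login';
GO

-- File audit that keeps only events raised by the application login.
CREATE SERVER AUDIT Audit_VendorApp_Security
TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE)
WHERE server_principal_name = N'sap_app_login';
GO

ALTER SERVER AUDIT Audit_VendorApp_Security WITH (STATE = ON);
GO

-- Capture changes to logins, users, role membership and permissions,
-- plus any change to the audit configuration itself.
CREATE SERVER AUDIT SPECIFICATION AuditSpec_VendorApp_Security
FOR SERVER AUDIT Audit_VendorApp_Security
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_OBJECT_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
WITH (STATE = ON);
GO

-- Review what was captured, newest first.
SELECT event_time, action_id, succeeded, server_principal_name,
       target_server_principal_name, database_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

A login that is a member of sysadmin can alter or stop this audit, so the audit files should be shipped or reviewed somewhere that login cannot reach; `AUDIT_CHANGE_GROUP` at least records the attempt.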

  • Same here... some apps need that elevated privilege to run... you simply have to have it documented that the app requires it. Nothing really you can do about it.

  • Microsoft, even with all their documentation not to build systems that need SA, still build SharePoint server with the requirement of securityadmin and dbcreator, which gives the services account 99% of the SA permissions.

  • At least SharePoint doesn't simply demand sysadmin access. It indicates the developers thought about the problem. But as you say, securityadmin is almost the same as sysadmin. So I guess the developers didn't think that hard about the problem!

    Andy
