1. Computing

Discuss in my forum

In a recent forum posting, BATMAN2282 wrote:

"An outside vendor has developed a web based software application that my company is looking at using. They are telling us that they require SA access to SQL Server in order to install the software and perform updates. We have taken the position that SA access to SQL Server is something we cannot grant. I have recommended based on my Oracle knowledge and experience that we create the necessary database and then give them SA access to just that database, while creating a user that has the grant and create user privileges that they can use to do any required maintenance. They have come back and told us that they must have SA access to SQL Server. Can anyone here tell me what application based tasks would possibly require this level of access. Also, is it customary in the SQL Server world to grant this level of access to a vendor outside of you organization (I know in the Oracle world this is strictly not allowed for obvious security reasons, but I do not know if the SQL Server world is different). Any information you could provide would be greatly appreciated."

Do you have any comments? Visit our forum today!
Comments
May 23, 2006 at 2:14 am
(1) Saloman says:

There may be a scenario where the application developed by the vendore requires to use extended stored procedures of SQL Server like: XP_SENDMAIL (Used for mail Notification). As these extended procedures will only be executed with SA login this might be the case where the vendrore requires SA login.

May 30, 2006 at 4:32 pm
(2) Craig says:

Generally speaking, giving anyone sa access that is not a company employed dba is a bad idea, sorry but it’s even bad for most developers to have it. I’ve supported many vendors and 20 – 30 percent ask for sa access. Out of those I’ve only found 3 who actually needed the sa access. Most times they are too lazy to define exacly what they need. Sql server security is very flexible. of course, make sure the application is not running under an sa access account.

July 14, 2008 at 2:49 pm
(3) VO says:

Most vendors require SA accesss because they are too lazy to assign the correct rights. Usually they just want it for the install, to create databases and security ids, but afterwards it can be dropped to dbo with an issue.

Leave a Comment

Line and paragraph breaks are automatic. Some HTML allowed: <a href="" title="">, <b>, <i>, <strike>
  1. About.com
  2. Computing
  3. Databases

©2014 About.com. All rights reserved.