DBA Role Accounts
To comply with best practice for security, each member of the DBA team should have two accounts. One account should have sysadmin rights, while the other account should not have sysadmin rights. Neither of these accounts should have Windows local Administrator authority except when supporting legacy versions of SQL Server.
If a DBA is supporting legacy SQL Server 2000 or older versions, it is normally necessary for the DBA to have local Administrator authority in order to use the management tools for these versions.
Most day-to-day activity should be performed using the non-sysadmin account. The account with sysadmin authority should only be used when the sysadmin authority is explicitly required. This configuration will help the DBA team to comply with any local standards that require the use of minimum privileges or restrict the availability of administration accounts.
The SQL FineBuild security model assumes that DBA accounts will be placed into Windows groups, to comply with Windows best practice. SQL FineBuild will assign rights to the groups and not to individual user accounts. The groups used by SQL FineBuild are described below:
The name of the DBA sysadmin group is supplied from the configuration file or by using the /GroupDBA: parameter at run time. If no /GroupDBA: parameter is given, it will default to the Windows local Administrator group.
If you do not already have a Windows group to hold the DBA sysadmin accounts, then contact your Support Centre to get a suitable group created.
The accounts that DBA team members use when needing sysadmin access should be placed in this group.
The name of the DBA non-sysadmin group is supplied from the configuration file or by using the /GroupDBANonSA: parameter at run time. If you do not want to use a DBA non-sysadmin group for your installation, then do not supply a /GroupDBANonSA: parameter.
If you do not already have a Windows group to hold the DBA non-sysadmin accounts, then contact your Support Centre to get the group created.
The accounts that DBA team members use for day to day work that does not need sysadmin access should be placed in this group. FineBuild will assign rights to this group so that perhaps 80% of all DBA tasks can be performed without needing sysadmin rights.
The rights assigned to these groups mean that Windows local Administrator authority is not required for any DBA activity. The only time local Administrator authority is required is when SQL Server is installed or when patches (Service Packs, Cumulative Updates, etc.) are applied. In this situation, the best practice is to use a separate Software Install Account that has Administrator rights.
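To check that an instance still matches the two-group model described above, the following audit query lists every member of the sysadmin server role and classifies it. It is an added example, not part of SQL FineBuild; the two group names are constructed placeholders for whatever was passed to /GroupDBA: and /GroupDBANonSA:, and it assumes SQL Server 2008 or later for the DECLARE initialisers.

```sql
-- Constructed placeholder names (assumption): replace with the groups
-- supplied to /GroupDBA: and /GroupDBANonSA: for this installation.
DECLARE @GroupDBA      sysname = N'EXAMPLE\SQL_DBA_SA';
DECLARE @GroupDBANonSA sysname = N'EXAMPLE\SQL_DBA_NonSA';

-- Part 1: classify every current member of the sysadmin server role.
SELECT  p.name      AS login_name,
        p.type_desc AS login_type,
        CASE
            WHEN p.name = @GroupDBANonSA
                THEN 'FAIL: DBA non-sysadmin group holds sysadmin'
            WHEN p.name = @GroupDBA
                THEN 'OK: DBA sysadmin group'
            WHEN p.name = N'BUILTIN\Administrators'
                THEN 'REVIEW: local Administrators holds sysadmin (the /GroupDBA: default)'
            WHEN p.name LIKE N'NT SERVICE\%'
                THEN 'INFO: service account, typically added by SQL Server setup'
            WHEN p.type = 'U'
                THEN 'REVIEW: individual Windows account holds sysadmin, not a group'
            ELSE 'REVIEW: confirm this membership is expected'
        END         AS finding
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'

UNION ALL

-- Part 2: report the DBA sysadmin group if it is missing from the role.
SELECT  @GroupDBA,
        'WINDOWS_GROUP',
        'FAIL: DBA sysadmin group is not a member of sysadmin'
WHERE   NOT EXISTS (
            SELECT 1
            FROM   sys.server_role_members AS rm
            JOIN   sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
            JOIN   sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
            WHERE  r.name = N'sysadmin'
              AND  p.name = @GroupDBA
        )
ORDER BY finding;
```

The query only inspects direct role membership inside SQL Server; who belongs to each Windows group still has to be reviewed in Active Directory or the local group store.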
Copyright FineBuild Team © 2013 - 2020. License and Acknowledgements
SQL FineBuild supports:
- All SQL Server versions from SQL 2019 through to SQL 2005
- Clustered, Non-Clustered and Core implementations of server operating systems
- Availability and Distributed Availability Groups
- 64-bit and (where relevant) 32-bit versions of Windows
The following Windows versions are supported:
- Windows 2022
- Windows 11
- Windows 2019
- Windows 2016
- Windows 10
- Windows 2012 R2
- Windows 8.1
- Windows 2012
- Windows 8
- Windows 2008 R2
- Windows 7
- Windows 2008
- Windows Vista
- Windows 2003
- Windows XP