  1. #1
    Join Date
    Apr 2004
    Posts
    79

    Unanswered: sa and sso role separation

    Hi all

    Do we have a provision for separating the sa and sso roles in SQL Server as we have in Sybase? (In such a case, sa shouldn't have any control over creating/modifying users/logins.)



    Thx

    Wilson

  2. #2
    Join Date
    Feb 2004
    Location
    In front of the computer
    Posts
    15,579
    Provided Answers: 54
    Yes, you can separate them, but no, you can't "neuter" sa in MS-SQL.

    The MS-SQL security model is more complex and a lot "richer" than the Sybase model. It sounds to me like you'd like one serveradmin and a separate securityadmin, which would get pretty close to what you've described.

    -PatP

  3. #3
    Join Date
    Apr 2004
    Posts
    79
    No, I would like to have one login which can do all admin stuff like sysadmin, except for creation/updates to the logins/roles etc., and one login with which one can do sso stuff like creating logins/modifying logins, granting user-defined roles, changing passwords etc.

  4. #4
    Join Date
    Feb 2004
    Location
    In front of the computer
    Posts
    15,579
    Provided Answers: 54
    Isn't that what I said? It's certainly what I meant.

    -PatP

  5. #5
    Join Date
    Apr 2004
    Posts
    79
    OK, thx for the confirmation.

  6. #6
    Join Date
    Apr 2004
    Posts
    79
    But a login with only the serveradmin role can't do things like creating a database etc. So to my understanding, I have to give all server roles (except for sysadmin) to one login to do all DBA-related things and then give the security administrator role to one login who should act as SSO independently.

    Correct me if I am wrong.

  7. #7
    Join Date
    Feb 2004
    Location
    In front of the computer
    Posts
    15,579
    Provided Answers: 54
    As a general rule of thumb, I'm allergic to the idea of having only one person with any given responsibility. I tend to deal with more disaster-related issues than the average admin, so I tend to think more about how to recover from disasters... Having only one person able to perform a given operation is (from at least my point of view) a recipe for a disaster, just biding its time to happen!

    The beauty of Microsoft's more granular security is the ability to take a "buffet" approach, serving up what you need, to who needs it, as you need to. Sybase's approach is simpler, but that means that you need to tailor your operations to its security model instead of tailoring its security model to meet your needs!

    -PatP

  8. #8
    Join Date
    Apr 2004
    Posts
    79
    I really appreciate your comments, but how they use their resources varies from company to company. Giving admin access to one group makes it easy to control the actions of admin group members.
    Since I have been working in Sybase all the time, I am more happy with the Sybase approach, but I definitely agree that SQL Server provides more granular security settings.
