Monday, January 14, 2013

Should a DBA have SA rights all the time?

I was having a look around and I have not seen many questions or Answers on this topic.
I did come across a post from Ted Krueger and also Brian Kelley on Should DBAs have local admin rights, this question above is a little different but I guess should cover both Local Admin and SA rights to the SQL server.

I have worked as a SQL Server DBA for many years working for the UK government to Banking. In all these years I have seen so many changes to the DBA job, when I first started out I was a Network Engineer, DBA and SA Slowly this has changed to being a glorified F5 pusher.

Should a DBA have SA rights all the time?
DBAs would almost defiantly argue yes as it makes their jobs easier. It defiantly does, no the other hand users, security risk and other admins may argue that it will make there jobs harder to monitor this.

As a DBA I am now in the thought on how we can manage risk and I think there is no right or wrong answer to the above question but now I am leaning towards the Risk and Security aspects of a DBA and the systems they could be in charge of, If you work in banking should you have full control of a database which may hold thousands of user account numbers and balances. You may also argue that the finance crisis of late was never caused by a DBA stealing the money it was the traders. but yet again would you want the blame, I once did a migration as a DBA in a large intuition that involved 100 billion pounds being shipped to Hong Kong from London, the money went missing from he database and ended up in another bank who was the first person they came to me. Not the person who sent the money to the wrong location they asked do you have a large amount in your bank account, I said now but do you really think I would be here if I did sarcastily as they never even knew the money was not in there account for 3 days. I did manage to track down where the money had gone through the database and they found the right person.

Need less to say taking away a DBAs rights and then asking them to elevate on a task will never stop the above scenario happening. But it can be controlled, through an elevation procedure and audit scripts that audit what everyone does.
This would only really work in a Medium to Large company you could never impose such large restrictions on a small company usually were the DBA is the SA and so on.

How can we monitor what users are doing?
Audit scripts, DML, DDL audits
Check out the post here for table audit scripts, I will post one for database audit and changes a little later.

I will work on a script for elevating a user to SA this way you only need to rights to do your day to day jobs, IE backup check jobs failed, run sp_who2 active and so on enough to diag performance issues and so on without seeing customer data.

on to local admin rights I also do not think a DBA should have these, if a drive feels up then the windows admin should ask the user or DBA which files to delete, I think logging on to a server could be a bad thing, I once knew a DBA who logged into a server and restarted it and also deleted files that he should not have done as they were on the same drive as the MDF, and the database was full. This is better for the apps team to do or the windows admin.

However, again one may argue that this makes the DBAs job easier and that the DBA should be trained, however, I go for the segregation of duty aspects and let others do a job they are meant to do and leave us to do our job.

To conclude on what I am saying here, is that we should not lock everyone down; it should just depend on your organization. It should depend on the data in question. It should depend on the controls you have in place. I will also try to add some above that you may like to implement, IE audit and elevation.
Even if you’re a small company it is good to add audits I once worked in a small company where someone run out of space and did not know that the master, msdb and so on were for starting MSSQL and deleted them. Needless to say the server was down a while having an audit would have shown who did this obviously the person who did it deninded it and it was hard to prove.
You should always look at every situation in these cases too and choose the best practices you should also look at what type of DBA you have dev or prod, dev DBAs may not be able to access prod servers you may need some sort of application support that works with a DBA on this you may not its up to the ORG HR and so on.
You may have HR Data and intellectual property that you don’t want people to see and it makes sense to lock these down to the DBA. Nevertheless you may come to the conclusion that the DBA needs these rights anyway, that would be fine if its what your org needs and there should be nothing wrong I would just suggest to look at the question and consider it. 

Thanks for your time please check back in a few days for audit scripts.