This is a command that many developers may need to use on their development instances, and it does not require sysadmin privileges. This particular article examines the permissions needed for the DROP DATABASE command. In an attempt to reverse this trend, I am providing a series of articles on SQL Server permissions that help sysadmins create and use roles that contain granular levels of permissions for certain jobs. Likewise, db_datareader and db_datawriter are often granted to every user to avoid setting more granular permissions and following the PoLP. Ineed, often the "sa" account (or other sysadmin privileged login) is often used in applications because this avoids any permission errors. This leads towards the common "grant nothing" or "grant everything" approaches. The second problem is that the permission sets and necessary permissions for various actions are often poorly understood by most people. First, the practice of setting a variety of permissions is cumbersome and the tendency to take the easiest (or laziest) path is common. ![]() In practice I find that many sysadmins rarely follow this pracfice, often because of two reasons. ![]() This helps to ensure that only those authorized users are able to perform certain actions, which is important for the security and integrity of our data. When granting access to logins or users to access a SQL Server instance or database, it is important that the principle of least privilege (PoLP) is followed.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |