patternsqlMinor
Split Brain Administrators
Viewed 0 times
brainsplitadministrators
Problem
I have been appointed the DBA for our organization. I have been asked by senior officials to allow the two divisions of IT to have full control of their databases. They have asked for the following layout:
These
That does not include server-level things like killing a session, building a logon trigger, changing Resource Governor settings, etc, but they should be able to create databases.
I have created a server role for the SubAdmin group which grants
Would it be easier just to write some powershell script that changes the db owner to
I use the
The databases are all on the same server and same instance.
Admins
SubAdmin SubAdminThese
SubAdmins should be capable of performing all the functions possible on their own database, but should not be able to perform any functions on any other database.That does not include server-level things like killing a session, building a logon trigger, changing Resource Governor settings, etc, but they should be able to create databases.
I have created a server role for the SubAdmin group which grants
CREATE ANY DATABASE. This works well, except that when the SubAdmin attempts to change the owner of the newly created database to sa. They cannot because they cannot impersonate the sa account.Would it be easier just to write some powershell script that changes the db owner to
sa each night?I use the
sa account in this example just as a demonstration. We want the database owner to be a generic, low-privilege account. Therefore when the SubAdmin creates a database they:- Create the db
- Grant their admin group db_owner rights
- then should perform
ALTER AUTHENTICATIONto change the database owner to the generic, low-privilege account
The databases are all on the same server and same instance.
Solution
I would use a server level trigger on
Something like this:
This will fire off a trigger to automatically change the owner whenever the
You could grant the
CREATE DATABASE.Something like this:
CREATE TRIGGER [CreateDatabase_OwnerMapper]
ON ALL SERVER
WITH EXECUTE AS 'sa'
FOR CREATE_DATABASE
AS
BEGIN
SET NOCOUNT ON;
DECLARE @DatabaseName NVARCHAR(128) =
(SELECT CAST(eventdata().query('/EVENT_INSTANCE/DatabaseName[1]/text()') as NVARCHAR(128)));
DECLARE @SQL NVARCHAR(MAX) = '';
SET @SQL = 'ALTER AUTHORIZATION ON DATABASE::' + @DatabaseName + ' TO sa';
EXEC @SQL;
ENDThis will fire off a trigger to automatically change the owner whenever the
CREATE DATABASE command is issued.You could grant the
db_owner yourself with the trigger potentially. I do this on our debt environments.Code Snippets
CREATE TRIGGER [CreateDatabase_OwnerMapper]
ON ALL SERVER
WITH EXECUTE AS 'sa'
FOR CREATE_DATABASE
AS
BEGIN
SET NOCOUNT ON;
DECLARE @DatabaseName NVARCHAR(128) =
(SELECT CAST(eventdata().query('/EVENT_INSTANCE/DatabaseName[1]/text()') as NVARCHAR(128)));
DECLARE @SQL NVARCHAR(MAX) = '';
SET @SQL = 'ALTER AUTHORIZATION ON DATABASE::' + @DatabaseName + ' TO sa';
EXEC @SQL;
ENDContext
StackExchange Database Administrators Q#208464, answer score: 5
Revisions (0)
No revisions yet.