SA account and SA role

SA account and SA role

Post by criatur » Fri, 22 Oct 1999 04:00:00



I've been a Sybase DBA for a while, but just got started in MS SQL.

In Sybase, we have the concept of roles, like the sa_role, sso_role, and the
oper_role.

If I assign the sa_role to a login, then that login can do anything that the
sa account can, enabling me to lock the sa account for security reasons.

We just acquired a small software company that has been using MS SQL 6.5,
but they use the sa account for EVERYTHING.  Since I inherited the DBA job
for this MS SQL Server, I wanted to assign myself sa_role and disable the sa
account, but I cannot find any information on how to do that in SQL 6.5.

Help.

They need to use integrated security, which I believe maps anyone in the NT
administrators group to automatically login as sa.  How can I go around
that?  I don't want anyone to login as sa.  Never!

Thanks in advance.

-criatura


 
 
 

SA account and SA role

Post by Hal Berenso » Mon, 25 Oct 1999 04:00:00


I'm not much of a 6.5 expert but...

In 7.0 the roles you mention are present, similar to Sybase.  In 6.5 they
don't exist and I think you really need the SA login.  As for the mapping of
NT administrators to sysadmin, I know in 7.0 this mapping can be removed
using sp_dropsrvrolemember.  I don't know if 6.5 has a way to drop the
mapping.

Hal
--
All opinions expressed here are mine and mine alone

-----------
Show support for SQL Server and support the American Red Cross, order your
books from barnesandnoble.com at
http://bn.bfast.com/bfast/click/mid1349732?siteid=6710312&bfpage=h


> I've been a Sybase DBA for a while, but just got started in MS SQL.

> In Sybase, we have the concept of roles, like the sa_role, sso_role, and
the
> oper_role.

> If I assign the sa_role to a login, then that login can do anything that
the
> sa account can, enabling me to lock the sa account for security reasons.

> We just acquired a small software company that has been using MS SQL 6.5,
> but they use the sa account for EVERYTHING.  Since I inherited the DBA job
> for this MS SQL Server, I wanted to assign myself sa_role and disable the
sa
> account, but I cannot find any information on how to do that in SQL 6.5.

> Help.

> They need to use integrated security, which I believe maps anyone in the
NT
> administrators group to automatically login as sa.  How can I go around
> that?  I don't want anyone to login as sa.  Never!

> Thanks in advance.

> -criatura




 
 
 

1. Seeking query to display all users with sa privilege or sa equivalence

This should be a simple task.   I have not located the system table or
combination of tables that I can select from or join to determine all users
with sa privilege.

I am seeking a Transact-SQL query to list all users with sa privilege or sa
equivalence.   Certainly this should be simple and it must be possible.
This particular business situation is against a 6.5 instance.

BTW, I've seen the SQL Security Manager GUI interface.  This GUI tool lets
you expand a listing of sa accounts.  This is terrific but not what we need.

We are not looking for "select * from syslogins"

Thank you.

2. Using expressions AS a select clause

3. sa without sa privileges???

4. Fast Java object database free for non-commercial

5. non sa owner viewing sa owned jobs

6. ISQL/Query Assistant

7. SA privilegia to non-sa user

8. named user license questions

9. Announce: granting SA-commands to non-SA users

10. Server Roles - Running sql profiler and not being sa

11. deny access from sa / sysadmin role members

12. Help - removing NT Admin Group from sa role

13. SQL 6.5 sa role