Question

Apologies for asking an opinion type question, but I'd like to know what is best practice.

I have a bunch of sql servers and every job as well as every connection manager for every SSRS report & SSIS project all use one login, sysadmin of course. I see it as a problem for two reasons:

  • I would like every SSRS, SSIS etc to use their own logins with only the required permissions.
  • I also would like to know immediately what's causing blocking etc., rather than seeing one sysadmin login every time and then checking to see what's running the offending query.

My fellow DBA believes this is madness due to the number of logins required (hundreds per server), suggesting one login per database with the db_datareader role would be more appropriate. Can anyone share links to articles or offer advice?

Thanks


Solution

I have a bunch of sql servers and every job as well as every connection manager for every SSRS report & SSIS project all use one login, sysadmin of course.

Since you asked for best practices, by using sysadmin like that you are breaking The Principle of Least Privilege which states that:

[...] Administrative tasks are broken out using fixed server roles, and the use of the sysadmin fixed server role is severely restricted.


  • I would like every SSRS, SSIS etc to use their own logins with only the required permissions.

I'd say creating and managing one login for each user, app, job or service would be going to the opposite extreme, and that's a problem too: as your fellow DBA said, it would make it a really difficult job to manage so many logins. But you can achieve a middle ground by using roles and Windows groups for that matter. Check the Principals doc.


  • I also would like to know immediately what's causing blocking etc., rather than seeing one sysadmin login every time and then checking to see what's running the offending query.

Quoting @Dan Guzman's comment: For the purpose of identification, you can specify the application name in the connection string instead of separate logins.

Once you have configured the connection strings and application name, you can retrieve it from sys.sysprocesses by using sp_who2, sp_whoisactive or the sys.dm_exec_sessions DMV.
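The middle ground described in the answer above, written out as an added T-SQL example that is not part of the original question or answer: one Windows-group login with permissions granted through a database role, plus a blocking query that reports the blocker's application name. The domain group, server, database, schema, role and application names are all assumptions chosen for illustration.

```sql
-- Assumed names (not from the original post):
--   Windows group  CONTOSO\SSRS-Sales-Reports
--   database       SalesDB, schema Reporting, role rpt_sales_reader

-- 1. One login per Windows group, not one per report or package.
USE master;
CREATE LOGIN [CONTOSO\SSRS-Sales-Reports] FROM WINDOWS;

-- 2. Map the group into the database and grant only what the
--    workload needs, through a role rather than to the user directly.
USE SalesDB;
CREATE USER [CONTOSO\SSRS-Sales-Reports]
    FOR LOGIN [CONTOSO\SSRS-Sales-Reports];
CREATE ROLE rpt_sales_reader;
GRANT SELECT ON SCHEMA::Reporting TO rpt_sales_reader;
ALTER ROLE rpt_sales_reader ADD MEMBER [CONTOSO\SSRS-Sales-Reports];

-- 3. Each report or package identifies itself in its connection
--    string (constructed sample value):
--    Data Source=SQL01;Initial Catalog=SalesDB;
--    Integrated Security=SSPI;Application Name=SSRS-DailySales

-- 4. When blocking occurs, show who is blocked, and which login,
--    application and host hold the blocking session. The join goes
--    to sys.dm_exec_sessions because the blocker may be idle and
--    therefore have no row in sys.dm_exec_requests.
SELECT
    r.session_id          AS blocked_session,
    r.blocking_session_id AS blocking_session,
    bs.login_name         AS blocking_login,
    bs.program_name       AS blocking_application,
    bs.host_name          AS blocking_host,
    r.wait_type,
    r.wait_time           AS wait_ms,
    t.text                AS blocked_statement
FROM sys.dm_exec_requests AS r
JOIN sys.dm_exec_sessions AS bs
    ON bs.session_id = r.blocking_session_id
CROSS APPLY sys.dm_exec_sql_text(r.sql_handle) AS t
WHERE r.blocking_session_id <> 0
ORDER BY r.wait_time DESC;
```

The application name is supplied by the client and is not authenticated, so it is suitable for troubleshooting but not as a basis for access decisions.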

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange