FIM Sync service account and db_owner database role


  • Hello everyone,

    My question is similar to an existing one, Minimum set of database role memberships for FIM Sync Service and FIM Service accounts, but considering that question got zero answers, I'll be more specific with mine.

    Does anyone have experience lowering the FIM Sync service account database permission role from db_owner to ddl_admin (for the FIMSynchronizationService database, of course)?

    The reason I ask is that I'm in an environment where the policy generally prohibits this type of configuration. In the DBA's own words:

    "DBO is inherently risky as it allows operations such as dropping/deleting the DB, also backing the DB up, potentially to somewhere other than the DB server."


    Wednesday, September 2, 2015 3:03 PM
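    An added T-SQL example, not from the original post, that first audits which database roles the Sync service account holds in FIMSynchronizationService and then shows what the swap from db_owner to db_ddladmin (the role the post calls "ddl_admin") looks like. The login name CONTOSO\svc-fimsync is a placeholder; the role set after the swap is an assumption to be verified against FIM in a test instance, not a statement of what FIM Sync requires.

    ```sql
    USE FIMSynchronizationService;
    GO

    -- Placeholder login name; substitute the real Sync service account.
    DECLARE @login sysname = N'CONTOSO\svc-fimsync';

    -- 1. Audit: which fixed database roles does the service account hold here?
    --    db_owner is what the DBA objects to: its members can DROP DATABASE
    --    and BACKUP DATABASE (to any path the SQL Server service can write).
    SELECT sp.name AS server_login,
           dp.name AS database_user,
           r.name  AS database_role
    FROM sys.server_principals AS sp
    JOIN sys.database_principals AS dp
        ON dp.sid = sp.sid
    LEFT JOIN sys.database_role_members AS rm
        ON rm.member_principal_id = dp.principal_id
    LEFT JOIN sys.database_principals AS r
        ON r.principal_id = rm.role_principal_id
    WHERE sp.name = @login
    ORDER BY r.name;

    -- 2. The change the post asks about (SQL Server 2012+ ALTER ROLE syntax;
    --    older versions use sp_addrolemember / sp_droprolemember).
    --    db_ddladmin covers DDL only: it grants no SELECT/INSERT/UPDATE/DELETE,
    --    so the reader/writer roles are added alongside it. None of these roles
    --    grants EXECUTE on stored procedures, so the Sync service must be
    --    exercised in a test environment before this is applied in production.
    ALTER ROLE db_ddladmin   ADD MEMBER [CONTOSO\svc-fimsync];
    ALTER ROLE db_datareader ADD MEMBER [CONTOSO\svc-fimsync];
    ALTER ROLE db_datawriter ADD MEMBER [CONTOSO\svc-fimsync];
    ALTER ROLE db_owner      DROP MEMBER [CONTOSO\svc-fimsync];
    GO
    ```

    Re-run the audit query after the swap to confirm db_owner no longer appears for the account.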

All replies

  • 1. Every DBA has the same issues, and it is just a matter of control.

    2. The DBO role is given by the installation during install, so I don't think it is a good idea to change it.

    3. A service account cannot do anything unless a person logs in as that account. DBAs can be the only ones to have the password, so there is nothing to worry about there from a security point of view.

    Nosh Mernacaj, Identity Management Specialist

    Wednesday, September 2, 2015 3:16 PM