DB_Owner Requirement for Farm Admin, Service Accounts, Stsadm use

  • Question

  • Hi,

    I know that the docs say that db_owner privileges are required in many places, but I am bumping up against a DBA group that is adamantly opposed to allowing any account except the actual DBAs to have this role. Is it possible to grant these accounts all of the other database roles (e.g. db_accessadmin, db_datareader, db_datawriter, etc.) in lieu of db_owner? Will this work? Is this supported?

    Thanks,

    Erik


    Erik RHS
    Tuesday, April 5, 2011 12:26 AM

Answers

  • Hi Erik,

    Here is a reference that lists all service accounts and the requirements, detailing the specific permissions for each account.
    The server farm account must be a member of db_owner.
    There are also different service accounts in the SSP; some of them need to be a member of db_owner, like the SSP application pool account, but some of them do not, like the Office SharePoint Server Search Service account.
    If you run stsadm commands that affect a database, this account must be a member of db_owner for the database too.

    Here is a table that lists the mapping of the database roles to permissions. You can refer to this table and give your account the appropriate permissions for the database.
    http://msdn.microsoft.com/en-us/library/ms189612(v=sql.90).aspx

    If you have any problems with the database roles, please start a new thread in the SQL Server forum, thanks.

    Best regards,
    Emir

    • Marked as answer by David HM Wednesday, April 13, 2011 2:52 AM
    Thursday, April 7, 2011 3:33 AM

All replies

  • Hi Erik,

    I understand your problem, as I also faced this with the DBA people at the beginning of my SharePoint job. But my first question: have you already installed SharePoint or not? If not, always use a service account for installation. The number of service accounts needed depends on WSS or MOSS, but you can also use a single service account for both installations. Before installation you should have DB Creator and Security Admin on the SQL Server login. Once you have installed it, you can remove the Security Admin and DB Creator access. Instead of that, you can give DB owner access to only the SharePoint databases, not to the whole SQL Server. Ask your DBA to give db owner access for the particular service account on only the SharePoint databases, I mean the config DB, AdminContent DB, Search DB and Content DB, as it is required for them. If they don't listen, show them the MSDN articles which suggest having DB_Owner access to the database.

    If they still don't listen, call Microsoft support and put your DBA on the conference. But don't install without the proper permissions; it will work in the beginning, but later you will face many problems.

    Let us know if you need any additional information.


    SPsRocks
    • Edited by Mike Walsh FIN Tuesday, April 5, 2011 6:46 AM Let US know - these aren't private conversations
    Tuesday, April 5, 2011 3:26 AM
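
An audit query for the arrangement described in the post above, added here as an example and not posted by any participant in the thread: it lists the server roles a service login holds (dbcreator and securityadmin should be gone once installation is finished) and its database roles in every database, so db_owner can be confirmed on the SharePoint databases only. The login name is a placeholder, and membership inherited through a Windows group is not resolved.

```sql
-- Added example (T-SQL). Placeholder login; replace with the service account to audit.
DECLARE @login sysname;
SET @login = N'CONTOSO\svc_spfarm';

-- 1. Server-level roles held directly by the login.
--    After installation this should no longer return dbcreator or securityadmin.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @login;

-- 2. Database roles held by the login's user in each accessible, online database.
CREATE TABLE #roles (database_name sysname, role_name sysname);

DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = N'ONLINE' AND HAS_DBACCESS(name) = 1;
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Match database user to server login by SID, not by name.
    SET @sql = N'INSERT INTO #roles (database_name, role_name)
        SELECT @db, r.name
        FROM ' + QUOTENAME(@db) + N'.sys.database_role_members AS m
        JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS r
             ON r.principal_id = m.role_principal_id
        JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS u
             ON u.principal_id = m.member_principal_id
        JOIN sys.server_principals AS l ON l.sid = u.sid
        WHERE l.name = @login;';
    EXEC sp_executesql @sql, N'@db sysname, @login sysname',
         @db = @db, @login = @login;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

-- db_owner rows should appear only for the SharePoint databases.
SELECT database_name, role_name
FROM #roles
ORDER BY database_name, role_name;

DROP TABLE #roles;
```
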
  • Thanks for the reply, it confirms what I understood. We have installed "demo" and "dev" environments, and had no problems. The DBA rules I am hitting are restricted to their production environment.

    Cheers,

    Erik


    Erik RHS
    Tuesday, April 5, 2011 5:53 AM
  • Thanks... I appreciate your help. I have reviewed all of the docs and my original post was a bit of a grasp to see if there was any way around the db_owner requirement. I believe that there is only a minimal difference between having the db_owner role and having all of the other roles (excluding the "deny" roles) combined. I think the diffs are that you can drop the db and assign someone else db_owner. I assume that it is simpler and safer for the SharePoint app to check for db_owner than trying to determine the specific permissions of an account. The bottom line is that I need to stay supportable, so I just have to bite the bullet and fight the battle with the DBAs.

    Cheers,

    Erik


    Erik RHS
    Wednesday, April 6, 2011 12:44 AM
  • Thanks Emir, I appreciate the info.

    Cheers,

    Erik


    Erik RHS
    Thursday, April 7, 2011 4:51 AM