Blackhawk-17 asked

Limiting An App DBA's Ability to Create Files

We have been having issues where the Application DBAs are creating files to expand their databases and using up all the space.

The two-part question is: does the db_ddladmin role allow the user to alter a DB to add files? And what sort of lockdowns are best practice? DB Owner? Just DataReader/DataWriter?

Can we prevent them from adding files at all?

sql-server-2005 ddl roles

1 Answer

David 1 answered

The db_ddladmin role does not permit a user to add files to a database.

The db_owner role, dbcreator server role or sysadmin role do permit files to be added to a database.

What's best practice depends on what your Application DBAs actually need to do. It seems like you really have a management or training issue rather than a security requirement. Someone needs to be responsible for allocating storage. That person or those people need to understand what the correct procedure is. In many cases this will be the responsibility of a storage management group who have to allocate space on storage arrays before the DBA gets to use it.
