I was reviewing a manual the other day prior to an upcoming installation. I have leafed through enough of these manuals in my career to spot the good from the bad, and while this particular one still awaits classification, I thought I might rant a bit about some of the crazy things I have seen in the past and I am certain many of you have seen as well.
One of my favorites has to be the manuals that “require” an account be made a member of the sysadmin fixed server role. Naturally I need to ask why exactly the system needs such permissions. The answers I often get back range from “I don’t know” to “because” to “why does it matter?”
“Our system needs the ability to create new…(fill in the blank)…, therefore, sysadmin is required”. Well, no, not exactly. There are many ways to give you the rights necessary to create (fill in the blank), and sysadmin is not something you need, just something you use because you do not know of a better way.
Who exactly is building these apps? And do their shops employ any DBAs? Or is the manual written by someone with not even a rudimentary understanding of database security? Case in point, how about the manuals where they need something in addition to sysadmin, say serveradmin. “We need sysadmin to create (fill in the blank) and serveradmin in order for the (whatever) to connect to the database”. Really? So you need one account in both fixed server roles, otherwise your app will not work? Gee, here I thought that sysadmin gave you all of those rights, but if YOU say you need serveradmin, then I guess YOU would know what is best for your application.
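As an added example (not from any vendor manual, and not part of the original post), here is what the "better way" can look like in T-SQL: audit who already sits in the two fixed server roles, then grant a narrow server-level permission instead of role membership. The login name `vendor_app`, the password placeholder, and the assumption that the thing the app needs to create is a database are all hypothetical.

```sql
-- Added example. [vendor_app] and the assumed requirement ("the app creates
-- databases") are hypothetical; substitute whatever the vendor actually needs.
USE master;
GO

-- 1. Audit: which principals currently hold sysadmin or serveradmin?
SELECT r.name       AS server_role,
       m.name       AS member,
       m.type_desc  AS member_type,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'serveradmin')
ORDER BY r.name, m.name;
GO

-- 2. What the manual asks for, kept commented out for contrast:
-- ALTER SERVER ROLE sysadmin    ADD MEMBER [vendor_app];
-- ALTER SERVER ROLE serveradmin ADD MEMBER [vendor_app];

-- 3. Least-privilege alternative. A new login already receives CONNECT SQL,
--    so no server role is needed just to connect.
CREATE LOGIN [vendor_app]
    WITH PASSWORD = N'<placeholder: set a strong password>',
         CHECK_POLICY = ON;
GRANT CREATE ANY DATABASE TO [vendor_app];
GO

-- 4. Verify what the login can really do at server scope.
EXECUTE AS LOGIN = N'vendor_app';
SELECT permission_name
FROM sys.fn_my_permissions(NULL, 'SERVER')
ORDER BY permission_name;
SELECT IS_SRVROLEMEMBER(N'sysadmin')    AS is_sysadmin,     -- expect 0
       IS_SRVROLEMEMBER(N'serveradmin') AS is_serveradmin;  -- expect 0
REVERT;
GO
```

If the installer still fails with these grants, the permission named in the error message is the next thing to ask the vendor about.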
Have no fear, if the issue of security is a problem, then you can always take the vendor’s other typical recommendation: use a dedicated instance or server. “If security is an issue for a shared box, then simply install a second instance.” Oh, is it really that simple? Sure, I guess running a second instance is a fine option. Unless, of course, you start to consider the hardware that might be involved. If you start to think about such things you might find that perhaps a second instance is not the best of ideas. Maybe you need a new server altogether, and all for your 10 Mb size database with at most two connections. Yep, that should be worth roughly $30k in new equipment, no question.
I am starting to think that HP or Dell are secretly employing these technical writers, paying them under the table and having them write up these silly manuals in the hopes of increasing sales.