FIM Sync service account and db_owner database role

Hello everyone,

My question is similar to an existing one, Minimum set of database role memberships for FIM Sync Service and FIM Service accounts, but considering that question got zero answers, I'll be more specific with mine.

Does anyone have experience lowering the FIM Sync service account database permission role from db_owner to ddl_admin (for the FIMSynchronizationService database, of course)?

Reason I ask is that I'm in an environment where the policy generally prohibits this type of configuration. In the DBA's own words:

"DBO is inherently risky as it allows operations such as dropping/deleting the DB, also backing the DB up, potentially to somewhere other than the DB server."

Thanks!

September 2nd, 2015 11:04am
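As an added example (not part of the original question or any FIM documentation), the T-SQL below is what a DBA would run to see exactly what the service account currently holds in the FIMSynchronizationService database before deciding whether to move it from db_owner to db_ddladmin (the built-in role's actual name in SQL Server). The login name `CONTOSO\svc-fimsync` is a placeholder; replace it with the real Sync service account.

```sql
-- Added example, not from the thread: audit a service account's database
-- rights before changing them. Login name below is a placeholder.
USE FIMSynchronizationService;
GO

DECLARE @login sysname = N'CONTOSO\svc-fimsync';  -- placeholder, replace

-- 1. Fixed database roles held by the database user mapped to this login.
--    db_owner here is what the DBA objects to; db_ddladmin would appear
--    here instead after the change.
SELECT dp.name AS db_user, r.name AS role_name
FROM sys.database_principals AS dp
JOIN sys.database_role_members AS rm
    ON rm.member_principal_id = dp.principal_id
JOIN sys.database_principals AS r
    ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS sp
    ON sp.sid = dp.sid
WHERE sp.name = @login;

-- 2. Check whether the login is the database owner itself (the dbo user).
--    If it is, removing it from db_owner changes nothing: the owner keeps
--    full control regardless of role membership, so ownership would have
--    to move (ALTER AUTHORIZATION) as well.
SELECT d.name AS database_name, sp.name AS owner_login
FROM sys.databases AS d
JOIN sys.server_principals AS sp
    ON sp.sid = d.owner_sid
WHERE d.name = DB_NAME();

-- 3. Effective permissions the login has right now, for comparison after
--    the change (run while impersonating the login; requires IMPERSONATE).
EXECUTE AS LOGIN = @login;
SELECT permission_name
FROM fn_my_permissions(NULL, 'DATABASE')
ORDER BY permission_name;
REVERT;

-- 4. The change itself, shown commented out. [svc-fimsync-user] is the
--    database user name returned by query 1. On SQL Server 2008 use
--    sp_addrolemember / sp_droprolemember instead of ALTER ROLE.
-- ALTER ROLE db_ddladmin ADD MEMBER [svc-fimsync-user];
-- ALTER ROLE db_owner    DROP MEMBER [svc-fimsync-user];
```

Query 3 is the useful before/after comparison: db_owner returns BACKUP DATABASE and CONTROL, which is the DBA's concern, while db_ddladmin returns only schema-level rights. Note that db_ddladmin grants no INSERT/UPDATE/DELETE on tables and no EXECUTE on stored procedures, so an account moved to that role alone would also need db_datareader, db_datawriter and EXECUTE grants to do any data work at all; whether the Sync service then still functions is exactly the open question in this thread.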

1. Every DBA has the same issues and it is just a matter of control.

2. The Role DBO is given by the installation during install, so I don't think it is a good idea to change it.

3. Service account cannot do anything unless a person logs in as that account. DBAs can be the only ones to have the password, so there is nothing to worry about there from a security point of view.

September 2nd, 2015 11:17am
