Hello everyone,
My question is similar to an existing one, Minimum set of database role memberships for FIM Sync Service and FIM Service accounts, but considering that question got zero answers, I'll be more specific with mine.
Does anyone have experience lowering the FIM Sync service account database permission role from db_owner to ddl_admin (for the FIMSynchronizationService database, of course)?
Reason I ask is that I'm in an environment where the policy generally prohibits this type of configuration. In the DBA's own words:
"DBO is inherently risky as it allows operations such as dropping/deleting the DB, also backing the DB up, potentially to somewhere other than the DB server."
Thanks!