On Thu, Jul 17, 2008 at 7:22 PM, <vhamberg@xxxxxxxxxxx> wrote:
I think we are talking in different realms here.
Yes. For full administrative privileges on an i, two accounts are
needed. On Windows, you can delegate full administrative privileges to
a single account, if you want to.
Again: There is absolutely no need to delegate someone holding full
privileges on a SQL Server Database to be delegated permissions that
allow him to access the rest of the server (which includes the
database files used by SQL Server).
They are distinct, different concepts, with different advantages and
disadvantages. They were designed in different eras with different
requirements. (That was my point in my previous post). In this case,
neither of them has a security advantage or disadvantage.
I don't see how this has any security impact - usability, perhaps. Security? No.
And to put another spin on it - someone with full access to the OS,
but without DST access can still apply LIC PTFs. Enabling him to do
whatever he wants. Just the same as a SQL Server User that has
privileges to the program folders where SQL Server is run from - he
could replace the SQL Server binary with a version that circumvents
access control.
Both ways are entirely theoretically possible, but the knowledge
needed to make either of these work is immense.
midrange.com
