SEP 11.x to 12.1 migration problem
IHAC that has identified a problem in the migration process of moving from SEPM 11.x to 12.1 where we require system admin level credentials for SQL database access; Ingram Micro would like to see a lesser-privileged SQL user queried for security’s sake.
Regarding how the permission checks made by the installation wizard could look: we could check whether the SQL user supplied is a member of the db_owner role and then allow the installation to continue, instead of checking for sysadmin-level access for the user. This would be a simple edit to our KB (not so simple to change the code, I know.)
Sounds like a job for Common Error Dialogue. The process could look like this: the customer enters a non-sa account and, instead of throwing the error we currently do, we prompt with something like "If you are attempting to use a non-sa account to migrate, please add db_owner rights to the user account you are attempting to use for accessing the SEPM database" and then link them to a procedure for how to accomplish this.
Bottom line is, IHAC that sees the current requirement for an SA account to be unnecessary, and a large security risk.
To me it looks possible to re-work the migration process. I’d like to hear your input about what you feel is the best way to handle the issue.
Comments
If the installer would check db_owner
I voted yes. If the installer would at least check the DB_OWNER property before prompting, it would allow a variety of options -- such as requesting DB admins to upgrade the sem5 user before migration, having a KB article, or even a script to upgrade the sem5 user using any account that has the ability to change the sem5 user.
Furthermore, due to some issues with RU6, some companies have already upgraded their sem5 users to DB_OWNER -- in those cases they should be allowed to skip this whole issue.
12.1 migration requires SQL
12.1 migration requires SQL schema changes. This is why 'sa' is requested.
Permissions
It's not the schema change that requires the 'sa' user. It's a privilege change.
By default, the 'sem5' user of an SEPM 11.x installation does NOT have the "DB_OWNER" privilege. In SEP 12.1+, the 'sem5' user requires "DB_OWNER" (I think it had to do with triggers/SQL procedures).
But, of course, a SQL user is not allowed to grant themselves higher privileges. So they require a higher-level user to grant them that privilege. Thus, the requirement for 'sa' comes along.
SEPM 11.x has been updating its schema from RTM through MR6 without the need of 'sa'. And future upgrades (SEP 12.1 to SEP 12.1 RU1, for example) will not need the 'sa' user again. It's only to ensure the 'sem5' user privilege level is elevated when going from 11.x to 12.1+.
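The two checks contrasted in the original post (sysadmin vs. db_owner membership) and the pre-migration elevation of 'sem5' that the first comment suggests scripting, as an added T-SQL example that is not Symantec's installer code. It assumes the SEPM database and its application user are both named sem5 (adjust to your site); the elevation step only needs a DBA who is db_owner of that database, not a sysadmin login.

```sql
-- Added example, not from the SEPM installer. Assumes database and user
-- are both named sem5; change the names to match your installation.
USE [sem5];
GO

-- 1. What the current 11.x -> 12.1 migration effectively demands:
--    is the login we connected with a member of the sysadmin server role?
SELECT IS_SRVROLEMEMBER('sysadmin') AS connected_login_is_sysadmin;

-- 2. The lesser check proposed in the thread: is the connected user
--    a member of the db_owner role in this database?
SELECT IS_MEMBER('db_owner') AS connected_user_is_db_owner;

-- 3. Inspect the application user itself without connecting as it.
--    Returns 1 when sem5 is already db_owner (e.g. after the RU6
--    workaround mentioned in the comments), so the prompt can be skipped.
SELECT CASE WHEN EXISTS (
           SELECT 1
           FROM sys.database_role_members AS rm
           JOIN sys.database_principals AS r
             ON r.principal_id = rm.role_principal_id
           JOIN sys.database_principals AS m
             ON m.principal_id = rm.member_principal_id
           WHERE r.name = 'db_owner' AND m.name = 'sem5')
       THEN 1 ELSE 0 END AS sem5_is_db_owner;

-- 4. Elevation performed ahead of the migration by a DBA who is db_owner
--    of this database (the database owner qualifies). sem5 cannot grant
--    this to itself, which is the point made in the Permissions comment.
EXEC sp_addrolemember @rolename = 'db_owner', @membername = 'sem5';
GO
```

sp_addrolemember is used for compatibility with the SQL Server 2005/2008 versions in service when 12.1 shipped; on SQL Server 2012 and later `ALTER ROLE db_owner ADD MEMBER [sem5];` does the same thing.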
A privilege change so to
A privilege change so to allow for schema changes :)