VA2108 - Minimal set of principals should be members of fixed high impact database roles

Question

VA2108 - Minimal set of principals should be members of fixed high impact database roles

Rishineken Pongen 176

Got this alert . VA2108 - Minimal set of principals should be members of fixed high impact database roles and I have attached the screenshot below . The only user id that I see different is bulkadmin. If I'm planning to remove it , how should i go ahead and do it ? Remove all from baseline or would that remove all the db roles present too ?

User's image

1 answer

Your answer

Answer 1

GeethaThatipatri-MSFT 29,557 Microsoft Employee Moderator

Hi, @Rishineken Pongen Thanks for posting your question in the Microsoft Q&A forum.

I am not quite following. What do you mean “that I see different is bulkadmin”?
In the results, it only shows db_owner

What is confusing and wrong though, is that it calls out the dbo-account. That is by design and cannot be changed.in this case, the dbo should be made part of the baseline. however, I will check with the internal team and provide you with more details.

Regards

Geetha

GeethaThatipatri-MSFT 29,557 Reputation points Microsoft Employee Moderator

2023-02-21T18:20:52.3233333+00:00

@Rishineken Pongen We haven't heard back from you. Just wanted to check if you had the chance to check my response.

Regards

Geetha
Madan Agrawal 0 Reputation points

2023-09-03T00:25:56.9933333+00:00

This look like bug in "Scan for vulnerability" module of SSMS.

Below is the query running behind the scene to scan for vulnerabilities

IF((SELECT count() from sys.database_principals WHERE principal_id >= 5 AND principal_id < 16384 ) > 0) SELECT 0 AS [Violation] ELSE SELECT 1 AS [Violation]*

and the result of select count(*) comes as Zero (0)

0>0 => false and went to else condition which shows 1 Violation.

Share via

VA2108 - Minimal set of principals should be members of fixed high impact database roles

1 answer

Your answer