![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 13%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
14,492 questions
Is it a good idea to give any elevated permissions to developers?
It's a question that is very difficult, and depending on whom you ask may get widely different answers.
In the place where I am, we are a small group of senior developers for our system, and three of us are sysadmin on the production server. But as I said, we are all senior. Furthermore, this place does not really a true DBA team, but the IT person responsible for the server trusts us to do the right thing. And after all, we wrote the system and we are the one who are in the know.
For many years I worked, first as an employee and then as a consultant, for an ISV who developed a large system that was critical for our customers. For most of the customers I had access to their production environment with sysadmin access, and many of my colleagues had the same. That was probably to high permission level - db_owner should have been OK in most cases.
So there are two answers from my professional career in favour. But there are many DBAs out there who would answer "Never in my life! Devs should not be sysadmin even on the dev server". As you may guess, I have never worked as a DBA, I've always been in a developer role.
There are many layers here. One layer is about the skills of the developer in question. A developer whose focus is .NET and Java and only does SQL Server left-handedly is more likely to cause a mess than a developer who is focused on SQL. Another layer is what methods your organisation want to embrace. DevOps has been popular the past decade, and with DevOps, developers are also involved in operations. Which is a good thing. Having silos with application teams and admin teams is less efficient and often results in a lot of finger-pointing than if the same team is responsible both for development and the production environment for the application.
But how you should work in your organisation is, I assume, over your pay grade. If your boss and your boss's boss have decided that you should work in silos, silos it is. And in that case granting developers elevated permissions... It may be something you want to discuss with your manager or a security manager before you go ahead.
As for your idea of packaging the permission in a stored procedure, that is absolutely a good idea. But EXECUTE AS OWNER is not a good tool to use for this, least of all for server permissions. (As you found out the hard way.) Instead the way to go is certificate signing. This is a bit complicated, not the least for server permissions, but once you master it, it is a very powerful method. I have an article on my web site where I discuss it in great detail: https://www.sommarskog.se/grantperm.html The article includes a script to automate the signing process for server-level permissions. (You only need to read the first five chapters to learn how to use the technique. But if you proceed, you will also learn why EXECUTE AS is an inferior choice.)