Re: Administrator
- From: "JMark" <anonymous@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 7 Apr 2005 08:28:51 -0700
I agree with your DBA point, but at least a DBA cannot
view data directly (without queries). Also I can take the
DBA role and give a DBA access whenever necessary.
When we set up sites for other departments/groups, this
(giving domain admins admin rights to all SPPS/WSS sites)
is not an issue. However, if I need to set up a WSS site for
our IT group, set up a WSS site for our Domain admin group
(everyone is an admin, no reader, web designer or
contributor), or set up a secure site (e.g. for the company
Policy Board, etc.), this would be a big concern.
I really hope that in the "Site Settings" area, Microsoft
can provide an option which allows me to turn this off and
block the access from the domain admin group. I understand
that this is a "risk" here in case I screw the site up and
no one can save me, however I consider the risk of this is
less.
I suggest that when I click "Manage Users", all domain
admins are listed here, then I can "manage" their rights.
>-----Original Message-----
>Well as far as the SQL DBA point I brought up, part of the reason for that is
>that there is no global SQL Admins domain group anyway but that wasn't done
>because of Sharepoint especially since SQL Server existed before Sharepoint
>did.
>
>I mainly suggest this because I'm not sure that you want to also take on the
>role of a DBA and Sharepoint Administrator. And a DBA will know more about
>tuning the database and other relevant configuration information.
>
>However I do understand your desire to restrict data access where possible.
>
>
>"JMark" wrote:
>
>> I am not saying about the "risk" - it is an issue of
>> SPPS. Recently my boss asked me to set up a site for our
>> IT group and I encounter this. For instance, some areas
>> need to get my boss' approval before go live to everyone -
>> but right now, all domain admin guys can bypass this.
>>
>> Sometimes drafting the policy is not enough and this is
>> why we need to use the permission control. There are
>> couple of levels of security groups within SPPS to control
>> users' access rights - why don't we just draft a policy to
>> tell users?
>>
>> I think this would not be an issue that "screw something
>> and lock me out" since the last administrator can not be
>> deleted from the site. Also there are ways to recover the
>> SPPS even if I would screw it. Why does not Microsoft give
>> me a choice which I can choose to include domain admins as
>> my SPPS admin or not? This way I can decide it. Regarding
>> your point about DBA, I guess you just prove my point -
>> Microsoft does the right thing here which has not
>> automatically given all DBAs of the SPPS database admin
>> rights to my SPPS sites.
>>
>> Thanks for discussing this with me.
>> >-----Original Message-----
>> >Just a quick question, but why do you consider your Domain Admins being in
>> >the Local Administrators group a security risk? As an FYI this is the default
>> >behavior when the OS is installed as well. I do agree with Gary because if
>> >you happen to do something to lock yourself out of Sharepoint having the
>> >Domain Admins available might be the only thing that saves you.
>> >
>> >If your concern is their ability to modify content indiscriminately, you may
>> >want to draft a formal policy on usage to address this and get management
>> >signoff. The other reason you want them to have this access is because don't
>> >forget that Domain Admins also perform other administrative functions aside
>> >from Sharepoint (OS patches, backups, software installs, etc.) where an
>> >elevated level of administrative privileges are required.
>> >
>> >The other example of this is the database. I'm assuming you are not the DBA
>> >of the Sharepoint database as well. Otherwise you could make the same
>> >argument that the DBA has too much access to the Sharepoint databases, which
>> >in fact holds all the data. But a DBA is going to have more specific
>> >knowledge/experience in managing databases than the application
>> >administrator. So you wouldn't want to prevent the DBA from accessing the
>> >Sharepoint databases, right?
>> >
>> >"JMark" wrote:
>> >
>> >> Thanks. In our company, domain admin group has to be added
>> >> to the local administrator group for each server. So
>> >> basically these guys are all admins of my SPPS - this is a
>> >> security issue.
>> >>
>> >> How can we solve this?
>> >>
>> >>
>> >>
>> >> >-----Original Message-----
>> >> >No. This is a security feature so that there is always a way to manage
>> >> >security just in case someone screws up and deletes all admin rights on a
>> >> >site or area.
>> >> >
>> >> >--
>> >> >Gary A. Bushey
>> >> >SPS MVP
>> >> >bushey@xxxxxxxxxxxxxx
>> >> >"JMark" <anonymous@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >news:0b1f01c53a08$419c0320$a501280a@xxxxxxxxxx
>> >> >> Hi,
>> >> >>
>> >> >> Members of the administrators group for the local SPP
>> >> >> server computer are allowed to perform administrative
>> >> >> functions for SPPS.
>> >> >>
>> >> >> In our SPP server, 3 users from the domain admin group are
>> >> >> the local administrator of this server. Is there any ways
>> >> >> that I can remove their "admin" rights from the SPPS
>> >> >> without removing them from the local administrator group
>> >> >> of the server?
>> >> >>
>> >> >> Please help.