How many times have you heard the business request that an individual or individuals require either the db_owner or db_ddladmin privilege for their database?
As a DBA you need to understand the consequences of this type of request.
This may make the requestor's job a lot easier, but did you realise you've potentially handed over the SQL Server?
How is that possible?
1. Business approves for AUSER to be added to the db_owner role (or db_ddladmin role) of ADATABASE
2. DBA grants the privilege
4. AUSER creates a trigger on the database
Update: Thanks to Pawel Wojtowicz for pointing out that the following code doesn’t work on SQL 2008 R2. It has been tested on SQL 2012/4. You would also tend to use the new ALTER SERVER ROLE instead of sp_addsrvrolemember.
If you didn’t know about this, you do now.
As always, ensure you have policies and monitoring in place to address this scenario.
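
One way to start on the monitoring side, as an added example (not code from the original post): a T-SQL review that lists who holds db_owner or db_ddladmin in a database and which database-level DDL triggers exist there. It assumes you run it in the context of the database under review (ADATABASE above); the text match on `sp_addsrvrolemember` and `ALTER SERVER ROLE` is a heuristic based on the two names mentioned in this post, not a complete detection.

```sql
-- Added example: run inside the database being reviewed (ADATABASE in this post).

-- 1. Members of the roles that are allowed to create database-level DDL triggers.
SELECT r.name       AS role_name,
       m.name       AS member_name,
       m.type_desc  AS member_type
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_ddladmin')
ORDER BY r.name, m.name;

-- 2. Database-level DDL triggers, newest change first, with review flags.
SELECT t.name          AS trigger_name,
       t.create_date,
       t.modify_date,
       t.is_disabled,
       -- definition is NULL when the trigger was created WITH ENCRYPTION
       CASE WHEN sm.definition IS NULL THEN 1 ELSE 0 END AS definition_hidden,
       -- heuristic: body mentions either server-role statement named in the post
       CASE WHEN sm.definition LIKE N'%sp_addsrvrolemember%'
              OR sm.definition LIKE N'%ALTER SERVER ROLE%'
            THEN 1 ELSE 0 END                            AS touches_server_roles,
       -- NULL = runs as caller, -2 = EXECUTE AS OWNER, otherwise a principal id
       sm.execute_as_principal_id,
       sm.definition
FROM sys.triggers         AS t
LEFT JOIN sys.sql_modules AS sm ON sm.object_id = t.object_id
WHERE t.parent_class = 0          -- 0 = DATABASE scope (DDL trigger), 1 = DML trigger
ORDER BY t.modify_date DESC;

-- 3. Which DDL events each of those triggers fires on.
SELECT t.name      AS trigger_name,
       te.type_desc AS fires_on_event
FROM sys.triggers       AS t
JOIN sys.trigger_events AS te ON te.object_id = t.object_id
WHERE t.parent_class = 0
ORDER BY t.name, te.type_desc;
```

Any row in the second result set that you cannot tie to a change request, or whose definition is hidden, is worth reading in full before the next privileged login runs DDL in that database.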