unknown SQL authentication accounts and risks
Posted on 2014-08-05
We are having a bit of an issue with our DBA department when doing enterprise level access management checks. When it comes to SQL databases, for SQL authentication, we can easily produce a list of which SQL, local Windows or domain users can access the instance – but specific to SQL authentication – when we provide a list to the DBA to ask what these logins are used for, why they have the permissions they do, and which staff use them – more often than not they don’t seem to have a clue. They say often the accounts are tied to the application interacting with the database server – but I don’t think that’s sufficient:
1. What, if any, risks can you think of with the DBA not knowing what the accounts are used for/who accesses them?
2. And is there any general best practice on what documentation/notes to store about each account for future audits/reviews? i.e. what do you store about your accounts so you know straight away if asked what they are used for?
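One practical way to keep the kind of per-account record the question asks about, as an added example that is not part of the original post: a small DBA-owned inventory table recording purpose, application, owner and review date for each SQL-authenticated login, plus two audit queries that flag logins nobody has documented and inventory rows whose login no longer exists. It assumes SQL Server 2017 or later (for STRING_AGG); the table name dbo.LoginInventory and the sample row are constructed for illustration.

```sql
-- Added example, not code from the original post. Assumes SQL Server 2017+;
-- dbo.LoginInventory and its sample row are constructed placeholders.

CREATE TABLE dbo.LoginInventory (
    LoginName      sysname       NOT NULL PRIMARY KEY,
    Purpose        nvarchar(200) NOT NULL,   -- what the account is for
    Application    nvarchar(100) NULL,       -- app/service that connects with it
    OwnerTeam      nvarchar(100) NOT NULL,   -- who to ask about it
    OwnerContact   nvarchar(100) NOT NULL,
    PasswordStore  nvarchar(200) NULL,       -- where the credential is vaulted
    LastReviewed   date          NULL,       -- last access review date
    TicketRef      nvarchar(50)  NULL        -- change/approval record
);

-- Constructed sample row; replace with your real inventory.
INSERT INTO dbo.LoginInventory
    (LoginName, Purpose, Application, OwnerTeam, OwnerContact, PasswordStore, LastReviewed, TicketRef)
VALUES
    ('app_billing_svc', 'Service account for the billing web app', 'Billing',
     'Payments Dev', 'payments-dev@example.test', 'Vault: /apps/billing/db',
     '2014-07-01', 'CHG-EXAMPLE-1');

-- 1. Every SQL-authenticated login that actually exists on the instance, with its
--    server roles, password-policy flags, and whether it is documented.
SELECT  l.name,
        l.is_disabled,
        l.is_policy_checked,
        l.is_expiration_checked,
        l.create_date,
        roles  = STRING_AGG(r.name, ', '),
        inv.Purpose,
        inv.OwnerTeam,
        inv.LastReviewed,
        status = CASE WHEN inv.LoginName IS NULL THEN 'UNDOCUMENTED' ELSE 'documented' END
FROM    sys.sql_logins              AS l
LEFT JOIN sys.server_role_members   AS rm  ON rm.member_principal_id = l.principal_id
LEFT JOIN sys.server_principals     AS r   ON r.principal_id = rm.role_principal_id
LEFT JOIN dbo.LoginInventory        AS inv ON inv.LoginName = l.name
WHERE   l.name NOT LIKE '##%'   -- skip the certificate-based system logins
GROUP BY l.name, l.is_disabled, l.is_policy_checked, l.is_expiration_checked,
         l.create_date, inv.LoginName, inv.Purpose, inv.OwnerTeam, inv.LastReviewed
ORDER BY status DESC, l.name;

-- 2. Inventory rows whose login no longer exists (stale documentation).
SELECT  inv.LoginName, inv.OwnerTeam, inv.LastReviewed
FROM    dbo.LoginInventory AS inv
LEFT JOIN sys.sql_logins   AS l ON l.name = inv.LoginName
WHERE   l.name IS NULL;
```

Run query 1 before each review: anything marked UNDOCUMENTED, or documented but with an old LastReviewed, is where the DBA needs to go and find an owner.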