Security - dbOwner permissions?!


Hi all

I'm working as a solution architect on a new installation of EPiServer CMS5 SP2 in the UK.

Our team has noticed that all database access in EPiServer is done using an account with the "dbowner" role - is this normal?! 

Database access in all our other applications (especially those exposed to the web) follows data security best practice - i.e. it is locked down to the absolute minimum permission level required for data retrieval so, should anyone compromise the web server, they can't drop database tables, delete data, access sensitive data etc.

Has any analysis work been done on database permissions? Has anybody changed the default permission levels in EPiServer (and did it break anything?!)?

Ideally we want to know what database permissions should be allocated for various tasks within the application - e.g. editing a site, creating new pages, and most importantly simply reading a site as an end user.

Thanks

MattB

#21614
Jul 02, 2008 17:38

Did you get anywhere with this? We are encountering the same problem. I will send a support ticket to try and get the answers to this.

#58311
Apr 19, 2012 1:19

Any luck on this one?

#62499
Oct 26, 2012 10:24