I'm working as a solution architect on a new installation of EPiServer CMS5 SP2 in the UK.
Our team has noticed that all database access in EPiServer is done using an account with the "dbowner" role - is this normal?!
Database access in all our other applications (especially those exposed to the web) follows data security best practice - i.e. it is locked down to the absolute minimum permission level required for data retrieval, so that, should anyone compromise the web server, they can't drop database tables, delete data, access sensitive data, etc.
Has any analysis work been done on database permissions? Has anybody changed the default permission levels in EPiServer (and did it break anything?!)?
Ideally we want to know what database permissions should be allocated for various tasks within the application - e.g. editing a site, creating new pages, and most importantly simply reading a site as an end user.
Did you get anywhere with this? We are encountering the same problem. I will send a support ticket to try and get the answers to this.
Any luck on this one?