Epi db user with non-dbowner privileges?


IT for a project I'm on is wondering if they could get more specific with the database privileges for the Epi db user than the typical "dbowner" privileges. Off the top of my head, I don't see this working too well, but I wanted to see if anyone else out there has run into a similar request, or has accomplished this in some way?

So far, I've only found this resource essentially saying not to do it, and wanted to see if there have perhaps been any updates since: https://world.episerver.com/forum/developer-forum/-Episerver-75-CMS/Thread-Container/2016/4/database-permissions-required-for-application-pool-user/

Thanks! :)

#182487
Sep 21, 2017 2:58

What about at least the `data_writer` role? It's less privileged than dbowner.

#182507
Sep 21, 2017 16:10

Hi Valdis!

Really sorry for the very delayed reply on my end.

'data_writer' could work. I just haven't seen any Epi documentation noting that that's a valid option (and if I did, I'd wonder why it's not recommended over dbowner in the first place?). So I suppose I'm wondering -- have you tried running Epi with 'data_writer' privileges before, successfully? It sounds like I'll have to test it out & report back if I see any issues. :)

#182971
Oct 02, 2017 21:18

"if I see any issues" - you might try hard to cover all functionality for Epi to spot problematic areas :) "db_owner" is the easiest answer.

#182980
Oct 02, 2017 22:45

I agree, as I wrote that last comment I visualized the hordes and hordes of sudden permission issue-related bugs cropping up across all kinds of obvious and not-so-obvious areas of Epi functionality. It was terrifying, haha.

Thanks for your input! One piece of advice I did get from a colleague is to consider using pass-through IIS App Pool user authentication for the dbowner privileges, rather than just storing them in the web.config. I'll see if that might be a happy medium.

#182985
Oct 03, 2017 0:55
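
The last post's suggestion (integrated authentication under the IIS App Pool identity instead of a SQL login stored in web.config) can be checked mechanically. The following is an added example, not part of the thread or of Episerver's own tooling: it flags connection strings that still embed a password. The sample web.config, the `ReportingDB` name, the server name and the credentials are constructed, and the `Key=Value;` parsing is simplified (no quoted values).

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (server, database and credentials are made up).
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="EPiServerDB" providerName="System.Data.SqlClient"
         connectionString="Data Source=sql01;Initial Catalog=EpiCms;User ID=epi_user;Password=ExamplePw1" />
    <add name="ReportingDB" providerName="System.Data.SqlClient"
         connectionString="Data Source=sql01;Initial Catalog=Reports;Integrated Security=True" />
  </connectionStrings>
</configuration>"""

CREDENTIAL_KEYS = {"password", "pwd"}
INTEGRATED_KEYS = {"integrated security", "trusted_connection"}
INTEGRATED_VALUES = {"true", "yes", "sspi"}


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            pairs[key.strip().lower()] = val.strip()
    return pairs


def audit_web_config(xml_text):
    """Return {connection name: finding} for every <connectionStrings>/<add>."""
    findings = {}
    root = ET.fromstring(xml_text)
    for add in root.findall("./connectionStrings/add"):
        pairs = parse_connection_string(add.get("connectionString", ""))
        integrated = any(pairs.get(k, "").lower() in INTEGRATED_VALUES
                         for k in INTEGRATED_KEYS)
        has_secret = any(pairs.get(k) for k in CREDENTIAL_KEYS)
        if has_secret and not integrated:
            findings[add.get("name")] = "stored-sql-credentials"
        elif has_secret:
            findings[add.get("name")] = "integrated-with-leftover-password"
        elif integrated:
            findings[add.get("name")] = "integrated-auth"
        else:
            findings[add.get("name")] = "no-credentials-found"
    return findings


if __name__ == "__main__":
    for name, finding in audit_web_config(SAMPLE_WEB_CONFIG).items():
        print(f"{name}: {finding}")
```

Integrated authentication only changes where the credential lives; the database role granted to the App Pool identity is a separate decision.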
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.