Search code examples
sql-serversecuritysql-server-2008merge-replication

Are good security practices and auto identity range mgmt mutually exclusive?


I'm trying to use Automatic Identity Range Management. However, the only way to ensure my users can INSERT records in tables with identity columns is to make them db_owner. Am I missing something?


For full background please refer to my earlier question: Allow non-db_owner INSERT permissions in merge replication with auto identity range mgmt


Solution

  • Apparently they are mutually exclusive.

    Here is an excerpt from a Microsoft employee blog (note, this is not "official" documentation, but it's about as close as it gets):

    Common Identity Range Problems

    1) Account that makes inserts to the publisher or subscribed tables is not db_owner.

    SQL 2005/8 subscribers have merge replication triggers that can adjust an exhausted primary range onto the secondary auxiliary range if the account making inserts is a member of db_owner role. Publishers can also refresh the range (create new Primary and Secondary Ranges) if the account connected is a member of db_owner role. However, if the account making inserts into the tables does not belong to the db_owner role, the triggers cannot make such adjustments. In this case, the Merge Agent needs to execute in order to make those adjustments before the range exhausts to avoid new inserts to fail or a member of db_owner must manually run the system stored procedure sp_adjustpublisheridentityrange (Transact-SQL).

    WHAT!?!?! Who is out there writing database applications where the only users inserting records are db_owners?