4

At my organisation there are conflicting schools of thought around service accounts. This has come up because they wish to deploy SQL Server for the sole purpose of running SharePoint databases.

One group believe that a different service account should be used for each server application and for each environment (e.g. production, UAT/test, development). So in this example each SQL Server installation for SharePoint would have its own service account for prod, UAT and dev. Their reasons are security and preventing interference between environments.

Another believes that service accounts should be shared between production and test environments. So for the example there would be one SQL Server service account across prod, UAT and dev. (I'm not sure about sharing that account between different server applications.) Their reasons are security again, as there are fewer passwords to change, and reduced complexity.

Considering security, uptime and reliability, protection against mistakes, risk management, etc., what should be the recommended approach?

Thank you!

Alex Angas

3 Answers

3

We follow the first group, which has a separate service account for each environment & server application.

The main reason is security, but another good reason is that if some work is being done in test or dev, which requires changing security, you know that it is not impacting the production environment in any way.

Bravax
2

By all means let your development and UAT/test environments share the same service accounts. But keep production separate. Apart from the change management issues already highlighted in other answers, development and test people shouldn't have any business accessing production systems in the normal course of events.

pgs
0

Certainly security concerns would tend to lead you to the one account per application/service. However, I don't think you need to go to the level of having different accounts for prod, UAT & dev though. This would mean that the config would have to change when you deployed the application and that could potentially be a source of error.

EDIT: I've just seen Bravax's answer and he raises a valid point about changes to dev accounts not affecting the live system.

ChrisF
    Yes re: your edit. We almost had a situation where the service account password was reset on test without thought that it would impact production. – Alex Angas May 01 '09 at 09:44